CyberWire Daily - Luminous Moth or Mustang Panda, it’s the same bad actor (probably). Updates on other cyberespionage and ransomware campaigns. Rewards for tips on cyberattacks.

Episode Date: July 15, 2021

A Chinese APT is active against targets in Myanmar and, especially, the Philippines. Cyberespionage campaigns suggest that there’s a thriving market for zero-days. MI5 warns against spying, disinformation, and radicalization. REvil continues to lie low (and the Kremlin hasn’t seen anything). CISA offers ransomware mitigation advice. Bogus Coinbase sites steal credentials. Ransomware attacks on old SonicWall products expected. Daniel Prince from Lancaster University looks at getting into the industry, and whether a degree is worth it. Our guest is Kurtis Minder from GroupSense, tracking 3 divergent ransomware trends. And Rewards for Justice offers a million dollars for tips on cyberattacks. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/135

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. A Chinese APT is active against targets in Myanmar and the Philippines. Cyber espionage campaigns suggest that there's a thriving market for zero days. MI5 warns against spying, disinformation, and radicalization. REvil continues to lie low, and the Kremlin hasn't seen anything.
Starting point is 00:02:19 CISA offers ransomware mitigation advice. Bogus Coinbase sites steal credentials. Ransomware attacks on old SonicWall products are expected. Daniel Prince from Lancaster University looks at getting into the industry and whether a degree is worth it. Our guest is Kurtis Minder from GroupSense, tracking three divergent ransomware trends, and Rewards for Justice offers a million bucks for tips on cyber attacks. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, July 15th, 2021. Kaspersky outlines the activities of a Chinese APT
Starting point is 00:03:16 tracked as Luminous Moth, engaged in cyber espionage against Southeast Asian targets. Myanmar and the Philippines are receiving most of the group's attention. Luminous Moth, Kaspersky says, has an affinity with HoneyMyte, the threat actor better known as Mustang Panda. The current campaign began with operations against Myanmar but has since shifted to the Philippines, and it is unusual in that it combines high volumes with highly targeted approaches to a relatively small number of targets, sweeping attacks for the chosen few, as SecureList's headline puts it. The attacks have typically begun by spear phishing and then
Starting point is 00:03:58 subsequently spread through malicious payloads carried by infected USB drives. Post-exploitation, the operation relies on a bogus Zoom application to identify and exfiltrate data of interest. Some of the victims were also infected with a Chrome cookie stealer. Google's Threat Analysis Group yesterday blogged about four campaigns it's found in the wild that exploited zero days. One extensive campaign targeting mostly European government officials and believed to be the work of a Russian intelligence service used LinkedIn spam to push malicious links. Three other campaigns, including some deployed against Armenian targets, appear to have been sold to various unnamed governments by a zero-day broker. While Google's estimation is that a single broker was behind the sales,
Starting point is 00:04:51 CyberScoop sees Google's report as also exposing a growing market for zero-days, in which many of the buyers are nation-state security and intelligence services. According to Sky News, Ken McCallum, the head of Britain's MI5 counterintelligence service, warns that private persons remain targets for recruitment or manipulation by hostile intelligence services. He thinks that collection is happening at scale, and Sky News paraphrases his warning as saying that this activity takes place in a gray zone that sits deliberately under the threshold of what would normally be considered an act of war, but can be just as dangerous if ignored.
Starting point is 00:05:34 Russia, China, and Iran are particularly called out, and his warning deals as much with disinformation as it does espionage. Not all of the threat is foreign. The BBC reports that McCallum sees indigenous racism as driving recruitment of younger subjects in particular into more or less organized extremist activity. The REvil ransomware gang remains in the wind, gone from its customary haunts on the web. TASS says Russian authorities know nothing about REvil's vanishing act, which, if one takes it at face value, would suggest that REvil hasn't been closed down by Russian security or police agencies. News outlets, including
Starting point is 00:06:19 Germany's Spiegel and the English-language Moscow Times review the three leading lines of speculation about the disappearance, a Russian enforcement action, an American takedown, or simply REvil's going on the lam, but little new light has been shed on the matter. Consensus holds, however, that relaxing vigilance against ransomware attacks would be unwise. Not only are there other gangs out there, but it would require a Panglossian optimism to think that REvil is down for the count. The U.S. Cybersecurity and Infrastructure Security Agency, CISA, the nation's risk advisor, as it calls itself in the announcement, has released advice for managed service providers
Starting point is 00:07:04 and small to medium businesses on how they might harden their systems against ransomware and cyber espionage. The advice is familiar but useful, brief, and well-founded. Its overarching advice about how to think about the threat, whether criminal or state-directed, is to understand that, quote, these actors can exploit trust relationships in MSP networks and gain access to a large number of the victim's MSP's customers. Compromises of MSPs can have globally cascading effects and introduce significant risk, such as ransomware and cyber espionage, to their customers, end quote. Security firm INKY reports that the value Bitcoin has assumed in the marketplace
Starting point is 00:07:47 has driven a rise in impersonation scams, in which criminals mimic the appearance of the widely used Coinbase exchange. The scams begin with phishing emails, some of which INKY finds relatively well-written, a cut above the run-of-the-mill subliterate criminal hackwork. Should the recipients be unwise enough to follow the invitation to, say, restore access to your Coinbase account, they'll be taken to a credential harvesting site, and from there matters will proceed in the usual unfortunate way. Two-factor authentication remains a good idea and best
Starting point is 00:08:22 practice, but INKY points out that it won't always protect you. Some of the Coinbase imposters use Evilginx, a man-in-the-middle framework that proxies a real website with an Nginx HTTP server that intercepts data, including two-factor authentication tokens. SonicWall has warned its users that some of its older appliances are expected to become victims of an imminent phishing campaign, making use of stolen credentials. The Secure Mobile Access 100 series and Secure Remote Access products that still run unpatched and end-of-life 8.x firmware are the products that carry the risk. The vulnerability SonicWall expects to be exploited has been patched in more recent versions of these products. The U.S. State Department's Diplomatic Security Service this morning offered a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure
Starting point is 00:09:33 in violation of the Computer Fraud and Abuse Act. The announcement particularly calls out cyber espionage and cyber sabotage, although not under those names, and the related threat of ransomware. The offer is being tendered under State's Rewards for Justice program, which the department has operated since 1984. Rewards for Justice, the State Department says, has paid more than $200 million to over 100 tipsters since its inception. Most of the rewards have gone for tips that help prevent terrorist activity. The program's use against ransomware is significant
Starting point is 00:10:10 in that it marks the seriousness with which the U.S. government seems to be treating ransomware. Providing tips can be risky, and the State Department knows this. To help ease the minds and secure the safety of potential informants, State writes, quote, Commensurate with the seriousness with which we view these cyber threats, the Rewards for Justice program has set up a dark web, Tor-based tips reporting channel
Starting point is 00:10:35 to protect the safety and security of potential sources. The RFJ program also is working with interagency partners to enable the rapid processing of information. So, if you've got a tip and it pans out, State promises to take care of you. And finally, Peter Levashov, the Russian national who in September copped a guilty plea to U.S. federal charges addressing his role in the creation and operation of the Kelihos spam botnet, is now up for sentencing. The Government Memorandum in Aid of Sentencing recommends that the U.S. District Court for the District of Connecticut follow sentencing guidelines in the case, making no case for unusual leniency or stringency in the matter with Mr. Levashov. Those guidelines call for imposition of a sentence of between 12 and 14 and a half years. Do you know the status of your compliance controls right now? Like,
Starting point is 00:11:55 right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:12:35 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over
Starting point is 00:13:23 one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Kurtis Minder is CEO at GroupSense, a cyber reconnaissance, digital risk, ransomware strategy, and negotiation firm. He and his team have been tracking divergent trends in ransomware, a topic I recently spoke with him about on the Hacking Humans podcast. Here's an excerpt from that conversation. On the threat actor side, Dave, it's chaos. As you've seen in the news and the media, we've seen higher and higher profile cases. Those are the ones that we know about. There's a lot that we don't. We've also seen, because of those high profile cases, the threat actors changing tactics, changing names, changing brands.
Starting point is 00:14:25 So there's a lot going on. Even in the last month, we've seen quite a bit of change in the activity level and also the tactics that the threat actors are using. Well, there's some specific things that you all are tracking here. Let's go through them one by one. What's the first thing that's on your radar? We're obviously intimately involved in the actual ransomware cases themselves. So we're doing a lot of the negotiations on behalf of the victims. So we're tracking the metrics associated with those negotiations, which groups are most prolific, which groups are using which malware components successfully, also what amounts are being asked for and or paid in those exact negotiations.
Starting point is 00:15:11 But on top of that, we're actually tracking the individual threat actors themselves and sort of their track record and history in the space. I see. Now, one of the things you're tracking are what you describe as crypto brokers, these folks who manage the crypto payments. Can you describe that to us? What's going on here? The brokers that basically take the standard currency, in this case, a lot of times it's US dollars, and convert that into cryptocurrency for the purposes of doing a cryptocurrency transaction. In this case, that transaction is often paying a threat actor or a ransom payment. There are specific operational and financial security measures that you have to take, or obviously you don't have to, but it is advised that you take when doing a transaction like this.
Starting point is 00:16:13 And so we've worked with a number of brokers that help us facilitate those processes. And I can't go through those specifically, but the idea is the threat actor, when you're actually making the payment, cannot easily trace back to the victim's bank. So there's a whole infrastructure there that helps protect the reverse tracing of the transaction. Where do you suppose we're headed? I mean, what are the trend lines? Are we on a trajectory where this can't continue? There's going to have to be some sort of disruption here? There are several ways to do that. There's a technology approach, which we've got myriad companies trying to solve this. How do we protect companies better from ransomware?
Starting point is 00:17:15 There's a sort of a policy and best practices approach, which, by the way, is highly effective. And what I mean by that is just following some basic security hygiene on the front end will basically remove a company from being the low-hanging fruit. So that's probably one of the cheapest ways to address this. And then the third way is legislation and government support. And that's something like, for example, the ransomware task force is making recommendations around how can the government help the victims that are in these scenarios without facilitating a ransom payment. And so the net outcome from this would be that the threat actors no longer get paid for what they do. Now, what I'll add to that is they will find another angle. And we're already seeing, you know, threat actors pivoting off of pure ransomware and creating, for example, Marketo created... By the way, this is not the same as the marketing company Marketo.
Starting point is 00:18:11 There is a threat actor group called Marketo, which is a little bit confusing and unfair to the marketing company. The threat actor group Marketo, for example, has already pivoted to just selling stolen data in packages rather than doing the ransomware deployment themselves. So they just exfiltrate data, and then they've got a stolen data marketplace that they've created. So we're seeing them get creative about changing their approach.
Starting point is 00:18:35 So we're going to see that regardless of what we do on the specifics of the ransomware problem. That's Kurtis Minder from GroupSense. You can listen to the rest of our conversation over on the Hacking Humans podcast. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
Starting point is 00:19:08 a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Daniel Prince. He's a senior lecturer in cybersecurity at Lancaster University. Daniel, always great to have you back.
Starting point is 00:20:01 You know, I realize this is the business that you're in. This is a bit like asking a barber if you need a haircut. But I'm wondering what your take is these days. In terms of folks who are looking to get into the industry, how valuable is a degree? Is it necessary? Is it worth the investment? Well, I'm sure some of my colleagues will probably shoot me. But I think the answer is it really depends on the individual. So the way that I see it, as the industry's grown,
Starting point is 00:20:31 so is the number of entryways into the industry. And specifically, if we go back, again, 10 or 11 years when we set up the MSc program at Lancaster, we didn't have all of the wonderful and terrible YouTube videos explaining certain attacks and how things operate. And we certainly didn't see as much information available on the internet at large. And so the universities did what they did best, which was act as an aggregator of that information, a curator if you like, and then down-selected what they felt was appropriate with guidance from
Starting point is 00:21:11 industry and taught that particular knowledge. But as, again, as the industry's grown, as it's increased in maturity, that information is now largely, again, available online, and there are some very good tutorials, there's some very good information, and there are some very good industry qualifications that you can go and get. So it depends on what you actually want to do in the industry, because the other thing that's changed is the type of roles that are available. You know, it's not just the guy that works or the girl that works in the IT department. There are a number of roles that work across the business. So is a degree worth it? And the answer is typically, as always, it depends.
Starting point is 00:21:57 But the role of the university, I think, is an important one, because we act as that curator of knowledge, but also a key developer of knowledge. And we try very hard, along with a number of other universities, to ensure that we provide that knowledge that we are generating into our degree programs. So perhaps unlike, you know, your standard qualifications, industry qualifications, you're getting an extra bit of special sauce, if you like, with a university degree, because you're getting access to that cutting-edge research, which you can then take into industry, which would help differentiate you from other people. accurate that part of what a university degree brings to the table is the notion that someone's going to come out of there well-rounded. They will have, because of the requirements of the degree, not only will they have knowledge in their area of specialty, but supporting areas as well. Yeah, that's certainly true. So one of the things that we have to do when we're designing
Starting point is 00:23:05 modules, for example, which a lot of people do, is we have to talk about the knowledge subject specific areas. So, you know, talk about digital forensics, the tools, the techniques, the approaches that you have to apply. But then we also have to design the program to say, well, how does teamwork play into this? And what are the other kind of, what would effectively be professional skills, that we have to teach as part of this? And one of the things that I've noticed within our degree, because it's a multidisciplinary program where we have modules, technical modules, but we also have law, criminology, international relations, and management within that.
Starting point is 00:23:46 We're teaching all those other disciplines, but also we're teaching how to synthesize the approaches across all those disciplines to round people out. And one of the things I observe is that when you get a computer science graduate, their thinking tends to be very black and white. You can either build it and it works, or you can build it and it doesn't work. It's a very, as you would expect, a binary solution.
Starting point is 00:24:07 Whereas when you get some of these other disciplines where it's about discourse, it's about discussing the gray issues and then taking a position, bringing that into cybersecurity and security in general, which is generally a gray subject, how much security is enough? Well, it depends.
Starting point is 00:24:28 Having that ability to host that discourse, to be able to build that into your day-to-day approach is vitally important. So one of the other things, as you rightly point out, that I firmly believe in in the role of the university is to not just provide that knowledge and skills, but also, you know, producing professionals and improving the professional skills that sit around our graduates and our students. Is there a message here as well to
Starting point is 00:24:56 the folks who are doing the hiring that, you know, that they need to be careful to not be filtering out folks who don't have a degree? Yeah, definitely. I mean, the degree is now not the only good route into cybersecurity. And I've spoken about this in the past. Degrees and universities work for some people, but they don't necessarily enable you to access all the talent that we desperately need in the industry. And so if you're only focusing on, do they have an undergraduate computer science degree, have they done a master's degree in cybersecurity, or some combination of that, then you're going to lose the younger people who perhaps don't have the potential opportunities that people like myself have had to go to university.
Starting point is 00:25:47 But they are still passionate. They still have a keen interest. They still have keen intellect to be able to work in this particular field. And we need to find ways to encourage that pathway into cybersecurity and give them the options. There are lots of very good self-taught individuals out there. And so it's vitally important that we support them to get into the industry, like I say, to get the talent that we need to deal with some of these really complex problems
Starting point is 00:26:14 that we have faced day to day. All right. Well, Daniel Prince, thanks for joining us. Thank you. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
