CyberWire Daily - Malicious Google ads lead to spoofed Signal and Telegram pages, and then on to malware. LV’s REvil roots. Vulnerable defense contractors. And bogus AIS position reports in the Black Sea.
Episode Date: June 22, 2021
Malicious Google ads for Signal and Telegram are being used to lure the unwary into downloading an info-stealer. LV ransomware looks like repurposed REvil. A study of the US Defense Industrial Base finds that many smaller firms, particularly ones that specialize in research and development, are vulnerable to ransomware attacks. Rick Howard ponders how we categorize state sponsored cybercrime. Our guest is Sudheer Koneru from Zenoti on how data privacy impacts salons and spas. And it's high noon in the Black Sea. Do you know where your warships are? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/119
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Malicious Google ads for Signal and Telegram are being used to lure the unwary into downloading an info stealer. LV ransomware looks like repurposed REvil. A study of the U.S. defense industrial base finds that many smaller firms, particularly ones that specialize in research and development, are vulnerable to ransomware attacks. Rick Howard ponders how we categorize state-sponsored cybercrime. Our guest is Sudheer Koneru from Zenoti on how data privacy impacts salons and spas. And it's high noon in the Black Sea. Do you know where your warships are?
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 22, 2021.
eSentire reports finding spoofed Google ads for the Signal and Telegram messaging apps that induce visitors to download RedLine Stealer, information-harvesting malware, whose take the criminals subsequently sell in various dark web markets. It's not just Signal and Telegram that are being faked to deliver malicious content. eSentire says others have seen similar activity, pretending to be AnyDesk or Dropbox. In this case, the threat actors use convincingly forged download pages for the apps. Users who attempt to get those apps during their visit will be socially engineered, as eSentire puts it, into downloading and initializing RedLine infostealer.

The hoods behind the scam are willing to invest. eSentire's report says, quote, the threat actors who launched these malicious campaigns would have had to spend money purchasing Google Ads. The cost of these ads depend on many variables, including the popularity of the keyword, like Signal, Telegram, Viber, and the willingness of other advertisers to pay for that keyword in their ads. Although we do not know the total amount the cybercriminals spent on the Google ads, we do know that purchasing the keyword Telegram can run $0.40 per click, while the keyword Signal can cost up to $1.40 per click. It's possible that financing for these ad purchases were themselves sourced by earnings from previous malicious campaigns. End quote. So, evidently, it pays to advertise. This is the third campaign eSentire has recently tracked in which the threat actors are abusing Google search results. The two earlier efforts were called Gootloader and SolarMarker.
SecureWorks has taken a look at the LV strain of ransomware that's in circulation, and they've concluded that LV is basically just warmed over REvil, and not really a distinct strain at all. How LV came to share the same code structure as REvil isn't entirely clear. REvil's proprietors, whom SecureWorks calls Gold Southfield, and who succeeded the GandCrab operators at the time of that gang's retirement, or dispersal, or rebranding, in the spring of 2019, may have sold it, had it stolen, or traded it with some criminal partner for other considerations. There's no immediate evidence that LV's operators are running their own affiliate program, but SecureWorks thinks it's possible that one is in the offing.

The Colonial Pipeline and JBS ransomware incidents raised concerns about two critical infrastructure sectors, and recent reports have suggested that the water and wastewater sector has also come under attack more often than had been thought. This morning, BlueVoyant released a study of the U.S. Defense Industrial Base that concludes that this sector, too, exhibits significant vulnerabilities, particularly among its smaller companies. Half of the 300 small and medium businesses studied were found critically vulnerable to ransomware. 28% fell short of CMMC requirements. Should one of these firms be infected, there's the possibility of disruptions to those supply chains in which the company figures. There's also the possibility that the ransomware could be propagated from the initial victim to partners, prime contractors, and subcontractors. The assumption the attackers seem likely to work from, the Washington Post writes, is that smaller firms are inherently less likely to be well protected against cybercrime than are the bigger outfits in the defense sector.
CISA's weekly vulnerability roundup lists 24 high-severity vulnerabilities. 23 of them this past week are Android bugs.
And finally, two NATO warships, the Dutch vessel Evertsen and the Royal Navy's HMS Defender, operating in the Black Sea and visiting the Ukrainian port of Odessa, were falsely reported to have moved to disputed waters in the vicinity of the Russian-claimed port of Sevastopol. The USNI News reports that it seems Automatic Identification System signals were falsified to give the impression that the warships had engaged in what effectively would have been a provocation. In fact, both ships remained in Odessa. Whether the AIS reports were deliberately falsified and by whom, or whether the incident involved some malfunction, how the misreporting occurred remains unclear.

Most commercial vessels are required to be equipped with AIS, which is a valuable aid to collision avoidance, among other things. Warships also typically carry AIS, although for security reasons they may turn it off as necessary since their locations are often sensitive. But navies, too, are interested in safe transit. In 2017, for example, following two deadly collisions between U.S. Navy warships and commercial vessels, the U.S. Navy told its ships to turn their AIS on in heavily trafficked waters. So there are several points in the electronic chain at which AIS positions for the two NATO warships in the Black Sea might have been faked, but it seems that both Evertsen and Defender were in Odessa where they belonged and had every right to be. Again, how the locations came to be misreported remains, for now, unknown.

Those of you landlubbers out there who may decide you're interested in looking at what ships are doing where, you can gratify your curiosity by consulting the AIS aggregation site, MarineTraffic. And all y'all mariners, well, stay safe out there, whether you're in the Gulf of Odessa, Manila Bay, or practically outside our own windows here on the Chesapeake.
Third-party risk is top of mind these days, thanks to incidents like the SolarWinds Orion breach. And it's worth considering the broad range of places in our lives where third-party data is stored and shared. Sudheer Koneru is founder and CEO of Zenoti, a provider of cloud-based software for the beauty and wellness industry. They work with companies like Hair Cuttery and European Wax Center. Potentially intimate stuff and data worth protecting.

Some of the more organized and larger scale footprint businesses do ask for more information around their preferences in terms of color, skin care, skin type. Some of them even take a photograph of the person's hair before and after, depending on, you know, well-established brands have these kinds of processes defined and they use all that. And then some of the businesses where they do, you know, spa related services and all that, there you do need them to, you know, sign a disclosure and, you know, sign a waiver kind of stuff, which, you know, in the event of any challenges. So most spas insist on a waiver of sorts. So, yeah, that's the, I would say, the spectrum of information.

Yeah, it strikes me, too, that there's sort of an intimate relationship you have with the folks who are doing this sort of, these sorts of services for you. You know, particularly when we're talking about things like grooming, there could be details there, even just the services rendered that you want to be kept private.

Yes, absolutely. And even what services a person took is a private information. And many of these, what we think of as salons and spas, go beyond hair itself. They do a lot of skincare treatments. And then nowadays they are expanding into something called MediSpa, which is like, you know, because it is a profitable segment, which has involved, you know, whether it's Botox or other kinds of regimens kind of thing. So yeah, they even disclosing who came and what service they took, it would be a liability for them.

And is it your sense that the folks who are running these sorts of organizations, do they have a good understanding of the importance of protecting the privacy of this sort of information?

I would say the well-run and established organizations definitely do, especially if you're running a business which has more than five stores. I think they understand the liability associated with it and are waking up to being very diligent about asking all the right questions and ensuring their software supports these capabilities. And I would say some have even made changes to their software systems as these regulations are getting more prominence in the industry kind of stuff to make sure their software supports it. But yeah, I do think the small players, I don't think even know or understand any of it. So many of them run their business on pen and paper or some old school software, which possibly is not even compliant from a regulatory perspective. Even for the smaller businesses, actually the compliance is not very hard to achieve today. Software solutions, whether it's ours or others, make it super easy for them when they deploy it to say, hey, the customer, their guests should have the flexibility and control to choose, you know, will they opt in, will they opt out, and making sure the business doesn't do any mistake also of saying, hey, accidentally also our systems will not allow a business to go send off a marketing mailer to people when the guest has said no. And it protects the business quite well. I think there's awareness pretty strong in our industry as well. And I think many systems have matured to ensure they're protecting the business overall.

That's Sudheer Koneru from Zenoti.
And joining me once again is Rick Howard.
He is the CyberWire's Chief Security Officer and also our Chief Analyst. Rick, always great to have you back.

Thanks, Dave.

So your CSO Perspectives podcast just wrapped season five last week. And I have to say, it seems as though you've got some free time on your hands. Because at our program meeting this week, you were mentioning a new trend in terms of nation-state hacking activity, something that you call continuous low-level cyber conflict. So that caught my eye or my ear as being an expensive stringing together of words. So two questions for you. First of all, how does it feel to have some free time to get caught up? But more importantly, what is this new trend you're talking about?
Well, it's always good to get some breathing room between deadlines and having time to get caught up on the latest developments. And we were getting ready for the CyberWire's quarterly analyst call, which by the way, is at the end of the month. You don't want to miss any of that. And that's where we get two smart people and me into a room and discuss the three most impactful news stories from the past 90 days. So I'm going through all these old news stories right from the last quarter. And I noticed a lot more state-sponsored actors were dipping their toes into cybercrime in various ways. Now, I don't think it's new news that, you know, North Korea with the Lazarus hacking group, they've been conducting cybercrime operations to help fund their espionage operations.

Are you saying that we're getting beyond that, that the situation is evolving?

Yeah, that's exactly right. You know, here at the CyberWire, we started calling the Lazarus Group's crime activity as the old APT side hustle, right? And they originated the idea, but the Russians with their Internet Research Agency did it to fund their influence operations in the 2016 U.S. presidential election. And the Chinese do it too for general purpose funding, like how APT41 does it. But that's just one way that nation-state hacking groups conduct cybercrime. A slightly different angle than the APT side hustle is the idea of using these very same groups to bring revenue into the country. In my free time here, I stumbled on a podcast made by the BBC. It's called The Lazarus Heist, and it's excellent. But they describe that North Korea is so poor as a country that they use their hacking team to bring in revenue to support, you know, things they need to buy and maintain and things, right? And so that's very interesting. And then we have a completely another category, which I call state-sponsored organized crime, where the government tasks cyber adversary groups within their country with specific target sets, like how the Russian FSB co-opted the ransomware group Evil Corp in order to cause chaos and fear in the West. And then, you know, finally, we have the one longstanding tradition that we all know about, okay, of state-tolerated crime, essentially looking the other way as long as cyber criminals are not attacking their own citizens. And that was one of the things that President Biden and President Putin talked about during this week's summit.

Hmm. Wow. So I guess when we talk about this changing cyber threat landscape, I mean, these are the kinds of things we're talking about.
Yeah. And it changes fast. It's always changing. That's what I like about it.

Yeah. Yeah.
Well, listen, before I let you go, even though you concluded season five of your CSO Perspectives show, we are still publishing season one episodes over on the ad-supported side. And what is on tap for this week?

Yeah, so most of the season one was me discussing my first principle strategies. And this week we're talking about something that the entire industry needs to go a lot faster on, and that is DevSecOps. So join in and figure out what we're talking about there.

All right, we will check it out. Rick Howard, thanks for joining us.

Thank you, sir.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.