CyberWire Daily - News on three ransomware operations: BianLian, Cuba, and Ragnar Locker. How the gangs are recruiting. Mobile app supply chain blues. Happy Insider Threat Month.

Episode Date: September 1, 2022

The BianLian ransomware gang is better at coding than at the business of crime. The attack on Montenegro seems to be ransomware. A look at Ragnar Locker's current interests. Recruiting for gangland gets allusive, but those who know, well, they know. Our guest is Dan Lanir of OPSWAT with insights on recent federal legislation supporting cyber jobs. Ben Yelin examines a lawsuit filed by the FTC against an online data broker. And it's Insider Threat Month, so keep an eye on yourself.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/169

Selected reading.
BianLian Ransomware Gang Gives It a Go! ([redacted])
Montenegro blames criminal gang for cyber attacks on government (Reuters)
FBI's team to investigate massive cyberattack in Montenegro (AP NEWS)
US issues rare security alert as Montenegro battles ransomware (TechCrunch)
Cuba ransomware group claims attack on Montenegro government (IT PRO)
Cuba Ransomware Team claims credit for attack on Montenegro (Databreaches.net)
Montenegro blames Cuba ransomware for cyberattack (Cybernews)
Cybercriminals Apparently Involved in Russia-Linked Attack on Montenegro Government (SecurityWeek)
THREAT ANALYSIS REPORT: Ragnar Locker Ransomware Targeting the Energy Sector (Cybereason)
Behind the News: The Ragnar Locker Attack on Greek Natural Gas Supplier DESFA (Radiflow)
Mobile App Supply Chain Vulnerabilities Could Endanger Sensitive Business Information (Broadcom Software Blogs / Threat Intelligence)
"Looking for pentesters": How Forum Life Has Conformed to the Ransomware Ban (Digital Shadows)
NCSC and Federal Partners Focus on Countering Risk in Digital Spaces during National Insider Threat Awareness Month 2022 (ODNI)

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. The BianLian ransomware gang is better at coding than at the business of crime. The attack on Montenegro seems to be ransomware. A look at Ragnar Locker's current interests. Recruiting for gangland gets allusive, but those who know, well, they know.
Starting point is 00:02:15 Our guest is Dan Lanir of OPSWAT, with insights on recent federal legislation supporting cyber jobs. Ben Yelin examines a lawsuit filed by the FTC against an online data broker. And it's Insider Threat Month, so keep an eye on yourself. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, September 1st, 2022. Security firm Redacted today released a study of a ransomware operation they've been tracking. The gang calls itself BianLian and uses custom malware written in the Go language. The malware is resistant to reverse engineering, Redacted says, but not completely uncrackable. BianLian has tended to use the ProxyShell vulnerability to gain initial access to its targets, and
Starting point is 00:03:26 it's shown a preference for targeting servers that provide remote access. As a double extortion operation, BianLian maintains a dump site where it can post data stolen from its victims. The gang chooses its victims largely from companies based in North America, Australia, and the United Kingdom. The companies range in size from small businesses to big multinationals. BianLian seems unrelated to the Android banking trojan that's been referred to by the same name,
Starting point is 00:03:55 and while many ostensibly new ransomware groups in fact represent rebrandings of existing groups or have formed from the remnants of gangs disrupted by law enforcement, Redacted thinks that BianLian is actually a new group. Their report says, While there is a long history of seemingly new ransomware groups rising from the ashes of defunct and or rebranded groups, we do not have any indications at this time to suggest that is the case with BianLian. For all intents and purposes, the BianLian group appears to represent a new entity in the ransomware ecosystem.
Starting point is 00:04:33 They are better at coding than at the business of crime, Redacted adds. Furthermore, we assess that the BianLian actors represent a group of individuals who are very skilled in network penetration, but are relatively new to the extortion and ransomware business. Some of their missteps include mistakenly sending data from one victim to another, possessing a relatively stable backdoor toolkit, but have an actively developing encryption tool with an evolving ransom note, and long delays in communications with victims. They can be expected to up their game as long as they're at liberty. The usual best practices against ransomware should help protect organizations against
Starting point is 00:05:14 BianLian. Montenegro, which continues to work to recover government systems from a cyber attack it's blamed on Russia, has now, according to Reuters, called the incident ransomware. The country's public administration minister, Maraš Dukaj, said that no ransom demand had yet been received, but that some stolen data had been spotted online. Dukaj said, we have already got an official confirmation. It can also be found on the dark web, where the documents that were hacked from our system's computers will be published. So, the attack, which has substantially disrupted public services in the Balkan country, seems to be a double extortion attack. The gang
Starting point is 00:05:56 that's claimed responsibility is the Cuba Ransomware Group, according to ITPro. Cuba is a Russophone operation that has nothing to do with Havana. The FBI described Cuba in December of last year. In April of this year, security firm Profero linked Cuba to Russia with their attribution based largely on linguistic cues. In June, Trend Micro researchers reported a surge in Cuba's activity, along with the gang's deployment of some new tools. It seems likely that the operation against Montenegro represents Russian privateering. Cybernews has published a screenshot of Cuba's claim of hack and briefly describes the circumstantial case for linking the gang to Russia. The AP reports that the U.S. Federal Bureau of Investigation has dispatched a response team to Montenegro to assist the Ministry of Justice with its investigation.
Starting point is 00:06:50 What's up with Ragnar Locker these days? Well, Cybereason this morning published an account of the Ragnar Locker threat actors. Their key findings confirm much of what's long been known or suspected about the operation, and add details on the group's evolution. Ragnar Locker has joined other ransomware actors like Cuba and the former Conti Group in paying particular attention to the energy sector. Ragnar Locker has claimed, for example, the Greek natural gas delivery company DESFA as one of its victims. Active for at least three years, Ragnar Locker has become
Starting point is 00:07:26 increasingly evasive. Its ransomware now checks if specific products are installed, especially security products, virtual-based software, backup solutions, and IT remote management solutions. And, of course, it's aligned with Russia and avoids being executed in countries located in the Commonwealth of Independent States. The CIS is an association of former Soviet republics that have remained in a more or less uneasy alliance with the Russian heir to the USSR. Digital Shadows has issued a report on how cybercriminals are skirting bans of ransomware-related content on underground forums. Two of the most popular criminal forums, XSS and Exploit, banned recruitment for ransomware affiliates after the Colonial Pipeline attack last year in order to avoid being targeted by law enforcement. So, you can't just say something like, yo, criminals, make good money in ransomware, or hey, hey, come help us rob and defraud the squares. Not anymore, anyway. With the sort of low cunning one finds in gangland, forum users have begun wording their
Starting point is 00:08:38 posts in a way that doesn't explicitly mention ransomware. For example, instead of stating that they're seeking ransomware affiliates, the crooks will say their team is looking for pen testers. The researchers conclude, overall, in practical terms, there is almost no compliance with the forum bans on commercial ransomware content on Exploit and XSS. The trade seems to be alive and well on these platforms. For those who wish to recruit affiliates or buy and sell ransomware, success is only a carefully worded post away. The Symantec Threat Hunter team, part of Broadcom Software, released a blog yesterday detailing mobile app supply chain vulnerabilities. The team says that issues with the supply chain in relation to mobile apps include mobile app developers unknowingly using vulnerable external software libraries and SDKs, companies outsourcing the development of their mobile apps, which then end
Starting point is 00:09:37 up with vulnerabilities that put them at risk, and companies, often larger ones, developing multiple apps across teams using cross-team vulnerable libraries in their apps. Over 1,800 apps were identified to contain hard-coded AWS credentials, of which 98% were iOS apps. 77% contained valid AWS tokens that allow access to AWS cloud services, and 47% included tokens that gave access to numerous files via the Amazon Simple Storage Service. Interestingly, over half of the AWS discovered were found to be used in other apps, even from different developers and companies, and were traced to shared components within apps. And finally, September is Insider Threat Awareness Month, so greetings of the day and have you done your holiday shopping? But seriously, we've received some comments from industry on insider risk.
Starting point is 00:10:38 James Christiansen, CSO and VP of Cloud Security Transformation at Netskope, stated, it's the risk that never goes away because insider threats involve employees, often the weakest link in any company's security posture. Employees are not only vulnerable to common attacks or insecure practices like email phishing, but they have bona fide access to workplace systems and an understanding of internal processes, providing the malicious insider a head start. Joe Payne, CEO and president at Code42,
Starting point is 00:11:15 noted that almost all malicious data theft from insiders occurs when people change organizations, which is on the rise because of the great resignation and recent layoffs. We might also mention that the biggest insider threats may be things like simple inattention, honest mistakes, a desire to help, misguided but well-intentioned initiative. We will be looking in the mirror this month because, as Pogo Possum said,
Starting point is 00:11:37 we have met the enemy and he is us. So let's also commit to some self-examination and resolve to be good to our sister and brother insiders. This isn't mistrust your colleague month, after all. So stay safe out there. Coming up after the break, Dan Lanir from OPSWAT has insights on recent federal legislation supporting cyber jobs. And Ben Yelin examines a lawsuit filed by the FTC against an online data broker. Stay with us.
Starting point is 00:12:32 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way
Starting point is 00:13:14 to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:14:24 There have been a number of important cybersecurity workforce-related bills making their way through the federal government. President Biden recently signed the Federal Rotational Cyber Workforce Program Act, and the Industrial Control Systems Cybersecurity Training Act was approved by the House of Representatives. For insights on both of these bits of legislation, I checked in with Dan Lanir, Senior Vice President of Customer Success at critical infrastructure security company OPSWAT. It's an acknowledgement by the government that we need to be able to train up existing professionals, either in government or the industry, on critical infrastructure protection. So of course, as a community, we recognize we also need to train
Starting point is 00:15:14 people that are going to be focused on cybersecurity as a profession, people that are going to take degrees in this, and that'll be their job and their profession and their passion. But we also need people that are already in industry, already in the government, and people that aren't necessarily, where their jobs aren't necessarily all about cybersecurity. We need to make sure that they're also getting trained and educated on cybersecurity challenges and addressing those challenges, best practices related to staying cyber safe, and specifically in the critical infrastructure domain. Now, for folks who may not be familiar with critical infrastructure and the ICS world, can you give us some insights here as to what, you know, that intersection between the operational side of things and cyber,
Starting point is 00:16:11 but where do we stand there? So, you know, in general, every government, every country in the world has a definition of what critical infrastructure is. The U.S. government, the Department of Homeland Security defines it as 16 sectors of industry within the country. Things like the power grid, healthcare, the financial system. It's basically the industries that form the foundation of our way of life, right? The industries that help, the industries that Americans depend on every hour, every day to just lead our modern way of life.
Starting point is 00:16:53 And those industries often have their own technologies that historically weren't really part of the IT space, right? We're talking about, like you said, industrial control systems, programmable logic units, sensors, valves, etc. And we're seeing more and more situations where as those areas, those domains become more internet-enabled, as they become more internet-enabled, become a bigger and bigger focus on trying to attack those areas. And those areas are the most critical for us to make sure that they remain secure.
Starting point is 00:17:36 So how are we going to measure success here, do you suppose? Is this a matter of getting everyone up to a certain baseline level of knowledge when it comes to the cyber components of their day-to-day work? That's a really, really good question. And measuring success, of course, is that's the ultimate goal we're trying to get to. And it's obviously very, very challenging to truly define success, right? I mean, success means in conjunction with the technologies that we have to help cybersecurity these areas. And this really is a public-private partnership sort of thing here, right? I mean, neither side can achieve what needs to be done on their own. Oh, it's definitely, definitely a public-private collaboration. The director of CISA, Jen Easterly, talks about true operational collaboration, right, and the need. There's no way that one or the other entity is going to be successful on
Starting point is 00:18:58 their own. We need that collaboration. And not only collaboration between public and private, but even within the private sector. Organizations and entities that in other domains might be competitors need to come together and collaborate to build up a common set of cybersecurity best practices and guardrails to help safeguard critical infrastructure. You're seeing a lot of efforts from the government side, like the acts that we just discussed and like ongoing executive orders, state level orders, et cetera. But you're going to be seeing a lot coming out of the private sector too.
Starting point is 00:19:42 I think the bulk of the, there's gonna be a large body of work, courses, material focused on real-world challenges and responses to those challenges that will be produced by the private sector. And I also think that the private sector will be introducing and evolving industry standard certifications so that we have a common language, a common definition of sort of what it means to be, to have critical infrastructure protection expertise and the right training levels. So the industrial engineers and the field technicians and the IT staff and the network engineers, they just need to be staying constantly trained and educated on this sort of evolving cybersecurity challenge, right? And that means constantly staying up on education, training, taking courses, getting certified
Starting point is 00:20:43 in cybersecurity and specifically critical infrastructure protection, certifications, etc. That's Dan Lanir from OPSWAT. Cyber threats are evolving every second. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast. Ben, good to have you back. Good to be with you, Dave. Interesting news coming about the Federal Trade Commission suing a data broker company.
Starting point is 00:22:12 This is a story from the New York Times that caught my eye, but several places have been covering this. What's going on here, Ben? So as we know, smartphone location tracking, which is a multibillion-dollar business, and certainly very lucrative for companies like this one, which is called Kochava, or Kocheva. Not sure exactly. We know that they can reveal intimate details about our personal lives, our familial associations, our religious associations, our political activities. Since the Supreme Court's decision in the Dobbs case, which overturned Roe v. Wade,
Starting point is 00:22:56 we've also seen fears that this type of location tracking could be used to prosecute people who are seeking abortion care. So abortion is criminalized in a limited number of states at the moment. Several more are in the process of enacting laws to criminalize the procedure. And a great piece of evidence to prosecute somebody is location data. So they went to an abortion clinic. They went across state lines to obtain an abortion. So this has created justifiable fear that these types of data brokers who are really in this just for the money, they see that data is valuable,
Starting point is 00:23:27 they're willing to sell it, that that's going to be a privacy violation for people who are seeking reproductive care. So the Federal Trade Commission has taken action and they are suing one such company, this Kochava company. They say the company's sale of geolocation information on tens of millions of smartphones could, quote, expose people's private visits to places like abortion clinics and domestic
Starting point is 00:23:53 violence shelters. This is part of a broader Biden administration effort to crack down on this type of data broker activity. So the Biden administration issued an executive order after the Dobbs decision saying that they were seeking to bolster privacy protections for this type of information. So they want to curb intrusive surveillance practices
Starting point is 00:24:16 that might cut against reproductive rights for millions of women in the country. They urged the FTC to take action to address some of these data brokerage issues. And that's what the FTC has done. So they have initiated a lawsuit on this company. The lawsuit could result in civil or criminal penalties for the company.
Starting point is 00:24:38 They could levy fines. So the consequences could be relatively steep. It might be in the interest for the company to try to settle with the FTC, to come up with some sort of equitable solution where the company can still maintain its existence, not be bankrupted by this legal proceeding, but also can pay a fine, rectify its previous behavior, and vow to protect this important consumer data. So it'll be a really interesting case as it comes down the pike. We are just at the first step with FTC initiating this lawsuit. But it'll be really interesting to see what happens as this makes its way through the court system. If I'm an organization that's also in this business, if I'm another data brokerage organization, this has my attention, right? It certainly does. Kochava and I think many of the
Starting point is 00:25:32 other same companies insist that they comply with all the laws on the books. They say that location data comes from third-party information brokers who collected it from consumers who were consenting to have this data collected. They were confronted with the EULA. They wanted to play that game or use that application to order a sandwich or do whatever, and they pressed the accept button without really reading it.
Starting point is 00:25:56 And that allowed people or allowed these companies to collect that data and to sell it and potentially make it available to law enforcement. Law enforcement agencies are buying data from these data brokers, and they don't have to obtain a warrant under the Fourth Amendment to do so. So that's why it could be potentially dangerous when we're talking about criminal prosecutions because it's something that law enforcement could have access to.
Starting point is 00:26:21 But yes, if you're another company that engages in these practices, if at the FTC, despite what seems like Kochava's compliance with the current laws we understand, if they're being threatened with this legal action, I think other companies could impute that as they're taking this issue particularly seriously. And I think there's going to be a more watchful eye on data that's collected pursuant to reproductive rights because that's in the news, that's the end result, the consequence that came from the Dobbs decision, and that's the focus of this presidential administration. To what degree is this putting a regulatory band-aid on a more serious disease? I mean, is this the best we can do?
Starting point is 00:27:09 And by we, I mean the Biden administration, while waiting for Congress to put in some meaningful privacy legislation? Yeah, I mean, it's not the most efficient form of policy change because you can't literally sue every company that does this. You can try, but that's very cost, that costs a lot of money and is very time intensive. Ideally, what the FCC is trying to do, which is to protect
Starting point is 00:27:38 consumers against these data broker practices, would be best done through federal data privacy legislation. And we know that such legislation is being considered right now in Congress. There's a real effort underway to get data privacy legislation enacted before the end of this calendar year. I don't think we're going to have a resolution to this FTC case by that time. So in an ideal world, Congress could see how the FTC is seeking to enforce these new consumer protections, and they would codify those protections into law.
Starting point is 00:28:11 But I don't think the timing is going to work out because I think Congress is working on a shorter timeline than the FTC in pursuing this case. I think the concern is, from the perspective of those who care about data privacy and or reproductive rights, this is an enforcement action coming from the current FTC and its current commissioners. A future presidential administration and a future crop of FTC commissioners could simply decide not to take this type of enforcement action. If they didn't believe this was a violation of privacy, personal liberty, if they didn't think it was a worthwhile use of the FTC's enforcement power, they could simply not do anything. So I think Congress has the incentive to really try to codify this into statutes that can be protected from future FTC commissioners, future presidential
Starting point is 00:29:06 administrations. All right. Interesting stuff. Again, this is an article over in the New York Times written by Natasha Singer. Ben Yelin, thanks for joining us. Thank you. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand,
Starting point is 00:29:55 Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
