CyberWire Daily - Nomad cryptocurrency bridge looted. BlackCat ransomware hits European energy company. DSIRF disputes Microsoft's report on cyber mercenaries. Are there spies under Mr. Putin's long table?
Episode Date: August 2, 2022

Nomad cryptocurrency bridge is looted. The BlackCat ransomware gang hits a Luxembourgeois energy company. DSIRF disputes Microsoft's characterization of the Austrian firm as cyber mercenaries. Ben Yel...in looks at privacy concerns in the education software market. Our guest is PJ Kirner from Illumio to discuss Zero Trust Segmentation. And, finally, are there spies under Mr. Putin's very very long table?

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/147

Selected reading.
Crypto Firm Nomad Loses Nearly $200 Million in Bridge Hack (Bloomberg)
Crypto Bridge Nomad Drained of Nearly $200M in Exploit (CoinDesk)
Nomad token bridge drained of $190M in funds in security exploit (Cointelegraph)
Nomad token bridge hacked in nearly $200 million exploit (mint)
BlackCat ransomware gang hits Luxembourg energy supplier Creos (Computing)
Luxembourg energy provider Encevo Group battles ransomware attack by BlackCat (Tech Monitor)
BlackCat ransomware claims attack on European gas pipeline (BleepingComputer)
Luxembourg energy companies struggling with alleged ransomware attack, data breach (The Record by Recorded Future)
Austrian spy firm accused by Microsoft says hacking tool was for EU states (Reuters)
Dilyana Gaytandzhieva: Putin's Elite Inner Circle Infiltrated By Nato Informants (SouthFront)
GEC Special Report: Pillars of Russia's Disinformation and Propaganda Ecosystem (US Department of State)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Nomad cryptocurrency bridge is looted.
The BlackCat ransomware gang hits a Luxembourg energy company.
DSIRF disputes Microsoft's characterization of the Austrian firm as cyber mercenaries.
Ben Yelin looks at privacy concerns in the education software market.
Our guest is PJ Kirner from Illumio to discuss zero-trust segmentation.
And finally, are there spies under Mr. Putin's very, very long table?
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary
for Tuesday, August 2nd, 2022.
Bloomberg reports that Nomad, which provides a bridge over which crypto tokens can be shifted to different blockchains, was hit yesterday by an attack that's caused the loss of nearly $200 million in cryptocurrency.
PeckShield, which has been following developments over its Twitter account,
is credited with noticing the caper.
Apparently, there was a flaw in the platform's blockchain contract
that allowed users to withdraw more than they deposited.
After the initial exploit, around 40 other copycat attacks followed.
We heard from Comparitech's head of data research, Rebecca Moody, who ranked this attack as the ninth largest of its kind.
She stated, overnight, Nomad Bridge was drained for over $190 million in the third biggest crypto heist of 2022 and the ninth biggest of all time, according to Comparitech's worldwide cryptocurrency heist tracker.
But in a unique twist, the hack on Nomad appeared to be carried out by numerous copy-and-paste actors.
Experts suggest that the initial hacker found a fatal flaw
in the platform's replica contract,
meaning anyone, including those with zero coding knowledge,
could locate a transaction that worked,
use their address to replace the user's address,
and rebroadcast it.
Over the space of a few hours,
almost all of the bridge's $190.7 million was drained, with just $651.54 left.
It's unclear how much, if any, of the currency lost will be recovered.
Moody says,
There are suggestions that white hat hackers removed some of the funds to safeguard them,
but it remains to be seen just how much of the $190 million is recoverable.
The BlackCat ransomware privateers, also known as ALPHV and generally regarded as a DarkSide successor, or simply as DarkSide rebranded, claimed responsibility for an attack on Creos, a Luxembourg company that operates a major Western European gas pipeline, BleepingComputer reports.
According to The Record, the group claims to have stolen 150 gigabytes of data that they said includes contracts, passports, bills, and emails.
They threatened to leak the data on Monday, but as of the afternoon, no data had been released.
Creos' corporate parent, Encevo, said late last week that it was continuing to investigate the incident, which has affected its customer-facing portals.
Like its immediate ancestor, DarkSide, responsible for last year's cyberattack against Colonial Pipeline, BlackCat is based in Russia and has shown an interest in targeting Western energy infrastructure.
Reuters quotes a statement by the Austrian firm DSIRF, whom Microsoft had described as cyber mercenaries selling SubZero spyware to customers who abused it.
DSIRF said in an emailed statement, SubZero is a software of the Austrian DSIRF, which has been developed exclusively for official use in states of the EU.
It is neither offered, sold, nor made available for commercial use.
In view of the facts described by Microsoft, DSIRF resolutely rejects the impression that it has misused SubZero software.
Reuters says it's not clear who DSIRF's legitimate European Union customers are.
Microsoft identified DSIRF as the threat group it tracked as KNOTWEED.
And we note, in full disclosure, Microsoft is a CyberWire partner.
And finally, what if there were a bunch of independent journalists under President Putin's bed?
Well, all right, maybe not under his bed, but how about under that really, really long table he likes to use when giving foreign leaders his own view of the world?
Too ridiculous to rebut, but still, you can see those independent journalists like the idea.
So what are we talking about?
Well, there's a story circulating in disinformation circles.
The claim that Bellingcat has compromised the GRU comes from SouthFront, an English-language news service and Russian government front organization.
The teaser for SouthFront's video report reads in part, independent journalist Dilyana Gaytandzhieva, founder of Arms Watch and a SouthFront correspondent, appealed to Russian President Vladimir Putin.
She says that Putin's elite inner circle is infiltrated by NATO informants.
She asked for a meeting with Ramzan Kadyrov, boss of Chechnya and one of Mr. Putin's more intemperate and brutal political allies, to give him a list of names of identified infiltrated GRU agents.
Ms. Gaytandzhieva said in her video, according to my source, Ramzan Kadyrov is the only person in your circle who can be trusted.
Why SouthFront would take pains to single out the GRU is an interesting question.
It's not at all clear what advantage Russia might see in convincing foreigners that one of its main intelligence services had been so seriously compromised.
The publication of this particular story may indicate that a purge of the GRU is in the offing.
SouthFront is believed to operate from Crimea and is probably run by the FSB.
It's been on the U.S. Treasury Department's list
of sanctioned entities since April of 2021.
The singling out of the GRU as a source of leaks,
deception, and disinformation seems significant.
The FSB may be preparing the ground
for a purge of its sister and rival
service. So far, the FSB has taken the brunt of Mr. Putin's wrath for intelligence failures in
Russia's war with Ukraine. More than 100 officers are believed to have been dismissed and arrested.
The FSB may wish to share some of the heat it's feeling, or it could be that the president wishes to ensure that no one intelligence service grows too powerful.
If this proves to be so, the purge would be another throwback to the 1930s,
when Stalin used the GRU and the FSB's predecessors to keep one another in check.
That's speculation, but one imagines a lot of GRU officers are feeling uneasy today.
One of Bellingcat's leading figures commented on Twitter about the claims that they were running a bunch of GRU agents, saying,
The idea that Bellingcat, of all organizations, would have spies breathing in Putin's neck and at the top of the GRU, feeding him disinfo and passing personal secrets to us,
as flattering as it is, is so ridiculous,
it doesn't even warrant a serious rebuttal.
Of course, Bellingcat would say that.
Who's that under Mr. Putin's very, very long table?
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
PJ Kirner is CTO and co-founder of security firm Illumio.
They recently published a zero-trust segmentation impact report, and my conversation with PJ Kirner started with a helpful analogy.
The easiest way to understand this is to sort of think about how submarines are built for resiliency, right? So they have redundant systems, and then they have small compartments. And what are those compartments for is that if there is a breach, they seal off one of those compartments so the water doesn't flood the submarine and the submarine doesn't sink. So segmentation in an IT environment is exactly the same thing. How do you sort of compartmentalize and sort of prevent a breach from becoming a giant disaster in your environment?

Yeah, it's a great description. Can you take us through some of the highlights from the report here? What are some of the things that grabbed your attention?

So there are different elements of zero trust, right? So one element is this idea of least privilege, right? So that in the sense that least privilege is the idea of rather than having everybody have access to, you know, a lot of things, it's only allow things that are necessary and business critical or business defined to have access to things. Another concept is this concept of assume breach, right? And the assume breach mentality is you assume the attacker is already inside, right? Already has breached the perimeter. Somebody has already clicked on that phishing link. It's maybe sitting there on a laptop. And if you have that mentality, then you start thinking about, you know, cyber controls that, you know, help you prevent things from moving laterally and making it a worse disaster than it is. So that mentality is important. And one thing that the research did was sort of measure, well, first of all, it measured how many people were doing or had zero trust. And one of the metrics is 90% of the people believe it's one of their top three priorities, right? So this was a set of people who believed in zero trust. But when we measured another thing about assumed breach mindset, a question that was asked that was, do you think you're going to be breached? 3% of people said no, they believed they were never going to be breached. Another 11% of people said they highly likely didn't think they were going to be breached. And a whole 31% said they weren't really sure, right? So if you take all that, that's about almost 50% of people didn't really, in my opinion, have that assumed breach mindset that is necessary for doing zero trust.

That's interesting. I mean, what is your response to that? Are they being realistic? Is that whistling past the graveyard? How do you respond?

Well, I think it's the remnant of our perimeter-based approach to security for a long time, right? There was the bad internet, and then we trusted everything that was kind of inside the perimeter. Like once you walked into the building, you were fully trusted, right? And, and, you know, that's how security got done for a long time, that perimeter-based control. And I don't, and that's, I think that's a remnant of people not yet getting past, you know, they'll say they're past this perimeter. They say they believe in it, but it was kind of an indicator of they're not really, they don't really have the mindset. They haven't moved past that mentality yet. But I'm sure this will happen again and we'll sort of see trends and that'll be actually interesting conversation. Like when we do this again next year, we'll sort of compare and contrast how far that has moved. We can talk about that then.

And what about the segmentation itself? I mean, in terms of measuring results of that, where do we stand?

Yeah, it's interesting you ask that question because zero trust in general and zero trust segmentation is a journey, right? So it's an architecture, it's a philosophy. There's not just a single product you buy and then you install it and you're done. We were talking with some people around RSA about how it's an organizational change. The organization needs to have this mentality as a whole. What we've done and what we've learned over the years is you really need to take a very step-by-step approach to things. There's no boiling the ocean. Boiling the ocean is a recipe for disaster. You need to understand where your crown jewels are, understand what you want to protect, build a ring fence around those crown jewels, do some amount of segmentation, take some small steps along the way, get the organization to sort of see that success, show your board that success, and then sort of repeat that process. So this step-by-step mentality is really important to success of these projects.

When you look at the results that you've gathered in this report, what are the take-homes for you? What do you hope people take away from it?

Yeah, well, I hope people take away kind of what you sort of said, that zero trust is a mainstream kind of thing and that zero trust segmentation is a key pillar to doing zero trust. The other thing that was interesting is that there is some proven business ROI around this, right? So averting a cyber disaster or accelerating a transformation project. Because a lot of what you have to do when you're doing a zero trust segmentation is you have to get visibility. You have to understand how things are connected, right? And once you understand how things are connected for your zero trust goals, they have other benefits, right? Like you understand how your applications work. You might be able to migrate an application to the cloud more easily because you understand its connectivity. So there are other benefits, business benefits, in addition to the security benefits.

That's PJ Kirner from Illumio.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And joining me once again is Ben Yelin.
He is from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast.
Hello, Ben.
Good to be with you, Dave.
Thank you very much.
Interesting article from the New York Times.
This is written by Natasha Singer,
and it's titled,
A Cyber Attack Illuminates the Shaky State of Student Privacy.
What's going on here, Ben?
So there was a cyber attack against an education software provider, which is called Illuminate Education.
And it is one of these pieces of software that collects data on individual students.
So there's been kind of a trend of tracking the progress of students,
including things like test scores, but also absenteeism, behavioral incidents. You get a
lot of pretty personal information on students if you gain access to one of these very popular
databases, and they're used at school all across the country. This one is used in the public school
systems in New York City and Los Angeles. So certainly.
Big systems.
Yeah.
And there's a concern now after this hack, which isn't even one of the biggest hacks in the history of cyber education software.
But there's a concern that's I think been illuminated by this hack that government regulators and individuals have to be more protective of this data.
What could be revealed by accessing these files is extremely personal.
We talked about things like absenteeism,
but also even behavioral instances that occurred
when somebody was very young that stays on your so-called permanent record.
You could potentially be on something that a college could look for as they consider one's application.
So it's beyond just grades and test scores.
It's also demographic information that might be sensitive or personal or something that somebody does not want to reveal.
There really is this, I think, valid concern that we're just putting too much information into these databases that we now know
are vulnerable to cyber crimes and espionage. So there are a couple of action items that can
happen here. One is that educational institutions have to be more proactive when they are obtaining
a contract for the services of this type of software
and making sure that whatever they're using has the most robust cybersecurity protections.
That's not a fail-safe, but that's something that could certainly help the problem.
But then on the broader level, I think it might be incumbent upon policymakers, it would
probably start at the state level, but eventually might make its way to the federal level to institute some type of minimum security standards for the use of this type of
education software. That would have to happen first in the public school system, because that's where
the government would have jurisdiction. But I think we could start to see that pop up in some
of these larger school districts where you have to comply with certain NIST cybersecurity standards in order to sell your product to this particular school district.
I think the more of these types of incidents that occur, we might see regulators be more
motivated to take that type of action. Now, where does the FTC come in on this? I mean,
they have the Children's Online Privacy Protection Act. Would that apply to a situation like this?
Yeah.
So the FTC has fined a lot of different companies based on violations of children's privacy.
So high profile cases like YouTube and TikTok.
But the agency has yet to enforce the industry's kind of self-policing initiative,
which is the Students' Privacy Pledge.
In May, the FTC announced that regulators were going to try and crack down on ed tech companies
that violate the COPPA, the Child Online Privacy Protection Act.
So they are pursuing a number of non-public investigations into these companies.
That's according to the FTC spokeswoman interviewed as part of this article.
But we don't know exactly where that's going to go and what will come out of these investigations.
But yeah, the FTC is a major player here because they have enforcement authority under the COPPA.
I just wonder, at what point does all this stuff come to a head?
I mean, you could joke.
I mean, it's a trope.
You can say, protect the children, protect the children.
But in this case, we're talking about protecting the children, right?
Right, right.
And sometimes we justify the use of this software by saying, you know, we want to keep track of things like absenteeism and behavioral problems that we can take corrective action.
Yeah.
We can have an algorithm that identifies problem students and we can do X, Y, and Z once those students are identified.
Mm-hmm.
It sounds really good in theory, but there are certainly some negative aspects of collecting
that amount of data that's negative both for the school district, because they're more likely to
become a target of cyber criminals, and for students who might have really personal information
collected that might hurt future job prospects, that might be out there on the dark web, something
that's searchable. So it can have real consequences for students.
So I think ed tech, while it's very promising, has these pretty pronounced downsides.
And I think school districts, when they're making decisions as to how to employ this
type of technology, really have to take that into consideration, at least before we have
these minimum security standards or we know that the
software is capable of withstanding some of these attacks. And it's happened so many times now that
we know that this is not an isolated concern. Anybody that, any entity that maintains this type
of private information is vulnerable to cyber attacks. And that certainly does not exclude school districts
from being in that category. I'm just imagining somebody, you know, decades later trying to get
a security clearance or even just a job and being asked about, you know, the time that they
blew up a watermelon in the cafeteria microwave or something. We have evidence that when you were
six years old, you punched Timmy in the face
and were put on timeout for 10 minutes.
Is that correct, sir?
Yeah.
Now, I doubt that is actually going to happen,
but I don't think that's that far off,
especially if this becomes more widely accessible
and searchable.
I mean, some of the other big hacks
that targeted OPM,
something like Ashley Madison,
the information is really used against
people, even if it was obtained unlawfully. And if it's between you and one other candidate,
and you have this blot on your record that's discoverable on the internet,
maybe that hurts your job prospects. And that's fundamentally unfair to these students. So I think
it makes it certainly worthy of our attention.
All right.
Well, Ben Yelin, thanks for joining us.
Thank you.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White,
Thanks for listening. We'll see you back here tomorrow.