CyberWire Daily - Not the Gremlin from the Kremlin. Zerologon exploited in the wild. Cyberespionage phishing in NATO's pond. US Treasury announces sanctions. Four guilty pleas coming in eBay cyberstalking case.
Episode Date: September 24, 2020
Zerologon is being actively exploited in the wild. The OldGremlin ransomware gang picks on Russian targets. Thought Fancy Bear was done with NATO? (Think again.) The US Treasury Department sanctions more organizations and individuals for malign influence operations. Betsy Carmelite from BAH on vaccine laboratory cybersecurity. Our guest is Shena Tharnish from Comcast Business with insights for small businesses concerned with COVID-19 related phishing. And four of the defendants indicted in the eBay cyberstalking case have chosen their pleas. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/186
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Zerologon is being actively exploited in the wild.
The OldGremlin ransomware gang picks on Russian targets.
Thought Fancy Bear was done with NATO? Think again.
The U.S. Treasury Department sanctions more organizations and individuals for malign influence operations.
Betsy Carmelite from BAH on vaccine laboratory cybersecurity.
Our guest is Shena Tharnish from Comcast Business with insights for small businesses
concerned with COVID-19 related phishing. And four of the defendants indicted in the eBay
cyberstalking case have chosen their pleas. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, September 24th, 2020.
Zerologon exploitation is no longer merely a theoretical possibility.
Microsoft has seen the Windows Server vulnerability being actively attacked in the wild.
ZDNet reminds all that Samba file sharing software is also susceptible to this bug and must be updated as well.
Computing has an update on the patches available for Zerologon.
That the Zerologon vulnerability is a serious risk isn't in dispute.
The U.S. Cybersecurity and Infrastructure Security Agency took the unusual step last week of issuing the federal agencies it oversees a binding operational directive,
telling them to get their skates on and patch by midnight Monday.
Those agencies were given a deadline of last midnight to get back to CISA and let them know that the proper patches had been applied.
Group-IB says a new ransomware group they're calling OldGremlin
is currently active against Russian banks and corporations.
OldGremlin is phishing with emails that represent themselves as coming
from a variety of legitimate third parties whom the email recipients might be predisposed to trust:
RBC, RosBiznesConsulting, a large Russian media holding company; the self-regulatory
financial organization SRO MiR; an unnamed Russian metallurgical holding company;
an unnamed dental clinic; and, crossing the Belarusian border to another country in the near abroad,
the Minsk Tractor Works.
As Group-IB, Singapore-based but with Russian roots, points out,
OldGremlin's target list is surprising.
Group-IB's report says: "It is common knowledge that Russian hackers have an unspoken rule about not working within Russia and post-Soviet countries.
Yet OldGremlin, made up of Russian speakers, is actively attacking Russian companies, banks, industrial enterprises, medical organizations, software developers.
According to Group-IB expert estimations,
since the spring, OldGremlin has conducted at least seven phishing campaigns."
This seems to be sailing pretty close to the unforgiving wind,
or to mix the metaphor, a little bit like tugging on Superman's cape,
and it will be interesting to see how long they continue to get away with it.
They've been at it since March, and the Kremlin is probably not too pleased with OldGremlin.
Unless there are wheels within wheels here,
OldGremlin is going to draw the attention of the organs in an unpleasant way.
As Bleeping Computer summarizes, the gang is using TinyPosh and TinyNode backdoors,
TinyCryptor ransomware,
and various third-party tools for reconnaissance and lateral movement.
So far, OldGremlin has been active in Russia only, but there are signs it may be working toward much wider attacks elsewhere.
A ransomware attack has hit Tyler Technologies,
a large IT service provider to U.S. state and local government agencies.
The company has disclosed that it's working to restore its systems and that while some data were exposed, as is now normal in ransomware attacks, it's not believed that any customer software was affected.
Reuters notes that Tyler's services are used by states and counties for both emergency response coordination
and for sharing election information. Security Week describes QuoIntelligence's research into
a new Zebrocy cyber espionage campaign directed against NATO. Zebrocy is by consensus held to be
a Russian operation. While its exact organizational niche isn't entirely clear,
most observers think it's associated with Moscow's GRU, that is, Fancy Bear. The group's
eponymous malware, Zebrocy Delphi, used NATO exercises as its phish bait. The operation's
command and control infrastructure is located in France, and QuoIntelligence has let the French authorities know where to look for it.
The U.S. Treasury Department yesterday sanctioned more Russian individuals
and organizations for their involvement in malign influence operations,
The Hill reports.
Most of them are tied to the previously sanctioned
Yevgeny Prigozhin, known as Putin's chef,
because of the way in which the entrees he once catered served as his entree to the Russian oligarchy.
Mr. Prigozhin is best known for having been one of the organizers and funders of the Internet Research Agency,
the St. Petersburg troll farm that gained notoriety during the last U.S. election cycle.
He also pioneered a more sophisticated form of trolling,
outsourcing and offshoring much of the work to a lot of contractors in the Central African Republic.
And finally, there are developments in the very strange case we first discussed back in June,
where eBay employees, now former eBay employees,
were charged with various forms of illegal harassment of a mom-and-pop newsletter that
had published notes not always to the liking of eBay's then-leadership. Of the seven defendants
charged, four have decided to plead guilty to cyberstalking the couple who ran the EcommerceBytes newsletter.
Stephanie Popp, Stephanie Stockwell, Brian Gilbert, and Veronica Zea yesterday filed their intention to enter guilty pleas to federal charges on October 8th.
All are former members of eBay's security and global intelligence teams.
The other three defendants are presumably still weighing
their options. The response to the newsletter, beyond being illegal and morally loathsome,
seems quite out of proportion to anything the couple who published the newsletter wrote.
They weren't particularly inveterate critics of eBay, nor did they seem to write anything
particularly scurrilous or defamatory.
Such complaints as the ones they put out were of the anodyne sort any business inevitably attracts.
And what was the response of eBay's security and global intelligence team?
Anonymous email and Twitter threats, deliveries of live cockroaches and a bloody Halloween pig mask,
clandestine surveillance, and shipping adult material to the victim's neighbors in the victim's names.
How in the world all of this could have seemed to be a good idea at the time is difficult to fathom.
The incident will at some point provide, we imagine,
interesting lessons about organizational culture and the dangers of groupthink.
Ongoing, cascading, impulsive bad judgment isn't just for teenagers.
Shena Tharnish is Vice President of Cybersecurity Product Management at Comcast Business.
She joins us with valuable insights for small businesses concerned with COVID-19 related phishing.
Hackers are using tried and true approaches like phishing and malware and denial of service attacks to exploit businesses, especially amid COVID.
And we're seeing a much higher rate of that. So, you know,
phishing and ransomware will remain the biggest threats to businesses of all sizes. And you want
to make sure that you're really cautious of those campaigns that are going on. You know, we saw
a 150% rise in the number of new domains related to COVID since March. And they use keywords like
corona or drug or vaccine and test kits. And we've blocked queries of these newly registered
domains nearly 13 times. So as much as we talk about phishing and ransomware and train our
employees, it's still a place where cyber criminals
are multiplying the number of messages and ways to influence consumers. And from a DDoS perspective,
attack traffic has significantly increased and more businesses are being targeted by cyber
criminals. As a result, during these attacks, businesses aren't able to serve their customers online or transact with supply chain partners or maybe even interact with their employees, which all causes disruption and loss for the business. COVID scamming opportunities arise, you know, even like the stimulus relief came out, it caused more phishing offers related to, you know, assisting with payment receipts.
So as the pandemic prolongs, businesses should be really sensitive to these phishing and malware campaigns that could surface.
Are there any areas when it comes to cybersecurity, are there any areas that you feel aren't getting the attention that they deserve?
I guess I would say education.
I think that is really key to the whole program of cybersecurity.
While technology is very important, training our employees and businesses
on these types of threats is important,
but to err is human.
So technology is important as well,
especially that which has automatic updates
and you're not having to rely on people
to configure or load.
So getting services by reputable companies that can automatically include the latest domains that are malicious and automatically protect the business are really important.
That's Shena Tharnish from Comcast Business.
And I'm pleased to be joined once again by Betsy Carmelite.
She is a senior associate at Booz Allen Hamilton.
Betsy, it's always great to have you back.
I wanted to touch today on some of the work that you and your colleagues are doing
when it comes to cybersecurity in the lab.
We've been hearing a lot about vaccine research, those sorts of things.
What are some of the things that you all are tracking?
Sure. We're very much tracking how to keep labs secure with such a rapid increase in data
generation, which ultimately introduces vulnerabilities. We're definitely seeing the increase in data, certainly PII, PHI, financial data, but also the increased concern for network lab equipment, such as, for example, petabytes of genomic data and securing all of the advanced technology that now exists in labs.
What about the velocity that labs find themselves running at today?
I'm thinking about all those labs who are trying to keep up with,
you know, the demand for things like COVID testing.
Does that mean that it's easy for some security things
to slip through the cracks?
Sure.
And I think some of that kind of lends to the research culture.
And in recent weeks, we've seen this with some high-profile attempts to steal vaccine data and helping researchers understand the risk of
what is an inherent part of their roles and jobs, which is data sharing, being collaborative,
how much we collaborate, how we collaborate securely.
And so given the nature of their jobs, especially in the current COVID-19 environment
and the circumstance like a pandemic where we want to be working together,
we really need to be balancing how much we collaborate and the security around that collaboration.
We're looking at information transfer and then the possibility of compromise of the integrity or confidentiality of that
research information.
Well, share with us some insights of what are some of the specific concerns that you have. What are some of the things that you all are tracking here?
Sure. So in recent weeks, we've seen some of the reported high-profile attempts to steal
COVID-19 vaccine data. We've seen the Department of Justice accusations alleging Chinese intelligence
services that are targeting that COVID vaccine research. We've also seen similar accusations
directed toward Russia that may have been targeting universities, organizations, healthcare providers as well.
So we're seeing some highly sophisticated threat actors that are obviously cause for concern
in a heightened crisis situation.
Is there a cultural element here as well?
Are the folks who are working on these hard problems,
the scientists,
do they generally need to be brought up to speed
on the cybersecurity elements
to keep their research safe?
Yeah, and it's definitely an increased awareness
that may not have come naturally to their jobs as they're performing their scientific research.
The awareness of how much we collaborate, how we do it securely.
Do we increase the levels of security to protect the intellectual property?
But then do we do that at a risk of decrease to information sharing and promoting that information sharing?
So that's a really hard problem steeped in technology, but to your point also in the culture of performing scientific research.
So for the folks who are in this line of work, what sort of recommendations do you have for them?
Sure. I would say that it really boils down to some basic cyber hygiene to keep these labs safe and also to keep the research data safe
and the lab teams as well. First, we would say examine the business processes in place prior
to adoption of any technology, whether it's a collaboration tool or any changes
to the network environment. For example, isolation of that internal research from the other parts of
the network would be critical. So looking at segregated networks to reduce that chance of
attack. And secondly, really knowing your use cases for workflows and processes
and choosing your tools and technology. How are you actually going to use that tool to perform
your work? And do you really know all the use cases that could be used properly or lead to
misuse? And then when you're choosing that technology, look at the possibility for flexibility
to change the functionality
when you're moving from your current use
to a possible to-be future state
of how you're going to be using that technology.
Hmm.
All right.
Interesting stuff.
Betsy Carmelite, thanks for joining us.
Thank you.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time, keep you informed, and it's so good, cats ask for it by name.
Listen for us on your Alexa smart speaker too. The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Harold Terrio,
Ben Yellen, Nick Valecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.