CyberWire Daily - Notes from the underground: data breach extortion and a criminal market shuts down. International cooperation against ransomware. Cyber risk and higher education.
Episode Date: October 14, 2021
Data breach extortion seems to be an emerging criminal trend. Notes on a darknet market’s retirement. Verizon advises Visible users to look to their credentials. Windows users’ attention is drawn to seven potentially serious vulnerabilities (all patchable). The Necro botnet is installing Monero cryptojackers. Organizing an international response to ransomware. Carole Theriault shares thoughts on social engineering. Dinah Davis from Arctic Wolf on the supply chain attack framework. And a quick look at the state of cyber risk in higher education. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/198 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Data breach extortion seems to be an emerging criminal trend.
Notes on a darknet market's retirement.
Verizon advises visible users to look to their credentials.
Windows users' attention is drawn to seven potentially serious vulnerabilities.
The necro botnet is installing Monero cryptojackers.
Organizing an international response to ransomware.
Carole Theriault shares thoughts on social engineering, Dinah Davis from Arctic Wolf on the supply chain attack framework,
and a quick look at the state of cyber risk in higher education.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, October 14th, 2021.
Ransomware has, over the last two years, evolved to the point where double extortion, that is, encryption by ransomware accompanied by data theft and an attendant threat to release
stolen information, has become the expected norm in such criminal attacks. But we may be seeing
the beginning of a further trend in which criminals
don't even bother with ransomware but simply go for data theft. NCC Group describes an extortion
operation that skips the customary ransomware stage of the process. SnapMC, which NCC Group
says it's been unable to link to any other known actor, is simply moving directly to data theft with no encryption of the victim's data.
This probably represents a trend as more gangs can be expected to engage in data breach extortion.
This kind of attack requires even less technical capability
than the already highly commodified ransomware attacks need.
The criminals' calculation of return on investment would be
interesting to unmask. Can they make more from extortion than they could simply by selling
stolen information? Apparently so, which suggests that some forms of data at least are of more value
to the organization that owns them than they are to the criminals or, as sometimes suspected, the competitors who might buy them.
GroupSense emailed us late this morning to share an observation about the darknet.
One of the larger underworld markets, White House, has announced its retirement.
GroupSense wrote, quote,
The administrator, the persona Mr. White, said,
We have reached our goal and now, according to plan, it's time for us to retire.
The Record had earlier noticed this underground market's retirement.
White House is or was a darknet contraband market that slid into the criminal ecological niche
left behind by the 2019 departures of the Dream Market in an exit scam,
the Empire Market, evidently a retirement,
and Valhalla and the Wall Street Market, both of which were taken down by U.S. and European authorities.
GroupSense characterized the White House as a place where you could buy basically anything you probably shouldn't be buying. Bryce Webster Jacobson, GroupSense's Director of Intelligence
Operations, wrote, quote, The market sells many products across categories like drugs,
fraud, software, and services. Drugs like fentanyl, which are banned on almost all other
Why might the White House be shutting down?
Probably not because they're moderate types who've decided they've made just enough money.
As GroupSense's Webster Jacobson puts it, quote, down. It is rare for marketplace administrators to announce their retirements, but perhaps they are trying to preserve a positive reputation with their customer base should they decide to start a
new venture. End quote. That seems right. Look at the difficulty REvil has had re-establishing
what passes for trust in criminal circles. Since nature seems to abhor a criminal vacuum as much
as she does the other kinds,
it will be interesting to see what emerges to fill the void left by the White House.
It may well be the White House, perhaps under another name. Number 10? Who knows?
The White House contraband market, should you be wondering, is as far as anyone knows
unconnected with the executive mansion in Washington,
which is where the U.S. president lives it up.
Verizon recommended yesterday that users of its Visible wireless service
should change any Visible usernames and passwords
they may have used to access other sites or services.
Quote,
Our investigation indicates that threat actors
were able to access username/passwords from outside sources and exploit that information
to log into Visible accounts. If you use your Visible username and password across multiple
accounts, including your bank or other financial accounts, we recommend updating your username and password with those services.
End quote.
The Record says Verizon denied any compromise of its back-end infrastructure.
The attackers who obtained access to customer accounts appear,
Fierce Wireless reports, to have used credentials obtained from other sites in other breaches.
And so it's another reason to avoid reusing credentials.
Security firm Field Effect says it has identified a cluster of seven Windows zero-days the firm refers to collectively as Black Swan. Six represent a privilege escalation risk.
The seventh the researchers characterize as an information leak vulnerability.
Field Effect thinks the vulnerabilities should motivate users toward greater diligence with respect to patching.
Microsoft, a CyberWire sponsor, has patched all seven of the issues between July and October of this year,
so fixes are readily available.
The Necro bot, a Python bot, is actively installing a Monero cryptojacker in vulnerable Visual Tools DVR VX16 instances, Juniper Networks reports.
Necro works in both Linux and Windows environments.
From CyberScoop's account, it appears that the theme of the U.S.-convened conference on ransomware is that the threat is transnational and therefore demands an international response. CyberScoop quotes U.S. National Security Advisor
Jake Sullivan as saying at yesterday's sessions, quote, no one country, no one group can solve
this problem. Transnational criminals are most often the perpetrators of ransomware crime,
and they often leverage global infrastructure and money laundering networks across multiple countries,
multiple jurisdictions to carry out their attacks.
End quote.
The gangs may be transnational, but there seems to be little doubt that they receive a safe harbor
and arguably a degree of toleration and encouragement from various states, especially Russia, which is most often mentioned in dispatches as the principal enabler of ransomware groups.
Australia's government has used the occasion of the conference to explain its own national
approach to ransomware, which its published strategy characterizes as aiming to make Australia
a harder target for this particular kind of attack. The legislative goals of the strategy are worth noting:
first, introducing specific mandatory ransomware incident reporting to the Australian government;
introducing a standalone offense for all forms of cyber extortion;
introducing a standalone aggravated offense for cybercriminals seeking to target critical infrastructure
as proposed to be regulated by the Security Legislation Amendment;
and modernizing legislation to ensure that cybercriminals are held to account for their actions
and law enforcement is able to track and seize or freeze their ill-gotten gains.
Comparable laws are likely to emerge in other nations concerned about controlling ransomware.
And finally, Moody's Investors Service has released a sector report in its series of
global cyber risk issuer surveys that looks at higher education. Some of the trends they note
are unsurprising. Cloud adoption by colleges and universities is up, for example, as it is in most other places.
Others are less obvious.
Private institutions, for example,
are spending more on cybersecurity
than are their public counterparts.
Moody's thinks this is probably due
to public universities' greater willingness
to rely on government-provided protection.
And institutions of higher education
are buying cyber insurance,
too. As Moody's puts it, among universities that carry standalone cyber insurance, the most common
policies include coverage of ransom payments, incident response, business interruption, and
regulatory fines. That is, colleges and universities are transferring about the same kinds of risk
that other businesses are insuring themselves against.
Do you know the status of your compliance controls right now? Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Chances are you or someone you know has been the target of social engineering,
and increasingly those seeking to do wrong are targeting specific high-value executives within an organization.
Our CyberWire UK correspondent, Carole Theriault,
shares this commentary on how bosses need to be mindful that they aren't inadvertently part of
the problem. In a recent conversation with Chris Kirsch, who's a social engineering expert,
in fact, he is one of the winners of DEF CON's social engineering capture the flag competitions.
I asked him, you know, the question that we ask all people that are experts in this space,
what can people do to protect themselves? What should people look out for? Well, look, first,
let's listen to what he said. And then let's chat a bit about how bosses can help or hinder cybersecurity.
The first one is if anybody calls you and you don't know them, like you don't know them by their voice or know exactly who they are and you'd recognize them.
You say, hey, can I call you back?
Right.
I'm sorry.
Can you give me 10 minutes?
I'll call you back. That allows you to verify their identity, to call them back on a
known number. They might give you a number because otherwise you're calling them back on their line,
you haven't gained anything. But if you're able to verify that number on a public resource,
on the company webpage, for example, and call them back, now you have a verified connection.
Another thing is if anybody puts time pressure on you to do something right then and there,
often combined with emotional pressure.
So, hey, I'm a CEO and we have to get this out for the board meeting right now.
Of course, you want to be helpful, even if it's the CEO or the assistant of the CEO.
If you say, hey, I'm sure you're aware there are a lot of people out there
that are scamming companies in this way.
I just want to make sure that we're doing the right thing.
I will prioritize this on my list.
I will get back to you immediately.
I just want to make sure that this is a legitimate call.
I think you won't ever get into trouble for that because I think there is more times where
the person who's calling you is actually a scammer in these situations than a real emergency that needs to be handled then and there.
And I would say, shout to all the bosses out there, if you kind of call someone and they
ask to verify you, you don't go scream at them saying, don't you know who I am, right?
Exactly.
Yeah.
Support that employee of putting that extra hurdle in place that might stop you actually getting ripped off.
Yeah. If somebody is getting angry at you and putting on more pressure, both inside a cybersecurity global firm
and outside for all types of organizations in different industries. And I can tell you that
the worst trainees are the bosses. It seems as though the more senior you are, the more self-important you might feel, and the less
inclined you are to accept that your behavior needs to be moderated to put your company at
less risk. And it's really frustrating because if a company does not have cybersecurity as one of its core fundamental responsibilities and is serving
and trusting people, well, don't blame me if your reputation takes a hit when you get your name
dragged through the press for being irresponsible. So I say do the right thing, do the training,
pay attention, and then repeat those tenets to your employees.
That is how you build a solid culture of cyber awareness in an organization.
This was Carole Theriault for the CyberWire.
is a full suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Dinah Davis.
She's the VP of R&D Operations at Arctic Wolf.
Dinah, it is always great to have you back.
You know, supply chain issues have been
in the news here, and I know it's something that you keep an eye on. I wanted to check in with you
today. What is on your mind when it comes to supply chain attacks and the whole framework around that?
So we are seeing a ton of supply chain attacks coming in, and I think it's important that we
understand how they happen. And the European Union Cybersecurity Report just recently came out, and they actually suggested a taxonomy for supply chain attacks so we could talk about them in a more constructive way so you can compare them to one another.
It's always helpful to kind of have that framework to do that. Plus, you know,
I got a math mind and I just like putting things in boxes and, you know, making them nice and tidy.
Yeah, nice and tidy. But I did like the framework. I think it helps simplify for people what a supply chain attack is. So there's basically four key elements in a supply chain attack. There's the supplier itself
and the supplier's assets. Okay. So let's, we'll use Kaseya as an example as we go,
as we go through this. Okay. Okay. So Kaseya is a supplier of, you know, a networking management
tool for customers and their assets are their servers, is their code, is all of that kind of
stuff, right? Then you have the customer and the customer assets, right? And so a supply chain
attack usually is the attackers go after the supplier and some of the supplier's assets
as a first attack. And the second attack is that they use those assets
that they've compromised to get to the customer
and then compromise the customer's assets, right?
And so that's why I kind of liked this framework.
And you can think about it like,
what are the attacks like to the supplier
and what are the attacks like to the customer?
And a lot of the time, you know, the supplier attacks are around exploiting software vulnerability.
But one aspect I never really thought of with the customer one is they're actually exploiting a trusted relationship.
So there is some technical, you know, attack that they're going to do, like a malware infection or something like that in the case of Kaseya.
But the biggest piece of it is they're attacking the fact that you trust your supplier.
So you're not double-checking on things because you trust your supplier.
So I like the framework there.
It helps ground things. Some other interesting things that the report had was that there was at least 24 supply chain attacks from January 2020 to early July 2021.
Big ones, right?
And the other thing I think is kind of scary with supply chain attacks is they attack one supplier and then how many customers do they get?
There's a big multiplier effect on them.
Yeah.
That trust issue, I think, is really kind of the ballgame here.
I mean, because you think when you go through the trouble of choosing your suppliers,
a big part of that is trust.
And that could be their place in the marketplace. It could
be their technical prowess. It could be a personal relationship that you have or built or anything
like that. It's one thing to establish that trust, but then to have it go on, to maintain it over
time. If I'm looking for my suppliers, is this a matter of checking in with them from time to time
and saying, you know, hey, you need to demonstrate to me
that you're meeting these standards?
Yeah, it absolutely is.
So like any company should make sure
they're identifying all of their suppliers, right?
You want to make sure you know what your risks are
with each supplier.
So if you look at Kaseya, Kaseya's tool
has admin access to your networks, right?
And it needs to, to do its job. There's no way it can manage your network and not have that
access, right? Right, right. So you need to define where your risks are with the suppliers,
and then look at what requirements you're going to put in place. What's the contract you signed
with them? If they are compromised, what are the repercussions on them?
Do they owe you a lot of money because they've messed you up?
What are those things that are in place?
It's not easy.
It's just not going to be easy because you have to trust suppliers.
You can't build everything yourself.
So you do have to just look at what risks you're willing to take and what risks you are not willing to take.
Right. But I think that consideration, we're at the point now where that consideration needs to be a part of every business's plans is what if one of our suppliers gets popped? Are we prepared
for that? Will we be able to detect that and so on,
right? Yes, exactly. All right. Well, Dinah Davis, thanks for joining us.
And that's the Cyber Wire. For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Trey Hester, Brandon Karp, Puru Prakash,
Justin Sabe, Tim Nodar, Joe Kerrigan, Carole Theriault, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris
Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. AI agents connect, prepare, and automate your data workflows, helping you gain insights,
receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.