CyberWire Daily - Notes from the underworld: phishing with hardware, DarkSide impersonation, and cyber vigilantes. Data incidents, and a conviction for a crypter.
Episode Date: June 18, 2021
Phishing, with a bogus hardware wallet as bait. Empty threats from a DarkSide impersonator. Cyber vigilantes may be distributing anti-piracy malware. Data security incidents at a cruise line and a US grocery chain. Malek Ben Salem from Accenture looks at optimizing security scanning. Our guest is Edward Roberts of Imperva on their 2021 Bad Bots Report. And a conviction for a crypter, with sentencing to follow. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/117 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Phishing with a bogus hardware wallet as bait,
empty threats from a DarkSide impersonator,
cyber vigilantes may be distributing anti-piracy malware,
data security incidents at a cruise line and a U.S. grocery chain.
Malek Ben Salem from Accenture looks at optimizing security scanning.
Our guest is Edward Roberts of Imperva on their 2021 Bad Bot Report,
and a conviction for a crypter with a sentence to follow.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday,
June 18th, 2021.
We're accustomed to phishing by email, and vishing is also now a fairly commonplace threat. There's a new approach,
however, that dangles its bait in the form of a dongle. Hot for Security, reminding readers that almost three-quarters of a million customers of the hardware wallet Ledger had their email and
physical addresses compromised last December, thinks we now know why. It appears to have been the onset of an elaborate phishing
effort. Some Ledger users have received what appear to be replacement wallet hardware units.
They are, however, bogus and represent an attempt to steal keys and cryptocurrency.
Bleeping Computer has pictures of the devices and an account of the poorly written scam text that accompanied them.
The device itself came in a slick, well-made, and professionally shrink-wrapped box,
and the bogus key looks legit enough to be persuasive,
but the accompanying letter should have blown the gaff to any moderately aware recipient,
composed, as it was, in jarringly bad English, with the poor idiomatic
control characteristic of the cybercriminal. Here's a sample Bleeping Computer shared.
It starts off well enough. The letterhead is convincing, and the first two paragraphs
explain in respectable enough discourse prose that, unfortunately, Ledger was subjected to
a cyberattack in July of last year,
and that contents of its customer database were dumped on RaidForum.
So far, so good.
But after the first two paragraphs, the quality of the prose falls off dramatically.
The crooks write, quote,
For this reason, for security purposes, we have sent you a new device.
You must switch to a new device to stay safe. There is a manual inside your new box. As the copy editors say, sic, especially after kinda.
It's not quite Shadow Brokerese, but it's on that path.
All in all, however, someone went to a lot of trouble to be convincing.
When the criminal market starts to advertise for editors, Katie bar the door.
Another point worth noting is the way in which the lie is surrounded with the customary bodyguard of truth.
In fact, information about Ledger customers was indeed dumped on the Raid Forum hackers' site last year.
Ledger has been warning its customers about the breach since December 20th.
Success breeds imitation, proverbially the sincerest form of flattery,
and this is no less true of criminal success than it is of legitimate achievement.
Sometimes that imitation rises to the level of impersonation.
Dark Side is the latest subject of such flattery.
Trend Micro this morning reported that imitators are sending extortion emails
to companies in the energy and food sectors.
The target selection would seem to
be shaped by the recent notoriety of ransomware attacks against Colonial Pipeline and the JBS
Food Processing Company. The emails began to circulate on June 4th, with a few being dispatched
daily. The text begins with a matey, hi, this is DarkSide, and goes on to talk large about what it's accomplished
against the recipient's systems. Quote, it took us a lot of time to hack your servers and access
all your accounting reporting. Also, we got access to many financial documents and other data that
can greatly affect your reputation if we publish them. It was difficult, but luck was helped by us.
One of your employees is extremely unqualified in network security issues.
You could hear about us from the press.
Recently, we held a successful attack on the JBS.
For non-disclosure of your confidential information, we require not so much.
100 bitcoins.
Think about it.
These documents may be interesting not only by ordinary people,
but also by the tax service and other organizations.
If they are in open access, we are not going to wait long. You have several days. End quote.
So there.
There are several things wrong with this, apart from the appearance of having been written by the same people
who composed the third and fourth paragraphs of the letter that accompanied those bogus Ledger hardware wallets.
For one thing, JBS wasn't hit by DarkSide, but rather by another gang, REvil, and that doesn't lend the pitch very much verisimilitude.
Second, there's been no reported disruption of the target's operations.
DarkSide usually sends its ransom note after the victim sees a problem.
And third, there's no offer of any sample documents as evidence that the extortionists have the goods on the victim.
So, the whole thing seems to be a tacky commercial analog of the low-grade sextortion emails that tell you, falsely,
they've got saucy pictures of you that you'd probably prefer not to be plastered across the internet.
Japan has been most affected, followed by Australia,
the United States, Argentina, Canada, and India,
with lesser rates of approach experienced by companies in China,
Colombia, Mexico, the Netherlands, Thailand, and the UK.
Trend Micro has some good news.
They've looked at the crypto wallet the goons have directed victims to,
and they've found no signs that anyone has actually paid up.
We've heard a fair bit about cyber-privateering lately, especially in the days surrounding the now-concluded Russo-American
summit. But cyber-vigilantism hasn't been in the news much until yesterday, at any rate.
You, of course, wouldn't download pirated software any more than we would, but suppose a friend were
to ask your opinion. Rights and wrongs aside, even the basest self-interest should now lead that hypothetical friend to avoid doing so.
Sophos has described what appears to be a strain of Vigilante malware,
apparently designed to prevent infected computers from visiting pirate sites.
The malware has been distributed through BitTorrent and Discord,
disguised as pirated copies of games and other software products.
Vigilante is a reasonable first guess, but the operator's ultimate purpose remains murky. Sophos principal investigator
Andrew Brandt explained the ambiguities to Infosecurity Magazine. He said, quote,
On the face of it, the adversary's targets and tools suggest this could be some kind of crudely compiled anti-piracy vigilante operation. However, the attacker's vast potential target audience,
from gamers to business professionals, combined with the curious mix of dated and new tools,
techniques, and procedures, and the bizarre list of websites blocked by the malware,
all make the ultimate purpose of this operation a bit murky, end quote.
In any case, probably best to stay clear of the pirated software.
Two other data breaches are in the news today. Cruise line Carnival disclosed that it
sustained a data breach in March. The company told Bleeping Computer that the attackers accessed
limited portions of its information technology systems.
Some customer, employee, and crew information is believed to have been exposed,
but Carnival thinks the probability that the data have been misused is low.
And returning to shore, two unsecured cloud databases used by U.S. grocery chain Wegmans may have exposed customers' names, home and email addresses, phone numbers, birthdates, shoppers' club numbers, and hashed passwords to their store accounts, WCVB reports.
Finally, in a case the U.S. Justice Department says is an example of how seriously it intends to take ransomware,
Russian national Oleg Koshkin has been convicted on federal charges related to his operation of crypting websites,
including Crypt4U, which helped ransomware and other malware evade detection by antivirus programs.
The Department of Justice said that Koshkin and his co-conspirators, quote, claim that their services could be used for malware such as botnets, remote-access trojans, keyloggers, credential stealers, and cryptocurrency miners. End quote.
Mr. Koshkin faces a maximum penalty
of 15 years imprisonment.
He'll be sentenced on September 20th.
And before we go, a heartfelt happy Juneteenth
on this first observance of the newest U.S. federal holiday.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges
faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks. But get this, more than 8,000 companies like
Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your
executives and their families at home. Black Cloak's award-winning digital executive protection
platform secures their personal devices, home networks, and connected lives. Because when
executives are compromised at home, your company is at risk. In fact, over one-third of new members
discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
There's that old joke that on the internet, no one knows you're a dog.
And the same might be said for online bots.
Some bots are loud and obvious, while others do their best to hide the fact that they are, in fact, bots.
The team at Imperva recently published their 2021 Bad Bot Report,
and joining us with highlights is Imperva's Edward Roberts.
It's something that we've done for the past eight years.
So this is the eighth time we've published this report.
And we look at it as trying to aggregate the data across our platform to see the different kinds of bot traffic and human traffic that we see.
So this is an aggregate report of data across many industries globally, telling you about the traffic that's on
the internet and on websites around the globe. Well, let us have it. I mean, what's our bot
situation these days? What did you all find? I think what we found is that the bot traffic is
increasing again. It's the worst amount of bot traffic. And we've actually gone over a quarter of all internet traffic is classified as a bad bot.
That is doing something that you haven't allowed and you do not want them on your site.
It's automation that you haven't approved.
And so normally it's been in the 19% to 22% range.
And now we're just over the 25% range.
So it's creeping up. And I guess the one thing that's
the outlier this year is that the pandemic has obviously created a scenario where more and more
people are purchasing things online and having daily activities online. And so bot operators
have also been very active in there as well. So we think that's part of the driver.
One of the interesting findings that we have in the BadBot report this year was that we saw that every business that has a login page has an account takeover attack for 16% of their time
over a year. So that's literally from January to the end of February, you've got a continuous
ATO, account takeover, credential stuffing attack happening on your login page. So think about that
as a volume. If that's something that you want to take care of, that a lot of people would not
want the fraud that would follow those types of attacks. So that's kind of the average that we see.
That's remarkable. I mean, what,
one in seven, one in eight, I suppose, somewhere around there, the login attempts are fraudulent.
Yeah, we've actually, the actual number of the number of attempts is 34% of all login attempts
are fraudulent. But the amount of time that you suffer under these attacks, we said it's 16% of the time. So that's effectively two months period.
Yeah. Let's dig into that, Sam. I mean, obviously we've heard stories in the news about things like,
you know, being able to, having a hard time getting your hands on something like a PlayStation
because, you know, bots have scooped them all up. Is that something you all have been tracking here
through the pandemic? Absolutely. That is one of the big shifts. We would classify that as automated abuse called
scalping. And people typically have known as scalping in the ticketing for shows or sporting
events where you can scalp that ticket and get a premium price somewhere else, whether you sell it outside a
stadium or what. That moved online. So scalping is a well-known problem from bots in the ticketing
industry because there's the ability to make money off it if you can resell it at a higher
price for a high-demand show. What you've now is this has moved from shows, it's moved into the retail space.
And now you've got this perfect storm of the pandemic where you weren't able to walk into stores and actually purchase these items over the counter and walk out with it.
It all went online. So you actually had to go online to it.
So the bot operators suddenly realize if they can grab as many of these consoles as possible and hoard them, they can arbitrage the price and get that increased profit margin from it.
So it's a business for these bot operators.
So grabbing as many and hoarding as many of these gaming consoles as possible and then reselling them is how they're making their money and paying their mortgage.
When you all are tracking the activity of bots,
how many of the bots are out there trying to not look like bots?
Are there some that just do their business and are fine with everybody
knowing and seeing that they are bots, but others that try to look more human-like?
Yeah, I think we try and classify that as the sophistication level of the bots.
So the more sophisticated they are, they try and emulate human behavior.
They might move a mouse on a screen.
They might pause before clicks.
They might scroll the page.
They might have characteristics that make them appear more human-like because ultimately that's what businesses want on their website. They want humans on a browser, browsing, reading, purchasing goods, using services online.
And that's the perfect traffic for them because that's where their business is going to thrive.
What bots do is try and imitate that and look as human as possible.
So the more sophisticated they are, they try and evade whatever detections are in there, whether it be rate limits, or a lot of people might be familiar with putting a CAPTCHA in front of people to make them fill out, you know. So there is definitely the range of simple bots that get caught by very simple techniques.
And then there are more sophisticated that are trying to actively evade detection methods.
That's Edward Roberts from Imperva.
to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs
smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company
safe and compliant.
And I'm pleased to be joined once again by Malek Ben Salem. She is the Technology Research Director for Security at Accenture.
Malek, it's always great to have you back.
I want to touch base with you on application security.
We've seen the recent executive order come down from the presidential administration.
I know that's something that you and your team are working on.
Specifically, can we touch today on optimizing security scanning?
Yeah, sure. Thanks for having me back, Dave.
With the executive order, I think there has been calls for
even more scanning, more application scanning, and performing
various types of scans, you know, the static application security tests or SAST, DAST
scans, IAST scans, etc. But we know that these scans generate loads of findings that developers
may not be able to respond to in a timely manner, or they may not be able to respond to at all,
right, especially for the vulnerabilities that are not that critical.
So what we wanted to do is to help these development teams prioritize what they need to respond to.
And we do so by, you know, several optimizations. Number one, we generate some exploitability rankings for these vulnerabilities so that, you know, the teams respond to the findings that have the highest exploitability.
And some of the existing scanning tools do provide that, but we take it to the next level by adding some additional information about the vulnerabilities, such as their exploitability over time, their past exploitability.
But also, you know, these are scores that are available through the NVD database, right, through their common vulnerability scoring system.
They do provide some of these scores, such as the impact of the vulnerability and its exploitability.
But it's based on the likelihood of that vulnerability being exploited.
What we add is threat intelligence information about whether that vulnerability has been actually exploited,
whether we've seen POCs, right, proofs of concept of that vulnerability being exploited,
and how many of them do we see.
Now, we also include information about the vulnerability notability.
So if vulnerability is gaining notability in the media, that means it either
has been used or is very likely to be used by malicious actors. By combining all of these scores,
we come up with better exploitability rankings for these vulnerabilities that application development teams and security teams can use to prioritize which vulnerabilities they need to mitigate or remediate first.
So is it part of the notion here that you're providing a lot more context to the information that they're getting?
Absolutely. Absolutely. And that is key for these teams who are very time constrained.
The second thing we do actually is identify any correlated vulnerabilities or in some cases,
any false positives that the scanning tools generate. We have realized that a lot of the vulnerabilities being found are actually false
positives that teams do not have necessarily to respond to. And so we do some triaging to help
these teams, and we do that through different techniques. Number one, we look at duplicates
within the same scan.
So we review the same scan,
identify if there are any vulnerabilities
that have been reported twice or more,
and we remove those so that the teams, you know,
respond to fixing the vulnerability just once.
We correlate findings between different types of scans.
So we take the SAST scan and the DAST scan,
and we try to identify if there are vulnerabilities reported in the same scan
that are actually the same vulnerability.
Again, this would help the team just respond to one, right, mitigate just one,
instead of responding twice to these vulnerabilities reported differently on
two different reports. And then the third thing, we do correlation between scans. So what I talked
about between scans in different time windows, right? So earlier I talked about correlating
vulnerabilities between a SAST and a DAST scan, and that's at one snapshot.
But sometimes we can correlate a scan done, let's say, a week ago
with a scan that has been done today and look at the correlations
between the vulnerabilities between scans and remove any false positives
that have been identified in the previous scan
so that we don't have to respond to it again or analyze it in the current scan.
And what we found out is that we can identify between 50 and 80 percent of these false positives, and we're able to save about 64 percent of the security
analysts' time as they are reviewing these findings from the scans and as they
are trying to triage them, and this can be all enabled through artificial intelligence. That's fascinating.
I mean, obviously, you know, nothing is perfect,
and I suspect, you know, the AI is not perfect as well.
But, I mean, is the system constantly feeding back on itself
so that over time the results that it generates are also improving?
Absolutely. Absolutely.
It is constantly learning, and it's constantly applying or contextualizing information for particular clients because we know that the development environment for one of our clients may be different from another client. So we are optimizing that learning per client environment.
Yeah, interesting.
All right, well, fascinating stuff.
Malek Ben Salem, thanks for joining us.
Thank you, Dave.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out this weekend's edition of Research Saturday
and my conversation with Gage Mele and Yury Polozov from Anomali.
We're discussing Primitive Bear, Gamaredon, and its targeting of Ukraine with timely
themes. That's Research Saturday. Do check it out. The Cyber Wire podcast is proudly produced in
Maryland out of the startup studios of DataTribe, where they're co-building the next generation of
cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.
needs AI solutions that are not only ambitious, but also practical and adaptable. That's where
Domo's AI and data products platform comes in. With Domo, you can channel AI and data into
innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate
your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.