CyberWire Daily - Official online channels hijacked in separate US, Philippine incidents. Update on MosesStaff, a ransomware group interested in politics, not profit. Costco breach. Ryuk money-laundering case.

Episode Date: November 15, 2021

Exploitation of a configuration error in the FBI’s Law Enforcement Enterprise Portal enables hackers to send bogus warning emails. Philippine Office of Civil Defense Twitter account briefly hijacked. Update on Iranian politically motivated threat group MosesStaff. Discount retailer Costco discloses a point-of-sale skimmer incident. Dinah Davis from Arctic Wolf tracks zero days. Rick the Toolman Howard drops by the studio. And the US seeks extradition of a Russian alt-coin baron on charges of laundering Ryuk’s money. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/219

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Exploitation of a configuration error in the FBI's Law Enforcement Enterprise Portal enables hackers to send bogus warning emails. The Philippine Office of Civil Defense Twitter account was briefly hijacked. Update on Iranian politically motivated threat group MosesStaff. Discount
Starting point is 00:02:16 retailer Costco discloses a point-of-sale skimmer incident. Dinah Davis from Arctic Wolf tracks zero days, Rick the Toolman Howard drops by the studio, and the U.S. seeks extradition of a Russian altcoin baron on charges of laundering Ryuk's money. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, November 15th, 2021. Messages that looked as if they were from the FBI early Saturday morning weren't. That is, they came from the Bureau's Law Enforcement Enterprise Portal, known as LEEP, a platform used to communicate with the FBI's partners in state and local law enforcement. But they were, in fact, sent by hackers, not by the FBI. The Bureau issued a terse preliminary statement later Saturday, updated on Sunday. It's short enough to quote in full, quote, The FBI is aware of a software misconfiguration that temporarily allowed
Starting point is 00:03:39 an actor to leverage the Law Enforcement Enterprise Portal to send fake emails. LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners. While the illegitimate email originated from an FBI-operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI's corporate email service. No actor was able to access or compromise any data or PII on the FBI's network. Once we learned of the incident, we quickly remediated the software vulnerability,
Starting point is 00:04:14 warned partners to disregard the fake emails, and confirmed the integrity of our networks. End quote. Twitter threads from both Spamhaus and Kevin Beaumont provided an interesting early account as the emails appeared. The emails originated from FBI servers. Their headers show an origin verified by the DomainKeys Identified Mail system. Spamhaus reproduced the headers. The sending IP address and the from lines look legitimate because they are. There's no obvious criminal motive beyond perhaps the malign lulz of perhaps disrupting networks that
Starting point is 00:04:54 were shut down as a precaution or of darkening counsel by eroding confidence in FBI warnings. Or it may be the simple coup counting one sees among cases of arrested development who like to show the grown-ups that they're not so smart. But we shall see. The bogus warning read as follows, quote, Our intelligence monitoring indicated exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to black hole the transit nodes used by this advanced persistent threat actor. However, there is a huge chance he will modify his attack with fast flux technologies, which he proxies through multiple global accelerators. We identified
Starting point is 00:05:37 the threat actor to be Vinny Troia, whom is believed to be affiliated with the extortion gang the Dark Overlord. We highly recommend you to check your systems and IDS monitoring. Beware, this threat actor is currently working under inspection of the NCCIC. As we are dependent on some of his intelligence research, we cannot interfere physically within four hours, which could be enough time to cause severe damage to your infrastructure. Stay safe. End quote. And it signed, U.S. Department of Homeland Security, Cyber Threat Detection and Analysis, Network Analysis Group. Krebs on Security calls out poor coding on the FBI's Criminal Justice Information Services portal,
Starting point is 00:06:19 a service used for sharing law enforcement information. The hacker who counted coup, who goes by the hacker name Pompompurin, told Krebs on Security that he did what he did to show up poor security practices at the FBI, and indeed the Bureau has some digital egg on its virtual face. There's also a gratuitous and facially ridiculous shot at Vinny Troia, founder of security firms NightLion and Shadowbyte, asserting that he's a known associate of the Dark Overlord criminal actor. Bleeping Computer points out that Troia has long been the object of taunts and defamation
Starting point is 00:06:58 from some of the lulzsters over at RaidForums. They typically warn Mr. Troia when they're about to mess with him, and they did so this time as well. Troia retweeted their message, quote, At Vinny Troia, you're about to get lit up today. Spam attack involving your name, end quote. A stupid prank, and by the way, good hunting, FBI. Troia, by the way, says he intends to blog Mr. Pompompurin's real name tomorrow. The Twitter account of the Philippines Office of Civil Defense was briefly hacked early Sunday and used to churn out unusual messages having nothing to do with civil defense or disaster preparation, the Manila Inquirer reports. The tweets mostly involved celebrity-themed Bitcoin speculation.
Starting point is 00:07:48 Check Point this morning released an update on the Iranian threat group MosesStaff. Activist or government-directed, MosesStaff operates like a ransomware gang, but its motive appears to be purely political. It seeks to damage Israeli companies by stealing data, encrypting the victims' files with DiskCryptor, and then releasing the data online. MosesStaff issues no ransom demands and explains its program as, quote, fighting against the resistance and exposing the crimes of the Zionists in the occupied territories, end quote. The large U.S. discount retailer Costco warned customers last week that it had found a credit card skimmer in one of its Chicago-area warehouses,
Starting point is 00:08:38 and that customers should be alert to the possibility of credit card fraud. Warehouse in Costco's usage means store. The company is commonly described as a warehouse club. ZDNet reports that some Costco customers had complained of fraudulent paycard charges shortly before the skimmer was found. The U.S. is seeking the extradition of Denis Dubnikov, a Russian altcoin entrepreneur who founded EggChange and CryptoCoyote, on charges of allegedly laundering money on behalf of the Ryuk ransomware gang, the Wall Street Journal reports. Mr. Dubnikov was
Starting point is 00:09:13 vacationing in Mexico where, on November 3rd, authorities seized him and put him on a flight to Amsterdam, where he's currently being held by Dutch authorities on a U.S. warrant. It's the first arrest the U.S. has sought in cases involving Ryuk. Much of the comment on Ryuk and CNN's representative have mentioned Ryuk's involvement in attacks on health care facilities. Mr. Dubnikov is, of course, fighting extradition and denies involvement in money laundering. He intends to plead not guilty, his attorney, Arkady Bukh, says, because he had no knowledge of someone engaging in criminal
Starting point is 00:09:52 activity. Sputnik reflects the outrage of Russian cryptocurrency traders and presumably their licit, semi-licit, and illicit customers, with a headline that says Mr. Dubnikov was practically kidnapped by the FBI in Mexico. The semi-official Russian outlet quotes the aforementioned Mr. Bukh as their source for the kidnapping angle, quote, Dubnikov was detained in Mexico but expelled because Mexico doesn't have such an ideal extradition policy as the Netherlands. They have bought a ticket, in other words, they have in fact kidnapped him and sent to the United States, end quote. They're thinking of cutting their extradition fight short, however, and just fighting the charges in the U.S., the attorney added, quote, so far we do not agree to extradition, but we will probably give our consent later
Starting point is 00:10:57 because the Netherlands is a country where the fight against extradition is statistically meaningless. We are studying. Maybe it is worth agreeing to a quick extradition and sorting it Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:11:42 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:12:03 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives
Starting point is 00:12:56 and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Rick Howard. He is the CyberWire's Chief Security Officer and also our Chief Analyst. Rick, always great to have you back. Hey, Dave. So for this week's CSO Perspectives episode, you are launching a new series called
Starting point is 00:13:27 Rick the Toolman. Damn straight. Which I thought was interesting. Yeah. What caught my eye in the notes that you sent over was the obvious similarity to how that sounded
Starting point is 00:13:37 in my head compared to one of my favorite 90s TV shows, Home Improvement. Are you going to humor me and tell me that's what you're going for here? Well, you got it exactly right, Dave. That's what I was going for.
Starting point is 00:13:53 The guy that starred in that show was Tim Allen, and he's one of my favorite comics and actors, and who, by the way, starred in Galaxy Quest, a perennial nerd favorite. And he played Buzz Lightyear. Buzz Lightyear, yeah. Buzz Lightyear, man. Come on. Right, right.
Starting point is 00:14:09 So in this 90s TV show, he plays a guy who runs a local public television show that's kind of modeled after the real world PBS long running TV show called This Old House. You remember watching This Old House? Absolutely. Yeah. Yeah. And so his nickname on the show is Tim the Toolman, so I thought I would borrow that little thing for this new series.
Starting point is 00:14:30 All right, well, I'm sold. Say no more. I don't know what your series is about, but I definitely enjoyed that show. I know, right? So here's the idea, okay? It's that security executives manage teams of security practitioners, and these practitioners all have a toolbox of their favorite tools they use to keep the organization safe. Everything from hardware and software products like firewalls, intrusion detection systems, and endpoint protection systems, but also things like frameworks and compliance standards like the NIST cybersecurity framework and, you know, the U.S. FedRAMP program. So, these security executives don't necessarily have to know how to turn the wrenches on these tools.
Starting point is 00:15:10 And in fact, I've been personally told in previous jobs to keep my hands out of there because of the high probability that I would screw something up. I'm not saying that I ever did that, but I'm not saying that. You know, I'm just going to plead the fifth here. Sure, sure. Got it. Got it. So, if this Rick the Toolman series is not about turning the wrenches and the dials on these tools, what exactly is it about? Well, I think it goes without saying that it's tough to lead an organization if you don't understand what it's capable of. And that's some combination of the skill sets on your teams and the tools that they are using.
Starting point is 00:15:45 So as a security executive, you should have a pretty good understanding of how the tools in the toolbox can be applied to your organization. And for this week's first show, we're going to talk about the MITRE ATT&CK framework, what it is, and how you should be thinking about it at the strategic level so that you can direct your teams tactically in their day-to-day operations. All right. Well, it is CSO Perspectives. It is part of CyberWire Pro. You can find that on our website, thecyberwire.com. Rick Howard, thanks for joining us. Thank you, sir. Thank you. suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And joining me once again is Dinah Davis. She is VP of R&D Operations at Arctic Wolf,
Starting point is 00:17:20 also the founder and editor-in-chief at Code Like a Girl. Dinah, it is always great to have you back. You know, we're coming towards that time, towards the end of 2021, and I thought it'd be a great time to check in with you on where we are in 2021, sort of taking stock when it came to zero days. What can you share with us? Yeah, this one was really interesting. I saw this article pop up on the MIT Technology Review in the past week.
Starting point is 00:17:49 And so far in 2021, we have more than doubled the amount of zero days that were found in 2020. And the interesting thing is the article also links to a Google Doc that has all of the zero days that they have been tracking since about 2014. And it seems to have been doubling, you know, every year for a while now. So the question is, like, why? Why is it doubled this year? Are we just looking more, you know? Are we better at looking or are they actually being spun up? I think it's like a mix of all of those things.
Starting point is 00:18:28 You know, there's more hacking tools available today than there were before. So people are, you know, sponsoring that and throwing money at that because those zero days are key for them in their spying espionage ways. And so even this year, China is suspected of at least nine of the zero days of having originated with them. What about the market for these? I mean, people are buying and selling them. That's active as well. Yeah. I mean, not everybody can throw all their money towards people to try and find them, right? There's lots of these ransomware gangs out there that, you know, want access to these zero days, but don't necessarily have the skills or the tool sets to
Starting point is 00:19:22 create them. So they're buying them and that's making the market even hotter, right? It's a capitalism at its best, I guess. And then, you know, finally, I think we're getting better at detecting them, right? Organizations and groups, we're spending more money looking for them as well and protecting ourselves from them. And because of that, and because more groups are working together, we're getting better at detecting more of the sophisticated attacks. Like more minds together is always better, right? A bunch of smart people in a room together are going to find more than one person on their lonesome. And then I think the pandemic's had an effect on this as well, where a lot of security researchers and stuff were, you know, bored at home.
Starting point is 00:20:07 And they were able to do a little bit more digging and find those zero days. And I think also the question really does remain, are there actually way more or are we finding more? Yeah. I think the jury's out on that one. Yeah. Interesting. All right. Well, Dinah Davis, thanks for joining us.
Starting point is 00:20:39 And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security Hah. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. And check out the Recorded Future podcast, which I also host. The subject there is threat intelligence, and every week we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com slash podcast. The CyberWire podcast is proudly
Starting point is 00:21:17 produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Trey Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Thank you. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Starting point is 00:22:31 Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
