CyberWire Daily - Possible consequences of Afghanistan’s fall to the Taliban. Non-state actors’ political motives. Poly Network rewards “Mr. White Hat.” C2C offering will check your alt-coin. Breach at T-Mobile?
Episode Date: August 16, 2021

The Taliban has effectively taken control of Afghanistan, and the fall of Kabul is likely to have a quick, near-term effect on all forms of security. The Indra Group's actions against Iranian interests suggest the potential of non-state, politically motivated actors. Crooks returned almost all the money rifled from DeFi provider Poly Network. A new C2C service tells hoods if their alt-coin is clean. DeepBlueMagic is a new strain of ransomware. Chris Novak of Verizon on advancing incident response. Rick Howard is taking on Orchestration in this week's CSO Perspectives. And T-Mobile investigates claims of a data breach. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/157
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k.
The Taliban has effectively taken control of Afghanistan,
and the fall of Kabul is likely to have a quick, near-term effect on all forms of security.
The Indra Group's actions against Iranian interests suggest the potential of non-state, politically motivated actors.
Crooks return almost all the money rifled from DeFi provider Poly Network. A new C2C service tells hoods if their altcoin is clean.
DeepBlueMagic is a new strain of ransomware. Chris Novak from Verizon on advancing incident response. Rick Howard is taking on orchestration in this week's CSO Perspectives podcast. And T-Mobile investigates claims of a data breach.
From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Monday, August 16th, 2021.
The Taliban yesterday took Kabul and announced from the presidential palace the restoration of the Emirate of Afghanistan.
The effective collapse of Afghanistan's government Sunday and the country's general fall to the Taliban obviously represent a humanitarian disaster.
U.S. President Biden intends to address the fall of Kabul later this afternoon.
The details of the Taliban's swift return to power after the withdrawal of U.S. forces are
beyond the scope of our coverage, but the implications of the fall of Kabul for cybersecurity
will become clearer over the coming weeks.
ABC News reports that from the U.S. point of view,
it seems to have been more policy failure than intelligence failure,
or at least an intelligence failure in the sense that,
as sources in the U.S. intelligence community said anonymously,
their assessments were disregarded.
General Sir Nick Carter,
chief of the UK defence staff, told ABC News that the situation would inevitably embolden
Islamist radicalism, both in Afghanistan and elsewhere.
If we end up with a scenario where state fractures and you end up essentially with a security vacuum,
then there's absolutely the ideal conditions for international terrorism
and violent extremism to prosper yet again.
Go to ABC News and listen to the entire interview.
The Taliban's ascendancy may also augur an increase
in newly emboldened Islamist activity in cyberspace.
Historically, that had been largely concentrated on recruitment and operational
planning, then on radicalization and inspiration, and of course on website defacement. Website
defacement is unlikely to rise above the nuisance levels it achieved earlier. Whether sufficient
talent has or will be attracted to the movement to mount more disruptive or destructive attacks remains to be seen.
And, of course, a surge in radical inspiration in cyberspace can be expected to follow any Islamist success,
and the fall of Afghanistan is a major Islamist success indeed.
An example of what a non-state actor can accomplish in the ways of politically motivated cyber attacks may be seen in Iran's recent experience.
Security firm Check Point has more on the Indra group, an Iranian opposition group it believes to have been responsible for recent cyber attacks affecting Iran's rail system.
Some of the effects amounted to taunting defacement in station message boards.
But Check Point says that there was more to it than that.
The group deployed wipers against some of its targets,
and the code suggests that they were also behind operations against a range of companies in Syria during 2019 and 2020.
The company said, quote,
Check Point analyzed artifacts left by the cyberattack on Iran's train system, learning that the attack tools were technically and tactically similar to those used in malicious activity against multiple companies in Syria, end quote.
The New York Times thinks the incidents illustrate the growing capability of non-state actors, quote, an opposition group without the budget, personnel, or abilities of a government could still inflict a good deal of damage. End quote.
The Wall Street Journal reports that the thieves have returned almost all of the over $600 million taken from Poly Network.
All but about $33 million has been returned, with the outstanding balance entirely in Tether tokens that Tether had frozen in an attempt to recover its funds.
Reuters confirms that Poly Network has offered the hackers a $500,000 bug bounty.
The company has also publicly thanked the hacker, whom they refer to as Mr. White Hat, for helping them improve their security.
A question.
Is this a case in which the distinction between a bounty and an extortion payoff amounts to a distinction without a difference?
It seems unlikely that a criminal would swap $600 million for $500,000,
so the crooks may have felt the approach of the law and decided that discretion was the better part of valor.
On the other hand, half a million bucks is an awfully big bounty.
We imagine that there's more to this story.
As authorities and victims of various forms of online fraud have shown an ability to track and claw back ill-gotten altcoin, a subsector of the
C2C market has emerged, offering to verify that cryptocurrency being used for illicit
purposes is clean, untrackable, and unrecoverable.
The BBC reports that the analysis firm Elliptic has found and looked into a service on the darknet that's designed to do just that.
Elliptic told the BBC,
quote,
It's called anti-analysis,
and criminals are now able to check their own Bitcoin wallets and see whether any association with criminal activity could be flagged by authorities.
End quote.
So far it's imperfect,
but of course that can be expected to change
should anti-analysis proprietors be unmolested to improve their product.
Heimdal, the security company named for the guardian of Asgard's Rainbow Bridge,
late last week described a new strain of ransomware, DeepBlueMagic,
that abuses a legitimate third-party disk encryption tool by initiating but not finishing the encryption process.
DeepBlueMagic disables security software before beginning encryption,
subsequently deleting its own executables,
rendering it resistant to forensic analysis.
Heimdal says that it's found a way of restoring affected systems,
but DeepBlueMagic will bear watching.
Various ransomware gangs are actively exploiting the PrintNightmare Windows vulnerability, CyberScoop reports.
CrowdStrike last week reported that Magniber operators were using the vulnerability against targets in South Korea.
A little later, Cisco Talos described how the Vice Society, a criminal group that made its creepy bones by hitting school districts and healthcare organizations, has also turned to PrintNightmare.
This particular vulnerability has proven unusually difficult to fix.
Microsoft, and we disclose that Microsoft is a sponsor of the Cyber Wire, has both patched various aspects of the print spooler issue and recommended that users disable this particular service.
And finally, T-Mobile is investigating a criminal's claim to have breached a very large set of
customer data, possibly 100 million fullz, held by the mobile company, Reuters reports.
As we speak today, that investigation remains in progress
and we'll have some updates and industry reactions
in this afternoon's pro-privacy briefing.
One effect of the story, however, was already evident by late morning.
Barron's reports that T-Mobile stock was down by 3.5% in early trading.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time
checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows
like policies, access reviews, and reporting, and helps you get security questionnaires done
five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Rick Howard. He is the CyberWire's chief security officer, also our chief analyst, but more important than any of that, he is the host of the CSO Perspectives podcast, which is part of CyberWire Pro.
Rick, it's always great to have you back.
Thanks, Dave. I appreciate that.
So on this week's CSO Perspectives, you are talking about orchestration.
Now, I'm going to go out on a limb here and assume that you have not replaced Dimitar Nikolov as the musical director for the Philharmonia Orchestra in our great city of Baltimore.
So what exactly is going on here, Rick?
Well, you're right about that, Dave.
I had just under three years, count them, three, of my mom force-marching me to accordion lessons when I was just a wee lad.
So, yeah, I know. Oh boy.
Unless we want to, you know, the people of Baltimore want to hear a 55-year-old rendition of it. That's a more.
Okay. I think it's best that I stay off the stage.
Were the young ladies lined up around the block when they heard you playing the accordion?
I can only imagine.
They absolutely did.
Yeah.
And yes, I want to make that perfectly clear to everybody.
I said accordion lessons.
Yes, that was accordion.
Well, I learned something new here today.
And in addition to the endless pit of talent that you bring to the CyberWire, which never ceases to amaze me, what exactly is going on here when we're talking about orchestration?
Yeah, we're talking about orchestrating the security stack. update with high velocity, all of that software and hardware you're using to implement things like,
you know, zero trust and intrusion kill chain prevention, resilience, and risk forecasting.
Well, you know, I'm no expert when it comes to these things, but are you saying to me that
security people shouldn't just remotely log into these systems and just start making changes
manually? I mean, come on. What is the better way?
You know, a sad face. I think a lot of people are still doing that, all right? Because the crux of
it is that there are many different approaches, but none have really caught on as the community's
best practice that most of us are using. We have everything from using a standard DevOps model, to using our SOAR and SIEM tools to sort of bridge to the DevOps model, to installing a single-vendor orchestration platform from one of the big firewall vendors.
And finally, maybe moving our entire organization over to some SASE architecture.
And I realized that I just threw a metric ton of acronyms at everybody, all right?
But if they want to find out what all that means, they should just come listen to the show.
All right. Well, it is CSO Perspectives. It is part of CyberWire Pro. You can find out all about
that on our website, thecyberwire.com. And not only is he a chief security officer,
he is an accordion player. The chief accordion officer.
Accordion player extraordinaire.
That's right.
That's right.
Rick Howard, thanks for joining us.
You betcha, sir.
Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity.
That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And joining me once again is Chris Novak.
He's the global director of Verizon's Threat Research Advisory Center.
Chris, it's always great to have you back.
I wanted to touch today on incident response.
I know you and your team have been focused on this lately. It's something where you're looking on advancing your capabilities there.
What can you share with us?
Sure. Yeah, always great to be on the show, Dave. Thanks again.
So yeah, we're always looking to try to figure out what it is that we can be doing to evolve our capabilities, evolve the kind of outcomes that we can bring to clients when they're looking for help from an incident response perspective.
And, you know, when we look at things, you know, there's been the historical traditional
way of doing things.
You'd go on site, you'd grab disk images.
Heck, I remember back in the early days.
I mean, these are real early days.
I'm dating myself here.
But we'd go on site with a, you know with a binder full of floppy disks to boot up a
system. And then you'd have a hard drive you'd try to pull that data down on. And it would take
seemingly weeks to grab a forensic image. And obviously, things have evolved substantially
since then. Things have gotten so much faster. But we're trying to obviously move away from
that entire model altogether. Now, almost everything we do is able to be done remotely. We're able to extract a lot of triage data from systems without ever having to actually
physically lay hands on them. But one of the things we're trying to extend beyond that is,
you know, obviously everybody knows Verizon as a giant telco. One of the things we're trying to
take advantage of is some of our new capabilities around things like 5G and how we might be able to integrate 5G connectivity
and the speeds that that brings with our ability to provide a client
with out-of-band data collection, right?
So think of it as, you know, historically,
if we had to pull a lot of data out of an environment
for incident response purposes,
or we wanted to stream data out while there was maybe a live incident going on,
and we didn't want it going in and out the same pipes or crossing the same east-west corridors within
their network because, you know, maybe the threat actor is looking at it. Maybe the threat actor
has access to some of their infrastructure. Being able to drop in essentially a 5G transmitter
will allow us to actually be able to take that data and provide that organization
with a complete out-of-band mechanism of us being able to interact with them and them
being able to interact with us and being able to do it at gigabit plus speeds. And that's
something that just historically you just couldn't do before. You know, the shift we've seen, I'd say
the accelerated shift that we've seen to the cloud, thanks to so many organizations responding to COVID.
Does that make your life easier as well?
As you say, you don't necessarily have to be on site.
Yeah, it actually does.
So I think that it makes our life easier in the process of moving to cloud and replicating data from their instance to ours
for purposes of doing, you know, incident response or investigations.
I mean, that is almost as simple as a button click.
And the speed to do that is tremendous.
So that has been, you know, I'd say a huge improvement
that I think probably all of us in the incident response community have seen,
and same for our clients.
But then the other benefit we get out of that as well
is Verizon had announced that we've got a pretty extensive partnership with Amazon Web Services
as it relates to our 5G MEC capabilities. And so that actually goes one step further and says,
we not only have the ability to pull data at incredible speeds over 5G, but our 5G radio is literally
connected right to the edge of an AWS environment. So we can either push or pull data between,
think of it as a cloud environment over a gigabit plus out of band in and out of a customer
environment, just as seamlessly as we would do anything else. Yeah, that's fascinating. I mean, I have to say it's nice to hear of a specific use
case for 5G. I think for a lot of us, that's been a little fuzzy till now. So it's interesting to
hear a specific description like that. Yeah. I mean, that was something that our team was
always looking for as we said, hey, this is fantastic. It's great for streaming more movies
or all the other things people have talked about. But for us and my team as it relates to security, that out-of-band piece is critical.
I mean I'll give you a – for example, we had an organization that was suffering a fairly massive incident and they needed some really bad help.
And they were basically saying, look – they got to the point where they were basically saying that they were going to just shut down all of their internet connections worldwide.
They said, look, we need to get this under control before this gets worse. We're just going to shut down all of our internet connections. But then
the next question they had was, how do we get all of the necessary incident response data now out of
the environment? Trying to do that all via sneaker net is really just not feasible. And we said, well,
we could drop in wireless connectivity. And so we did some proof of concept around some of these
areas to be able to say, all right, let's see what we can actually move in and out.
We can drop in some of these things in strategic locations where we know we already have the 5G infrastructure in certain cities to be able to essentially pull that data out.
So that proof of concept was fantastic for us.
I expect that that'll be something that will be integrated more formally into a lot of our offerings going forward, especially as it relates to incident response.
All right.
Well, Chris Novak, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security, ha!
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
And check out the Recorded Future podcast, which I also host.
The subject there is threat intelligence,
and every week we talk to interesting people about timely cybersecurity topics.
That's at recordedfuture.com slash podcast.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
We'll see you back here tomorrow.
Thank you.