CyberWire Daily - Privacy and the Pandora Papers. Flubot’s scare tactics. Exploiting an account recovery system. Conti warns victims not to talk to the press. An international meeting on cybercrime? A ransomware bust.

Episode Date: October 4, 2021

The Pandora Papers leak erstwhile private financial transactions by the rich and well-connected (and it’s 150 mainstream news organizations who cooperated in bringing them to light). Flubot is using... itself to scare victims into installing Flubot. Coinbase thieves exploited account recovery systems to obtain 2FA credentials. The US plans to convene an international conference on fighting cybercrime. Conti warns its victims not to talk to reporters. Andrea Little Limbago from Interos on modeling cyber risk. Carole Theriault has thoughts on facial recognition software. And a ransomware bust in Ukraine leads us to ask, why Capri Sun. (Think about it, kids.) For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/191 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. The Pandora Papers leak erstwhile private financial transactions by the rich and well-connected. FluBot is using itself to scare victims into installing FluBot. Coinbase thieves exploited account recovery systems to obtain 2FA credentials. The U.S. plans to convene an international conference on fighting cybercrime.
Starting point is 00:02:19 Conti warns its victims not to talk to reporters. Andrea Little-Limbago from Interos on modeling cyber risk, Carole Theriault has thoughts on facial recognition software, and a ransomware bust in Ukraine leads us to ask, why Capri Sun? From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, October 4th, 2021. First, a quick note on a developing story. Facebook, Instagram, and WhatsApp are all experiencing outages. The Associated Press is calling the situation a worldwide outage.
Starting point is 00:03:21 The appearance is that Facebook withdrew DNS routes, but the cause of the outage is unclear. Much initial speculation suggests that it's an accident, not an attack. Facebook tweeted, quote, We're aware that some people are having trouble accessing our apps and products. We're working to get things back to normal as quickly as possible, and we apologize for any inconvenience, end quote. As we say, the story is still developing, and we'll be following it as it continues to unfold. The Pandora Papers, a 2.94 terabyte leak of financial data about rulers, oligarchs, billionaires, and other prominent people,
Starting point is 00:03:56 has been obtained and published by the International Consortium of Investigative Journalists, the ICIJ for short. Quote, millions of leaked documents and the biggest journalism partnership in history have uncovered financial secrets of 35 current and former world leaders, more than 330 politicians and public officials in 91 countries and territories,
Starting point is 00:04:20 and a global lineup of fugitives, con artists, and murderers, end quote. The partners in the investigation included 150 news outlets. A small selection of that list of partners includes the Washington Post, the BBC, the Guardian, Radio France, the Indian Express, Zimbabwe's The Standard, Morocco's Le Desk, and Ecuador's Diario El Universo. The take, which itself derives from multiple sources, noses out the single-source Panama Papers,
Starting point is 00:04:54 which had previously stood atop the leaderboard of leaks involving the lifestyles of the rich and famous. The papers were obtained from 14 distinct financial services and law firms. The ICIJ characterized the leak as providing, quote, a sweeping look at an industry that helps the world's ultra-wealthy, powerful government officials and other elites conceal trillions of dollars from tax authorities, prosecutors, and others. End quote. There's nothing necessarily illegal about the shifting of funds,
Starting point is 00:05:23 as the ICIJ itself points out. Such transactions are not against the law in many, perhaps most, jurisdictions. The problem the ICIJ sees is that an elaborate system has grown up to shield the well-connected from burdens others bear, and to do so without much, if any, public scrutiny. Some U.S. states have enacted financial privacy laws that make them attractive locations for the kind of activity the report details. Most prominently, the ICIJ quotes sources telling it South Dakota, Delaware, Nevada, and Alaska. 336 politicians are mentioned in dispatches. Ukraine leads with 38.
Starting point is 00:06:05 Russia places second with 19. The Guardian says that a spokesman for Russian President Putin has dismissed the material in the Pandora Papers as unsubstantiated. FluBot's operators are running a scareware campaign designed to get victims to install the malware. The come-on, CERT-NZ warns, is itself a warning against FluBot. Quote, The installation page for FluBot has changed to look like a warning page.
Starting point is 00:06:35 If you see this page, close the page immediately and do not click install security update. End quote. FluBot, Bleeping Computer explains, depends heavily on social engineering to gain access to, and eventually what amounts to complete control over, an Android device and its user's data. Coinbase accounts used two-factor authentication, but attackers were able to access and steal from some 6,000 users, InfoSecurity magazine reports. The thieves obtained email addresses, passwords, and phone numbers from some other sources, and then, Coinbase's disclosure explains,
Starting point is 00:07:17 were able to exploit a weakness in Coinbase's account recovery system to get a second-factor authentication code via SMS. Late Friday, prompted by a nasty wave of recent ransomware privateering and the arrival of Cybersecurity Awareness Month, U.S. President Biden announced plans to convene a discussion among some 30 countries where they might arrive at a joint coordinated response to cybercrime. Which nations in particular the U.S. intends to invite to the table hasn't yet been announced. The relevant section of the statement says, quote, We are also partnering closely with nations around the world on these shared threats, including our NATO allies and G7 partners. This month, the United States will bring together
Starting point is 00:07:57 30 countries to accelerate our cooperation in combating cybercrime, improving law enforcement collaboration, stemming the illicit use of cryptocurrency, and engaging on these issues diplomatically. We are building a coalition of nations to advocate for and invest in trusted 5G technology and to better secure our supply chains. And we are bringing the full strength of our capabilities to disrupt malicious cyber activity, including managing both the risks and opportunities of emerging technologies. The president concludes his whole-of-nation appeal by commending digital hygiene to the citizens, urging all Americans to lock our digital doors, and urging tech companies to build technologies securely by design.
Starting point is 00:08:48 The Conti ransomware gang really doesn't want its victims engaging the media. The gang has threatened to dump the data they've stolen should they get wind of a target's talking to reporters, The Record says. It's not a surprising move, given the cynical positioning ransomware gangs have engaged in to depict themselves as something akin to a recovery service or a pen testing operation. It seems natural that they should attempt to enforce a gangland version of a non-disclosure agreement. The gang's statement on their policy is worth quoting in its entirety from The Record. First, quote, if we see a clear indication of our negotiations being sent to the media, we will terminate the negotiations and dump all the files on our blog.
Starting point is 00:09:32 We are the best team, and you can Google what estimated revenue we have. This became possible only due to our outstanding reputation. Thus, if we need to sacrifice another 10 million to cut the negotiations but protect our name, don't doubt, we will do so. End quote. Note the advertorial best team, and Google it if you don't believe them, and outstanding reputation. Second, here's what happens if you do talk to someone. Quote, if we see our chats in public, we will also dump your files. If this happens after the ransom is already paid by the target who shared our chats, we will dump somebody else's files as retaliation. We will not care if you directly shared our chats with the media researchers
Starting point is 00:10:16 or if they extracted it from VirusTotal after you uploaded our samples there. Since the security firms who share chats via their pocket journalists have no concept End quote. Well, contempt for the contemptible. May Conti's success and high reputation be rewarded with matched sets of bracelets, courtesy of whatever jurisdiction eventually snaps them up. And finally, the Ukrainian National Police, with cooperation from their international partners Europol, the French National Gendarmerie,
Starting point is 00:11:04 and the United States Federal Bureau of Investigation made two arrests in a ransomware case. The two gentlemen of alleged crime were arrested last week in Kiev. Ukrainian police said that the two were responsible for ransomware attacks on more than 100 foreign companies. Europol declined to name what gang, if any, the two men were affiliated with.
Starting point is 00:11:26 The investigation is still ongoing, and Europol has no wish to tip anyone's hand. Photographs of the alleged criminals' den of crime are remarkably unprepossessing. There are boxes of U.S. $100 bills, Benjamin Franklin's picture easily recognizable, and a simple table supporting what looks like a gamer's desktop, a red dragon motif on the front and a neon-esque decoration on the side. A keyboard, microphone, and headphones are next to the workstation proper. Musical keyboard, that is. Poised atop the desktop are three Capri Sun juice pouches. We don't know about you, but to us, nothing says, I am a case of arrested development living in my parents' basement, like a stash of Capri Sun.
Starting point is 00:12:14 A serious crook would be drinking instant coffee. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
Starting point is 00:12:58 They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:14:18 How do you feel about facial recognition? Your answer to that question could fall amongst a broad spectrum of feelings and conclusions, security tool or privacy nightmare, or something else. Our UK correspondent, Carole Theriault, has been pondering facial recognition, and she offers these thoughts. Today, I want to talk about facial recognition or face prints. Now first, facial recognition is definitely big business. In 2018, the facial recognition market was $4 billion, but it's predicted to grow to $10 billion in four years' time, by 2025. So what exactly is facial recognition? Techopedia defines facial recognition as a biometric software application capable of uniquely identifying or verifying a person by comparing and analyzing patterns based on a person's facial contours. So simply put, everyone has a unique facial structure
Starting point is 00:15:21 and this software is able to analyze features to identify who you are. Panda Security described how facial recognition worked in four simple steps. Step one is detect a face. Amongst all the other noise, it needs to be able to say, oh, I see a face in the same way that your smartphone might try and detect a face when you're taking a portrait. Second is facial analysis. So the photo is captured and analyzed, looking for all the tiny points of difference in your face that makes it unique from anybody else's. Then all that information needs to be crunched and turned into data. And that data, this code, is what is the face print. Once the face print has been converted, it can be used to find a match in a database of other face prints. Now, of course, some of us are pushing for increased use of this technology, particularly following a pandemic. Isn't it nice not to have to
Starting point is 00:16:20 touch things that other people are touching all the time? It's been used to authenticate students in schools. It's been used by airlines like Delta and JetBlue to identify passengers. It's been used in grocery stores and bars to make sure that people are old enough to buy alcohol. It's also been used to stop shoplifting. It's been used by the authorities to try and identify suspects. And let us not forget the thousands upon thousands upon thousands of apps that collect biometric data directly from your device. But here are a few things to consider.
Starting point is 00:16:57 How long are they planning to hold on to all this data? How are they going to use it in the future? Remember, this is not a number that can be changed. This is your face. And unless you get drastic plastic surgery, you will be able to be identified at any time. Think about it. This technology is not just in the hands of professionals that have signed an oath of conduct. How much ethics training do you think the technicians are being given by companies out there with this tech? online, of using apps that collect biometric data. And just check the IoT devices like your TV or your home assistant or your computer are not collecting and storing this information without your full consent. Note that you may have actually agreed to it in the tiny terms and conditions. You can always go and check those. In short, look after
Starting point is 00:18:06 your privacy by looking after your face. This was Carole Theriault for The Cyber Wire. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default
Starting point is 00:18:53 deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Andrea Little-Limbago. She is the Vice President of Research and Analysis at Interos. Andrea, it's always great to have you back. I want to touch today on this whole concept of being able to model cyber risk and get some of your insights on that. What can you share with us today? Yeah, thanks, Dave. It's always fun to have these conversations with you. When thinking about cyber risk, I think very much so it's one of those areas where we're still stuck in some of these frameworks from previous eras that worked well enough,
Starting point is 00:19:43 but as the world's evolving very, very quickly and as technologies are evolving, we're starting to realize that what we were doing before is necessary but not necessarily sufficient for where we need to be going to be prepared for cyber risk going forward. And so a lot of the core facets that we still rely on, multi-factor authentication, encryption, what we consider the basics of cyber hygiene, 100% are essential. And in many cases, we still haven't actually cracked the nut on ensuring companies are following some of those best practices. But at the same time, what we still really rely on
Starting point is 00:20:14 are a lot of self-assessments, which makes it hard. I mean, if you're grading yourself, we're all going to be doing great. Not all the time, but that's generally how it goes. And then you also, the alternate look at it is leveraging technology and machine learning and basically being able to leverage some of those concepts to see what's exposed online and so forth. And it's nice seeing some of the evolution in that area. But both areas where we really need to start focusing even more so is starting to get into building out the foundation so we can have some of those actual firm level assessments being a little bit more independent. And even some of
Starting point is 00:20:49 the independent evaluations aren't always independent, right? And then on the machine learning side, really starting to take advantage of that and combine the two. But I'd say even on top of that, that's sort of where we've gone so far. But then incorporating other kinds of concepts such as what industry are the various companies and where are they located? And what we haven't done a great job is really honing in almost on the threat model at an even higher level than just the firm, seeing where they sit within the world. Are we at the point where we have enough data to successfully model these sorts of things? Can the machine learning systems, do they have enough that we can be confident that what we're getting out of them
Starting point is 00:21:28 is a certain degree of reliable? Yeah, and that's a great question because that's what we still, you know, I'll be the first one to not say machine learning solves every problem because we see that, I think, too much when we used to walk around the conference floors that, you know, push the button.
Starting point is 00:21:42 I think that you can, I think, and, you know, we're getting there and at a minimum, it can help provide some additional insights. And cybersecurity is just such an interesting area where we're really overwhelmed with the amount of data that is available for analysis, but at the same time, we're very data poor because we don't have access to the right data and have a very hard time sort of filtering out and getting to what we need to know and what we need to get to as fast as possible. So there's a lot of room for advancement there. But even at a higher level, leveraging some aspects of data analytics and technology, we can get to the point where we do know, you know, either based on the whole range of vendor reports that are out there,
Starting point is 00:22:17 like providing a lot of useful information as far as certain industries, or you're looking at, you know, some analyses as far as at the country level where certain, for instance, there was a good report earlier this year on Brazil. And basically, the ransomware that was really prevalent in Brazil wasn't the same that was prevalent elsewhere. And so if we start thinking about looking beyond just saying everything's the same everywhere and making it more nuanced, saying, okay, within this country and within this industry, a firm is going to be more likely to be exposed to, you know, these kinds of risks. And we don't really look at it that way. And that's where you, again, as a, from a social science perspective, those are the areas that I'd want to augment on top of what we were already doing and really thinking about, you know, customizing that threat model based on, you know, where they're situated as well. And that's where there's a lot of room, you know, to do some interesting work, both by leveraging the data of a lot of vendors that have, you know,
Starting point is 00:23:03 have already been out there doing that, but also just doing our own analyses to look at, even in VirusTotal, as far as where are some of the, what's getting populated there and where is it coming from. Then when you start thinking about how you're tuning your endpoint detection and so forth, those kind of security tools, you may want to have them targeted much more so on what kind of attacks you're going to be getting in certain locations. And so there's a lot of interesting work, I think, that's starting up in that area and a lot more to be done if we really sort of open the aperture of how we think about cyber risk. So this sort of thing could provide you with insights on where to place your limited resources,
Starting point is 00:23:40 be they financial or human resources or those sorts of things, give you a better idea of perhaps where your actual risk lies? Yeah, no, that's exactly. And that's, you know, the goal should be for any of these kind of risk models that are made are to help really under-resourced companies figure out how to best use the minimal resources they have. And so the more that we can move from cover everything from everywhere all the time to really focusing on here's what you're more likely to see, here's how frequently it's most likely to be, here's the vectors that they're more likely to be using, and customizing it in that way,
Starting point is 00:24:14 the better off we're going to be thinking about cyber risk. And even taking it a step further, and not just looking at your own headquarters, but where are the rest of your larger footprint across the globe as well? Because those are the vector, those are the entryways as well into your system, into your network. Yeah. All right. Well, interesting stuff. Andrea Little-Limbago, thanks for joining us. Great. Thanks so much. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation
Starting point is 00:25:05 of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karp, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
Starting point is 00:25:22 John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
