CyberWire Daily - Radiation disinformation. CISA warns that Trickbot is surging. FBI releases Internet Crime Report, Crypters get commodified. And notes from the underworld.
Episode Date: March 18, 2021
Disinformation about a radiation leak that wasn't. Another warning about Trickbot. The FBI says cybercrime cost victims more than $4.2 billion last year. Investigation and remediation of the SolarWinds and Exchange Server compromises continue. Crypters become a commodity for malware developers. Robert M. Lee from Dragos on lessons from the recent Texas power outages. Our guest is Bob Shaker from Norton Lifelock looking at baddies targeting online gamers. And some people are looking for jobs in all the wrong places. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/52 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Disinformation about a radiation leak that wasn't.
Another warning about TrickBot.
The FBI says cybercrime cost victims more than $4.2 billion last year.
Investigation and remediation of the SolarWinds and Exchange Server compromises continue.
Crypters become a commodity for malware developers. Robert M. Lee from Dragos on lessons from the recent Texas power outages.
Our guest is Bob Shaker from Norton LifeLock looking at baddies targeting online gamers.
And some people are looking for jobs
in all the wrong places.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Thursday, March 18, 2021.
Poland's government has provisionally attributed a disinformation effort about a bogus radiation threat to Russia, the Washington Post reports.
There were three channels for the propaganda.
Websites of the National Atomic Energy Agency and the health ministry were compromised
to briefly display fabricated claims of nuclear waste leaking into Poland from neighboring Lithuania,
and a Twitter account belonging to a journalist whose beat is Russia and Eastern Europe was also hijacked to push the same story.
It is, of course, bogus. There's no radiation leak in Lithuania, and there's no corresponding
threat to Poland. The Polish government representative who attributed the incident
to Russia did so on grounds of a priori probability,
but it's a pretty good guess as an argument to best explanation. Stanislaw Zarin, speaking for
the head of Poland's security services, told the Associated Press that, quote, the whole story
looked like a typical Russian attempt to sow suspicion and division among Western allies,
end quote. So Warsaw's betting
on form, and it's not a sucker bet either. CISA, the U.S. Cybersecurity and Infrastructure
Security Agency, yesterday issued an alert on the resurgence of TrickBot, the Trojan that was
identified back in 2016. The criminals using TrickBot are distributing it through highly targeted phishing emails.
TrickBot was originally a banking trojan, but it's now evolved into an adaptable multi-stage
piece of malware. Once it's in the victim's systems, TrickBot is used to drop other malware,
often either Ryuk or Conti ransomware, or to serve as an Emotet downloader.
The alert, prepared in partnership
with the FBI, contains an extensive list of signatures and an equally extensive list of
recommended steps for mitigation. Speaking of the FBI, the FBI's Internet Crime Report for 2020
is out. Phishing retains its position as the leading form of criminal activity.
Losses to all varieties of Internet crime were high, officially a bit north of $4.2 billion.
And that's real money in anybody's book.
The U.S. House Energy and Commerce Committee yesterday pressed federal agency leaders for details on the scope of Holiday Bear's compromises of SolarWinds, the Hill reports.
A parallel Senate inquiry suggests, according to CSO,
that U.S. organizations are generally unprepared for such supply chain attacks.
The Washington Post describes how the Senate Homeland Security Committee's investigation
is expected to continue today with an inquiry into how such attacks might be prevented.
Security firm Radware has added its warning to those in circulation about exploitation of Microsoft Exchange Server.
Publishing its findings in ITWire, the company says it assesses the threat as critical
and it doesn't think the threat is confined to any geographical region or economic sector.
While it began, as is now generally known,
as a Chinese government cyber espionage operation going after governments,
pharmaceutical research and development organizations,
and research institutions generally, including corporate research arms,
the exploitation last week had clearly been added to the capabilities of criminal gangs.
The crooks have added ransomware and cryptojacking to information theft,
and their operations are indiscriminate, opportunistically hitting a range of sectors in most parts of the world.
Tracking the way in which Exchange Server exploits have spread, DomainTools' Joe Slowik tweeted an interesting graphic that summarizes the known
and suspected threat actors involved in Exchange Server exploitation. It divides the actors'
operation into initial exploitation, pre-disclosure share, immediate opportunistic exploitation,
and lagging opportunistic exploitation. The lagging opportunistic exploitation is the activity
Radware is talking about. Another point about lagging opportunistic exploitation
is that it often follows the public release of a patch. Microsoft moved up its scheduled patch
of the Exchange server zero days when it became clear that Hafnium was exploiting them in an
unusually restrained way,
and the exploits quickly found their way into other hands.
At the second session of the 7th Annual Virtual Cybersecurity Conference for Executives,
hosted by Ankura and Johns Hopkins University Information Security Institute,
which we attended yesterday,
we heard Avi Rubin, Technical Director of the JHU Information Security Institute,
discuss controls that can reduce an organization's risk. Timely patching, he rightly pointed out,
is important, especially when it can be done before the vulnerability being fixed has been discovered and weaponized by the bad actors. But releasing a patch inevitably brings exploitation
of unpatched systems in its train.
The risk associated with a vulnerability rises significantly after a patch has been released,
since the patch allows attackers to hone in on the vulnerability and create an exploit.
Rubin said, quote,
There's a race against time as to when the patch is distributed.
If you don't apply the patch, you're much more vulnerable than before it was even patched in the first place, end quote. Patching isn't always as straightforward as we
might think it, but all things being equal, better to patch sooner than later. You'll find our report
of the conference's second session on our website. Deputy National Security Advisor for Cyber
Anne Neuberger outlined the federal response to the various campaigns, both criminal and state-directed, against vulnerable Microsoft Exchange Server instances.
She, too, emphasized the importance of patching and stressed the government's willingness to help the private sector, including small businesses, deal with the threat.
Crypters are now becoming a commodity in the cyber underworld's criminal markets.
Two security companies have been devoting
some research attention to crypters,
modules that help malware evade detection.
Avast has released its study of OnionCrypter,
and Morphisec has an account of HCrypt,
an active crypter-as-a-service operation.
And finally, there are a few more notes
from the underground.
Economic hardship has driven an influx
of newbies into the dark web's
underworld, a study by security
firm Check Point finds.
One depressing trend, it used
to be the gangs who did most of the
advertising on the criminal job boards.
Now it's the job seekers. As Check Point writes,
quote,
However, it looks like the tables have turned.
From the beginning of 2021, we noticed that there was an increase in the number of individuals taking the initiative to send out ads seeking work.
In fact, we started observing 10 to 16 new ads being placed monthly in select hacking forums, end quote.
Some of it's greed, some of it's desperation,
but whatever's driving people to tell the hoods that they're willing to be recruited,
it looks like a long-term shift in the underworld.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together. Head to salesforce.com slash careers
to learn more. Do you know the status of your compliance controls right now? Like right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
During this time of pandemic lockdown, my teenage son has been spending a lot of time online gaming.
It has become the primary way he gets to socialize and hang out with his friends.
That's all good, but of course there are security concerns. Those games aren't free, and we've got our credit card information filed into
his account. Bob Shaker is head of gaming at Norton LifeLock and an avid gamer himself. He and
his team recently published their gaming and cybercrime study, and Bob Shaker joins us with
the results.
I think we're beginning to see a positive shift in the way gamers think about security.
But in this study that we did with the Harris Poll, and we did this across several countries, the US, UK, Australia, Germany, New Zealand, we found there's still a gap between what gamers understand about the cyber risks that pertain to them and their likelihood of being attacked and what really could happen.
And what we thought was interesting about this was how many of them had already been hacked
and yet still had that somewhat of a gap in there.
And that was over 2,000 gamers that we included.
Well, what are some of the specific ways that gamers are targeted?
What are their particular vulnerabilities?
Gamers are targeted in a few different ways that really everybody is targeted,
except that there's a bigger landscape when you're a gamer.
So for like a phishing attack or a fake website that's promising,
you know, we're going to give you the best, newest, latest skins
for this new game, click here, and, you know, we'll hook you up. Those still exist, but with
gamers, the landscape expands because we have access to tools that the average non-gamer doesn't
use, like Discord or Twitch or, you know, some of the deeper Reddit boards about gaming, where because gamers have this
competitive nature, in Discord, I can set up an entire server all about getting the latest and
greatest cool things that you need for whatever game that I create the server about, and then
start sending invitations. And because it's inherent in
most gamers to trust Discord, they have a tendency to trust Discord servers. And, you know,
when you look at the gamer demographic, it's very broad. I mean, gamers can start... look at my kids. My
kids started gaming when they were, you know, tiny, three years old. We'd be playing together. But gamers go all the way up into the 60s, 70s age range. But when you look at the crux of gamers, you start getting into that 12 to 35 range, and you get a lot of people who haven't experienced cyber attacks and get let in. So, you know, young people are trusting of Discord.
They see a new Discord server invite come their way, join, we're going to help you get the latest
game skins. They join the server. They say, hey, get your friends to join. Here's a link. Click on
this link to get the invite. The link downloads malicious software onto their machine. They then spread that link to their friends and it perpetuates through the ecosystem of their friend network.
that gamers don't really believe that they'll be attacked,
don't believe they have anything worth taking,
and are susceptible to the ecosystem of playing games, which can be very costly,
and looking for advantages in in-game items
that they may not have to spend money for.
That's Bob Shaker from Norton LifeLock.
You can find their gaming and cybercrime study on their website.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Robert M. Lee.
He is the CEO at Dragos.
Rob, it's always great to have you back. You know, it's been a couple of weeks since the trouble that Texas had went down with the unprecedented cold temperatures and the strains that that put on their ability to deliver electricity and various critical infrastructure things.
And I wanted to check in with you to see what some of the broader things that you've been thinking about here in terms of,
are there lessons to be taken from this when it comes to things like availability?
Yeah, no, absolutely.
So I think in Texas specifically,
it's too early to really be assigning blame
and fully understand the event.
And I'm not saying that there won't be a blame
and there won't be some considerations.
But what I would coach everyone to look towards
is when these types of things happen,
whether it's a safety event in a chemical plant
and the chemical safety board gets involved
or a transportation issue or whatever, or in this case, electric, a number of different organizations do get involved and do really detailed studies of what exactly went wrong and what was the cascading effects and similar.
FERC came out and had a really detailed study of the blackouts in the early 2000s
that led to some of the NERC CIP regulations
and regulatory standards.
It's very common for our engineering
and operations community to deeply dig in
and get root cause analysis and share out those insights.
What I'm looking for is,
what does this mean to the broader United States?
Because we have a changing energy portfolio.
We have aspects of climate change
that are making impacts, undoubtedly,
but we also have a changing energy portfolio.
What I mean by that is we're offloading
a lot of fossil fuels like coal.
We're bringing up a lot of natural gas.
Natural gas takes up more energy,
is the source of more energy production
in the United States now than ever before.
We're also thinking about bringing nuclear back some.
We're also talking about green energy plans from the Biden administration
and distributed energy resources like solar farms and wind farms and similar that we bring online
and electric vehicle chargers and so forth and so on and so on.
So we have all of these massive changes happening all at once and in a relatively short amount of time.
So it is appropriate to look at what went wrong and what can inform what we're doing in the future.
And it's going to relate to grid stability and modernization.
It's going to relate to better analytics and understanding of the data.
It's going to relate to grid storage and battery storage.
It's going to relate to not being over-dependent on any one energy resource.
It's going to relate to the operators of the grid and the reliability coordinators and what their role is.
There's going to be a lot of, I think, good takeaways to learn.
And one of the things I love about especially the electric community is they deeply study these things and look at the studies.
And they are very thoughtful with applying lessons learned.
You don't have to go coach them to apply it. They will all be digging into this and doing that.
And so I think that's what I would recommend folks to look for is the reports that come out of this.
And I would take away some confidence that the utilities themselves are most certainly going
to be digging into these.
What about things like climate change? I mean, I don't think it's unrealistic for
folks to think that, you know, if my local Home Depot in Dallas isn't fully stocked up on snow
shovels, you know, like that's an unreasonable thing. You know, we have the historic weather
patterns, but we can't really rely on those the way we used to. It seems like not only
are things changing, but the rate of change is increasing as well.
Yeah, for sure. I mean,
climate change, it's always funny. It becomes like a political topic. I don't know why.
There's no political topic here. Climate change is happening. End of story. If you don't like that,
that's fine. Please go buy a diesel generator. Let's not talk about grid discussions.
But for the rest of us, climate change is happening
and it's impactful and it is not unreasonable
that Texas did really not think they were going to get into
extended zero degree temperatures.
That's not unreasonable.
They didn't think about that.
However, as we know things are changing now,
is it reasonable to go forward and say,
well, what kind of events do we want to prepare for?
And if those kind of breaks take place, if it happens that we get to zero degrees Fahrenheit and we're not prepared for that,
then what is the plan ahead of time to make sure that we know how to work across our utilities to make sure that we don't burn out transformers as recycling power so that recovery takes weeks longer than it should
and things like that.
So whether or not it's unreasonable to prepare,
I think we can still prepare in some way.
But I would actually say I don't think it's really unreasonable
to prepare at all.
And there's already mechanisms in rate recovery
and resourcing the government, et cetera,
to do what the utilities think is the right call.
They obviously didn't think it was the right call in this case. We should understand their logic
before we cast any blame yet. Once we
understand their logic of why they thought that, then we should look to figure out
what we can amend and do better in the next time.
All right. Well, Robert M. Lee, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Kelsey Bond, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Vilecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Ivan,
Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.