CyberWire Daily - Ransomware and privateering, counteroffense and deterrence. The US State Department will reestablish its cyber office. And looking forward to Halloween.
Episode Date: October 26, 2021
Notes on ransomware and privateering: Conti’s barking at its victims, someone’s exploiting billing software, and BlackMatter repeated some coding errors its DarkSide predecessor committed. GCHQ suggests that the UK will undertake a more assertive imposition of costs on cyber gangs. The US State Department will reestablish its cyber bureau. Software supply chain cyberespionage, and what can be done about it. Ben Yelin on school laptop privacy concerns. Our guest is David White of Axio to discuss Ransomware Preparedness. And some more scare-notes for Halloween. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/206
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Notes on ransomware and privateering: Conti's barking at its victims, someone's exploiting billing software, and BlackMatter repeated some coding errors its DarkSide predecessor committed.
GCHQ suggests that the UK will undertake a more assertive imposition of costs on cyber gangs.
The U.S. State Department will reestablish its cyber bureau. Software supply chain cyber espionage, and what can be done about it.
Ben Yelin on school laptop privacy concerns, our guest is David White of Axio to discuss ransomware preparedness, and some more scare notes for Halloween.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, October 26th, 2021.
There's more out today on the ransomware front.
The Conti gang, whose smug, self-righteous protestations that they're actually the good guys, that's it, that's right,
practically freedom fighters or something like that,
we heard about yesterday in its valediction forbidding law enforcement,
may have changed its business model.
Krebs on Security has a discussion of
the Conti ransomware gang's decision to sell either victims' data or access to victims' networks.
It's not clear which exactly, but they want the victims to know that those who don't pay
are in big trouble. The gang recently posted a note that reads, in part,
quote, If you are a client who declined the deal and did not find your data on Cartel's website
or did not find valuable files,
this does not mean that we forgot about you.
It only means that data was sold
and only therefore it did not publish in free access.
End quote.
The hoods go on to say,
quote,
We are looking for a buyer to access the network of this organization
and sell data from their network, end quote.
So the communique or threat Conti posted is ambiguous
with respect to what precisely is being offered for sale.
Are they selling data or are they getting into the access broker business?
But is this tactical ambiguity, or is it a why-not-do-both strategy,
or is it simply poor idiomatic control?
Maybe all three.
Whatever the case may be, Conti hopes to punish uncooperative victims.
Publicly naming the companies whose access one hopes to sell
would seem to be self-defeating.
One possible explanation might
be that the gang is itself feeling the hot breath of law enforcement on its neck.
Emsisoft, for one, speculated to Krebs on Security that Conti may be considering an exit.
Conti's shift in strategy comes days after the gang issued a self-righteous and puerile
valediction for REvil, taken down last week by a coordinated international law enforcement action.
In Vice's account, Conti argues that ransomware is good, somehow,
but their argument amounts to little more than an implausible denial.
The U.S., you see, is really pushing ransomware when it takes down criminal servers.
We suppose that's one way of looking at it.
Other ransomware operators are exploiting known vulnerabilities
in BillQuick billing software to distribute ransomware,
BleepingComputer reports.
Huntress Labs has an account of the vulnerabilities.
Reports indicate that some are fixed.
Fixes are in progress for others.
Security firm Emsisoft has been able to take advantage of
slovenly coding by the BlackMatter ransomware gang to damage the gang's operations by enabling
victims to recover files without paying ransom. BlackMatter represents a rebranding of the
DarkSide gang, and Emsisoft found that the reorganized gang had repeated a coding error that its
predecessor had committed. That error enabled Emsisoft to quietly help BlackMatter victims.
While Emsisoft kept its discovery of the flaw quiet, others who came across it did not,
and BlackMatter upped its game and fixed the problem. But Emsisoft says it continues to keep
an eye out for other criminal missteps,
and it encourages its colleagues and partners to do the same.
The UK, normally tighter-lipped about such matters than its transatlantic cousins,
has made public representations to the effect that Britain's relatively young national cyber
force, established last year, would undertake offensive cyber operations
to disrupt the infrastructure used by criminal gangs. GCHQ Director Fleming, speaking virtually
at yesterday's Cipher Brief conference, indicated that more needed to be done to impose costs on
criminal actors, and that the National Cyber Force could be expected to play a role in doing so.
The U.S. State Department, the Wall Street Journal reports, will re-establish its Cybersecurity Bureau
to enhance its ability to coordinate diplomatic measures in support of national cyber policy.
The Wall Street Journal reports that Secretary of State Blinken is expected to announce the newly reconstituted office later this week.
Security firm Mandiant, which has been tracking software supply chain attacks of the kind Microsoft announced at the beginning of the week,
has offered advice on how organizations can remediate attacks and harden their systems against the threat.
Whatever successes law enforcement,
intelligence, and military organizations have recently enjoyed against Russian ransomware privateers, there seems to have been no corresponding success against Russian intelligence
agencies. The Hill sees the high op tempo and relatively brazen Russian cyber espionage
directed toward the compromise of software supply chains as evidence
that U.S. efforts at deterrence have so far not succeeded in restraining activity of the Russian
government proper in cyberspace. Espionage is more difficult to deter than is kinetic warfare.
Mandiant's vice president of intelligence analysis John Hultquist told The Hill,
quote, they have intelligence requirements that
they are tasked with fulfilling, and they are unlikely to be deterred from doing that. That's
their job. Until they think that they are not being spied on, Russia's not going to give up
espionage. End quote. And finally, yes, we're reminding you that Halloween is almost here.
The scary season stats today come courtesy of DivvyCloud.
The clouds they see are, of course, of the virtual cyberspace kind,
but they can be dark, roiling, and transitional.
Organizations, DivvyCloud says, are running 40% of their workloads
in the cloud. 89% of them are in various stages of cloud adoption or plan to adopt within the next
year. But more than a third of them aren't sure which standards apply to the governance of their
organization's cloud and container environments. And who goes into the cloud? The way teenagers in a horror movie go into an empty house?
Developers and engineers do, and organizations embrace self-service cloud access for them to
fuel innovation, the way indulgent adults hope to allow the horror movie teenagers a couple of hours
to have a good time. Potential security and compliance complications emerge,
the way silent, lumbering, menacing figures do from the horror movie fogs. And are the companies
concerned? Yes, yes they are. 74% of them say they're moderately or highly concerned about the
security of the public cloud. Can you do something about it? Yes. Yes, you can. Following best practices in the
cloud and sound digital hygiene are the cyber equivalent of, well, turning the lights on in
that dark house, which is even better than carrying some garlic around with you.
Pretty scary, kids, so happy Halloween, and again, let's stay safe out there.
David White is president at cyber risk management firm Axio. I caught up with him for insights from their recently published 2021 State of Ransomware report.
I think that the top three findings are deficiencies in privileged
access management, and the number two is deficiencies in privileged access management,
and the number three is probably deficiencies in privileged access management. So I think that's
the big finding. You know, we saw in the data, and we believe the data, so we believe this data to be better than survey data because these are assessments that people are completing out of their desire to improve their internal preparedness for a ransomware event, which is something we're all concerned about.
And so we believe the data is very good.
On privileged access management, 80% reported that they have not implemented a privileged access management solution or PAM solution, which is an emerging and important technology for managing privileged access.
But I think for me, even more concerning than that is that 63% reported that they have not implemented multi-factor authentication for privileged access. So that sort of first step of implementing multi-factor authentication seems to be something that a lot of folks are missing.
Yeah, I guess it's surprising, discouraging that we aren't farther along with that.
Yeah, well, I think that, look, the job of any cybersecurity team is really challenging. And there's a big
drive and has long been a big drive in the community to implement more and better technology.
And I think what our study indicates is that people are missing some of the basics. And we
suspect that they may be missing the basics by the drive to continue to implement new technologies.
Now, the privileged access management runs counter to that.
That's part of how we're trying to make sense out of what we're seeing.
You know, another big concern with privileged access is service accounts.
And we found that 64% are not auditing the use of privileged service accounts. But we also know that ransomware attackers have gotten really adept over the past 18 months at pivoting and escalating privilege to secure domain admin credentials.
And once they have those domain admin credentials, they can leverage the extraordinary power of Active Directory to amplify their attack, amplify their access, amplify their injury to the organization.
And so locking down privileged accounts and service accounts are key controls that a large
number of folks seem to be lagging on at this point in time. One of the things that struck me
as I was going through your publication was you touched on user awareness training and how
we still have some progress
to be made there as well.
There's good and bad news there, right?
We saw that 50% of people are training,
implementing training and awareness programs
around phishing and doing anti-phishing tests
in their organization,
but that means 50% aren't.
So we're halfway where I think we should be.
So based on the information that you have gathered here, what are your recommendations? What sort of things should
people be putting in place here? Well, we think that clearly folks need to take a very close look
at how they're managing privileged credentials. Everything from administrator access on user endpoints to those most precious privileged credentials, the domain admin accounts.
And so our number one recommendation is more rigor is needed around privilege access management.
Supply chain risk, as we've talked about, key element. We also found a large number of, a large percent of folks have not implemented a
ransomware recovery playbook as part of their incident response. And given that, you know,
I think it was ThreatPost who just said that in the first six months of 2021, we've seen
150% increase in ransomware events compared to 2020. So ransomware continues to grow.
And one of the keys to limiting
organizational impact is recovering quickly. So being able to respond with a competent and
prepared incident response team is critical. So it's really important that people develop that
incident response muscle for ransomware so they know what to do if they have that unfortunate day.
That's David White from Axio.
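A practical check behind White's point about auditing the use of privileged service accounts, as an added example that is not from the Axio report or the podcast: it runs over constructed Windows Security log records (assumed to have been exported from event ID 4624, successful logon, into dicts with the fields shown), uses a hypothetical inventory of which hosts each privileged service account is allowed to run on, and flags two patterns that a legitimate service account should never produce: an interactive or RDP logon (someone is typing with the service credential, which is how stolen service passwords are typically reused to pivot toward domain admin) and a logon on a host the account was never approved for.

```python
"""Audit privileged service-account logons from Windows Security log records.

Added example, not the Axio report's or the podcast's code. Assumes 4624
(successful logon) events have been exported into dicts carrying
TargetUserName, LogonType and Computer. All sample records are constructed.
"""

# Microsoft-documented LogonType values for event ID 4624.
LOGON_INTERACTIVE = 2          # console logon
LOGON_NETWORK = 3              # SMB, remote WMI, etc.
LOGON_BATCH = 4                # scheduled task
LOGON_SERVICE = 5              # Windows service start
LOGON_REMOTE_INTERACTIVE = 10  # RDP

# Hypothetical inventory (assumption): privileged service account -> hosts it
# is approved to run on. In a real estate this comes from the PAM system or CMDB.
SERVICE_ACCOUNTS = {
    "CORP\\svc-backup": {"BKP01", "BKP02"},
    "CORP\\svc-sql": {"SQL01"},
}

REASON_INTERACTIVE = "interactive logon by service account"
REASON_UNAPPROVED_HOST = "logon on unapproved host"


def _short_host(computer):
    """Normalise 'bkp01.corp.example' / 'BKP01' to 'BKP01' for inventory lookup."""
    return computer.split(".")[0].upper()


def audit_service_logons(records):
    """Return one finding per policy violation.

    Policy: a privileged service account never logs on interactively (console
    or RDP), and logs on (service, batch or network) only on its approved hosts.
    Accounts not in the inventory are out of scope and ignored.
    """
    findings = []
    for r in records:
        account = r["TargetUserName"]
        if account not in SERVICE_ACCOUNTS:
            continue
        host = _short_host(r["Computer"])
        logon_type = r["LogonType"]
        if logon_type in (LOGON_INTERACTIVE, LOGON_REMOTE_INTERACTIVE):
            reason = REASON_INTERACTIVE
        elif host not in SERVICE_ACCOUNTS[account]:
            reason = REASON_UNAPPROVED_HOST
        else:
            continue
        findings.append({"account": account, "host": host,
                         "logon_type": logon_type, "reason": reason})
    return findings


def count_by_reason(findings):
    """Summarise findings as {reason: count} for a quick triage view."""
    counts = {}
    for f in findings:
        counts[f["reason"]] = counts.get(f["reason"], 0) + 1
    return counts


# Constructed sample export: two clean service starts, one clean scheduled task,
# one RDP session using a service credential, one network logon to a host the
# account is not approved for, one interactive logon on an approved host, and one
# ordinary user logon that is out of scope.
SAMPLE_RECORDS = [
    {"TargetUserName": "CORP\\svc-backup", "LogonType": LOGON_SERVICE, "Computer": "bkp01.corp.example"},
    {"TargetUserName": "CORP\\svc-sql", "LogonType": LOGON_SERVICE, "Computer": "SQL01.corp.example"},
    {"TargetUserName": "CORP\\svc-backup", "LogonType": LOGON_BATCH, "Computer": "BKP02"},
    {"TargetUserName": "CORP\\svc-backup", "LogonType": LOGON_REMOTE_INTERACTIVE, "Computer": "WS-ADMIN07"},
    {"TargetUserName": "CORP\\svc-sql", "LogonType": LOGON_NETWORK, "Computer": "FS01.corp.example"},
    {"TargetUserName": "CORP\\svc-sql", "LogonType": LOGON_INTERACTIVE, "Computer": "SQL01"},
    {"TargetUserName": "CORP\\jdoe", "LogonType": LOGON_INTERACTIVE, "Computer": "WS-ADMIN07"},
]

if __name__ == "__main__":
    found = audit_service_logons(SAMPLE_RECORDS)
    for f in found:
        print(f"{f['account']} on {f['host']} (type {f['logon_type']}): {f['reason']}")
    print(count_by_reason(found))
```

The interactive check is evaluated first on purpose: an RDP logon with a service credential is a finding even on an approved host, because the approved-host list describes where the service runs, not who may type its password. Feeding the same function a daily 4624 export and diffing the findings against the previous day is a cheap substitute for the formal service-account review that 64% of the surveyed organizations said they do not perform.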
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast.
Hello, Ben.
Hello, Dave.
Interesting story from the folks over at Wired.
This is written by Sidney Fussell,
and it's titled, Borrowed a School Laptop? Mind Your Open Tabs. What's going
on here, Ben? So starting in March of 2020, many school-aged children in the United States had to
switch to remote learning. Luckily, most schools are back in person. That's not true for every
school, but at least at some point over the last year and a half, students ages 5 through 18 were required to have a device at home.
Many students who are of greater socioeconomic status had their own laptops, their own private
laptops. Their parents bought them. It wasn't a problem. It was a seamless transition. This was
not true for millions of students across the country. They did not have these devices. They
would not be able to engage in virtual learning unless they were given a device.
So schools were able to provide these devices to young children, which is great. That's the only way they can sustain virtual learning. Unfortunately, what this article uncovered
is that many of those devices came with student monitoring software. This particular software is
called Securly, and this software lets teachers see a student's screen in real time
and allows the teacher to close tabs if they believe that the student is off task or is not paying attention.
And so there was a limitation on how many tabs could be open when schools were employing the software.
And they limited it at first to two tabs.
So the hook in this article—
Wait, stop. Hold on. Two tabs?
Two tabs.
Two tabs?
Yeah. I don't remember the last time I had a browser open with fewer than—
I'm sitting here looking at my browser right now. So, two dozen, maybe?
Yeah, I mean, it's an insane restriction, and the hook in this article makes it clear.
There was a student who was trying to do a social studies research project.
They were looking at a bunch of different sources.
So naturally, the student was opening up a bunch of different tabs.
And these tabs just kept closing mysteriously on him.
So he wasn't able to complete his research.
Yeah.
The upshot of this is, as the Center for Democracy and Technology said, this is creating kind of a two-tiered system.
For students whose parents are able to purchase laptops who don't have to use school-issued devices,
they have carte blanche as to the type of research they can do,
as to what they can do during school hours if they're engaged in virtual learning.
And students who are of a lower socioeconomic status are being monitored by
school administrators or teachers. And of course, lower income households are going to be far more
likely to use these school-issued computers. And they, you know, are subject to these surveillance
tactics and these tracking tactics. I think that is fundamentally unfair. I mean, I think there should be some level of
equity between students who are issued school-provided devices and those who've had
their devices purchased by their parents or at home. That's a good, reasonable, actionable goal.
And I think school systems should think twice about whether it's really worth it to deploy
this type of surveillance technology,
whether that's really going to be something that improves the user experience of these students
or if it's going to be something that's unduly restrictive.
Yeah, and I mean, maybe give the teachers more leeway in what happens.
You know, like if I'm a teacher and I see that a kid has a bunch of tabs open,
but I can also see that those tabs support the homework that the kid's doing, well, no problem, right? But if I see the kid off task during class, you know, watching YouTube or something, well, then that's different.
And, you know, teachers have their hands full, but I guess don't set the absolutes in the software here.
Give the teachers the ability to dial in what works best for them
in their classroom and their teaching style.
I think that's absolutely right.
And, you know, I think after this technology was first deployed
and they realized that the two-tab limitation was somewhat ridiculous,
they did make a change to make it a five-tab limitation.
I think, which is still too low. I think the changes should be
broader than that. One of the concerns that's a little bit more significant and goes beyond the
technology is we know that there have been inequities in school discipline. We know that
students of color, for example, students of lower socioeconomic status are more likely to face
suspensions, expulsions. That helps to contribute to what's
called the school-to-prison pipeline. We don't want to create a scenario in which one student
who has a private device, somebody of means who can afford their own device, is goofing off during
class and doesn't face any disciplinary action. Whereas the student of lower socioeconomic status
who's doing the exact same thing,
you know, checking his fantasy football team,
is subject to suspension or expulsion.
I think that's an end result that we certainly want to avoid.
Yeah.
You know, interesting, just personal anecdote here.
My kid just started high school,
and we live in a county that has a good amount of resources, a well-funded community in terms of our school system.
And so they provided laptops to kids who needed them.
And my son was all set.
He already had his own machine, didn't need one. But we had friends in the school system who said, no, please, even if you don't need it, go get that laptop.
Because I guess there's some sort of use it or lose it kind of thing when it comes to this sort of thing.
If they're offering you a free laptop, you take it, right?
Well, but I think also it lets them report back that we've used these many laptops.
And so we get funding to support this many laptops and that sort of thing.
So, you know, on the one hand, I get it, and, you know, we got the laptop,
and he does use the laptop from time to time,
but on the other hand, it's like, I didn't really need the laptop.
Yeah, now if it's going to be used for monitoring, you know,
and this type of surveillance, some parents are going to be more concerned about that than others.
And I don't want to suggest that there's no interest in trying to keep students on task.
I think certainly, especially younger children, there is a governmental interest in having proper teacher supervision.
My ultimate hope is that this can become relatively moot as we get
back into in-person learning. But if we are going to be in a world of virtual learning,
it probably will happen again. I think this is certainly an issue worth monitoring. And I think
it's kind of just a cost-benefit analysis. Yeah. And I have friends who are teachers,
and they made the point that when we were completely virtual, teachers were not allowed to insist that students turned on their cameras because it's a privacy issue.
Teachers were not entitled to look into that kid's home.
I think that's perfectly reasonable.
Yeah, absolutely. I mean, I was instructed the same teaching law classes that, you know, it can affect your class participation grade if you decide to turn off your camera.
Because this is, you are potentially viewing something personal when you're looking into somebody's home.
Right.
And you don't know what's going on there.
Right.
Yeah.
Interesting times, right, Ben?
It sure is.
We live in very interesting times.
As the kids say,
this might be the worst timeline.
Well, Ben Yelin,
thanks for joining us.
Thank you.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karp, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett
Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave
Bittner.
Thanks for listening.
We'll see you back here tomorrow.