CyberWire Daily - Ransomware: DarkSide, Avaddon, and Babuk. 5G threat vectors. Cryptojacking unpatched Exchange Servers. Bogus Chrome app. An espionage trial approaches sentencing.
Episode Date: May 11, 2021
Updates on the DarkSide ransomware attack on Colonial Pipeline. Other ransomware strains, including Avaddon and Babuk, are out, and dangerous. Guidelines on 5G threat vectors. Lemon Duck cryptojackers ...are looking for vulnerable Exchange Server instances. A bogus, malicious Chrome app is circulating by smishing. Ben Yelin examines an online facial recognition platform. Our guest is Mathieu Gorge of VigiTrust on the privacy risks of video and audio recordings. And an update on an espionage trial. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/90 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners,
today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Updates on the DarkSide ransomware attack on Colonial Pipeline.
Other ransomware strains, including Avaddon and Babuk, are out and dangerous. Guidelines on 5G threat vectors. Lemon Duck cryptojackers are looking for vulnerable Exchange Server instances. A bogus, malicious Chrome app is circulating by smishing. Ben Yelin examines an online facial recognition platform. Our guest is Mathieu Gorge of VigiTrust on the privacy risks of video and audio recordings,
and an update on an espionage trial.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary
for Tuesday, May 11th, 2021.
The U.S. FBI confirmed yesterday that the DarkSide ransomware gang was indeed responsible for the
ransomware attack on Colonial Pipeline.
President Biden, while stopping short of calling out the Russian government as having directed the attack, did say that Moscow bore some level of unspecified responsibility. The president said,
quote, so far there is no evidence from our intelligence people that Russia is involved,
although there is some evidence that the actor's ransomware is in Russia. That quote via the Washington Post.
Amid reports of spiking fuel prices in parts of the eastern U.S., the U.S. administration also sought to ease concerns about fuel costs.
Officials also shared their hope that Colonial Pipeline might be able to substantially
restore service by week's end. Colonial is said to have been able to restore some service,
but recovery remains in progress. Colonial Pipeline's corporate website was inaccessible
early this morning. DarkSide isn't the only ransomware gang presenting an active ongoing
threat. The Australian Cyber Security Centre and the U.S. FBI have warned,
Bleeping Computer reports,
that the Avaddon threat group is active against targets worldwide.
Like DarkSide, Avaddon operates as an affiliate network.
Its ransomware-as-a-service offerings have, the ACSC says,
been active against targets in at least 20 countries, mostly Western and
developed, but including China and excluding Russia, across 17 sectors. Avaddon wants, on
average, $40,000 from a victim, payable, naturally, in Bitcoin. The crooks promise, honest, to provide
the Avaddon general decryptor in exchange for the ransom. The ACSC also recommends
the following familiar best practices. Patch operating systems and applications, and keep
antivirus signatures up to date. Scan emails and attachments to detect and block malware,
and implement training and processes to identify phishing and externally sourced emails. Maintain offline, encrypted backups of data, regularly test your backups,
regularly conduct backup procedures, and keep backups offline or in separated networks.
The Babuk ransomware gang may also have resurfaced.
TechNadu reports that its ransomware has targeted Japanese power tool manufacturer Yamabiko.
The gang's leak site claims it's obtained half a terabyte of corporate-sensitive data.
Quote,
The hackers are presenting screenshots of accessed file systems, SolidWorks files, personal employee data, financial reports, testing diagrams, circuit schematics, etc.
Babuk, which recently counted coup against the Washington, D.C. Metropolitan Police,
has said that henceforth it won't bother encrypting victims' files.
That doesn't mean they've reformed, just that they're returning to data theft as their preferred method of extortion.
The U.S. Office of the Director of National Intelligence, CISA, and NSA
have published a study of the threat environment 5G technology will occupy.
Their analysis, designed to support the strategy outlined by the National Telecommunications and Information Administration, was conducted by [unclear] in 5G, standards, the supply chain, and threats to systems architecture, and includes an aggregated list of known and potential threats to the 5G environment, sample scenarios of where 5G may be adopted, and assessed risks to 5G core technologies.
Cisco Talos says it's determined that the Lemon Duck cryptojacking group has continued to turn its attention to vulnerable instances of Microsoft Exchange Server. Decipher
notes that the gang has adopted some new tactics, techniques, and procedures, several of them
intended to serve better obfuscation. Pradeo warns that a new sophisticated smishing campaign impersonates a Chrome app.
Victims are asked to pay a small fee to release a package that's been shipped to them.
Should victims install the link provided, they are invited to update Chrome.
The update is, of course, malicious and installs malware that further disseminates the smishing.
And finally, Stars and Stripes reports that U.S. federal prosecutors have asked for a sentence of 17 years in the case of Peter Rafael
Dzibinski Debbins, a former U.S. Army Special Forces officer. Mr. Debbins took a guilty plea last
November to a charge of participating in an espionage conspiracy with Russian agents between December 1996 and January 2011.
Although Mr. Debbins left the Army under a cloud in 2005,
after being removed from command over what Stars and Stripes characterizes as violating protocols while serving in Afghanistan,
he worked for several years as an intelligence contractor.
His contact with the GRU went back to his days as an ROTC cadet at the University of Minnesota.
It seems remarkable that he retained his access to classified material as long as he did.
His contacts with the GRU came to light only after he failed a polygraph examination in 2019.
His attorney has asked for leniency on the grounds that Mr. Debbins suffered from
quote, psychological pathologies, end quote.
Mr. Debbins, who has family ties to Russia, said that he sought out intelligence work
because of his strong disapproval of the Russian regime
and a desire to change that regime from the outside.
In 2014, however, he said that he, quote,
embraced an occult belief in a system which I believed was my own god and thought I could conform to my will.
I created an imaginary advisory council of current and historical figures
to guide and assist me.
Instead of changing Russia, I descended into insanity,
unable to distinguish between reality and fantasy.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose,
and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and help you get security
questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
The recent data breach at video surveillance and security platform provider Verkada
brought to light issues with both third-party risk and how
companies should be considering their care and storage of video assets.
Mathieu Gorge is CEO and founder of VigiTrust,
an integrated risk management software-as-a-service solutions provider,
and author of the book, The Cyber Elephant in the Boardroom.
I think that every company is a target.
And the issue with video is oftentimes not covered the right way
by security and compliance people.
And unfortunately, it doesn't necessarily make it to the priority list.
So I wasn't really surprised. And I actually expect that we're going
to see more of that in the next few months. Can you dig into why you think folks don't
treat security the way they do some other issues in terms of the video?
Because I think that, you know, when you think about security, you think about cyber security,
generally speaking. So the security of your networks, the security right now of your remote workers with the pandemic, security of your servers and so on.
You don't necessarily think of the hidden threats or issues with video.
Let me give you a few examples.
If you've got video security within your system,
those systems are typically IP-enabled,
and you use them for physical security. You use them for maybe to track where people are going
or how many people come into your business,
especially in retail and so on.
And all of that data ends up on your network. And yet,
because it's not seen as personal data like credit card holder data or health data, it's not actually
being treated as such. The issue with that is that you end up with geolocation data, you end up with biometric data,
you also end up with potentially some data pertaining to documents.
And an example of that is, especially in government or in semi-state,
where you go in, for instance, to get your driver's license,
you go to the till and you're asked for a copy of your ID,
maybe a credit card and so on.
And there will always be a camera somewhere
that if it's pointed the wrong direction
can actually capture copies of that information,
which ends up being on your systems,
ends up being backed up and somebody with access
and with malicious intent can actually replay it
and get access to your personal data. Another example would be, say, maybe a gym or a fitness
or a spa where people come in and when they go to reception, they give their credit card
and then the whole copy of the credit card is actually taken within the system.
Now, the funny thing, if I may, is that if you look at IVR, interactive voice recording, that always makes it onto an asset list within ISO 27001.
And ironically, the video systems don't.
So we think of audio systems in terms of contact centers and so on,
and we cover that data because it actually ends up on the systems,
and we know that it's managed by a computer system
and a program in the back end.
But for some reason, video doesn't make it.
That's Mathieu Gorge from VigiTrust.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's
why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses
worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast. Ben, always great to have you back.
Good to be with you again, Dave. Interesting article over on CNN Business. This is written by
Rachel Metz. It's titled Anyone Can Use This Powerful Facial Recognition Tool,
and That's the Problem.
Talking about an online service called PimEyes, P-I-M-Eyes.
What's going on here, Ben?
So this is an online service.
You can get some of its benefits for free.
Some of what they're offering requires a monthly or annual subscription.
You might actually get more by paying that subscription,
but I'll get to that in a second.
So basically how it works is you upload a photo of yourself
and you find any photo on the entire internet
that matches the photo that you've uploaded. So you can find out
what photos of you are out there on the internet for good and bad. And these can be photos,
good photos from your vacations, from graduations, from the website of your place of employment,
or it can be really negative things like potential pornographic videos. So it really
runs the gamut. There are a lot of risks inherent in this service.
One of them is that there's no way for the site to enforce
that you're uploading your own picture.
So you could potentially upload the picture of somebody else
and get all of the results, get their results
and see where their pictures are posted on the internet.
And you can imagine how this could be used for very nefarious purposes.
So if you're an online stalker and you want to know what the person that you're stalking
has been up to, then you can upload a photo of that person and they might gather that
person's photos from Twitter, Facebook, Instagram, social media, all in one location.
And that would actually give the
stalker access to pretty useful information. Now, there's nothing personally identifiable.
So there's no names that come with this photo. But, you know, there are tools you could use,
reverse Google image searches, etc., to put a name to the face. So that's not entirely foolproof.
There are major differences in the free version of this
and the paid versions.
So in the free version, you just get a bunch of pixelated images.
You might get a decent idea.
I mean, I might be like, oh, I recognize that.
I remember that picture of me on the internet,
that shirt I was wearing, et cetera.
But that's not going to offer you much information.
But if you pay a monthly fee of $29.99 a month
as an individual
then you can do this on a much larger scale
it gives you access to greater search features
and will make sure that it gets you images that are not pixelated
and then a business
and this is something that's kind of scary if you think about
could pay $300 and have the ability to do unlimited searches under this service.
So this article mentions the possibility that your employer uses it.
Maybe they've got a picture of you on their security cam when you came in for the interview.
They upload that photo and they find the time you partied in college with a six-pack in public when you were drinking as a minor.
And they decline you employment.
So I think there are potential good uses for this type of technology,
but also a lot of potential bad uses for this technology.
It's really interesting, though.
Well, let me tell you, I took one for the team here,
and I uploaded a picture of myself.
I uploaded my official CyberWire headshot from the website
just to see what would come up with the free version of the search here.
And sure enough, it found lots of pictures of me.
I'd say there are some pictures in here dating back to when I was in my 20s,
which is a long time ago.
You don't want to age yourself, but that was not yesterday.
Let's put it that way.
No, not yesterday.
I mean, that was really almost, well, I mean, pre-YouTube,
a lot of this stuff.
So that's an older picture.
But there's a variety of photos of me in different scenarios,
both pictures where I'm part of a group photo or I was at an event,
something like that, as you say.
But also of great interest to me is it lists a bunch of photos
that it categorizes as being lower score results,
and none of them are me.
It's a whole gallery of people who, I'll admit,
kind of look like me.
Just look like you?
Yeah, they look like me. I could see, you know, they could be related to me,
some more than others. So you can see how the algorithm would think, yeah, this might be Dave,
but it's not me. But yeah, fascinating. I guess, as you say, boy, the widespread availability of this is the thing, right?
Because there's no verification that the picture you're uploading is you.
It could be anybody.
So you could be a stalker or whatever and use this service to try to – it's all open source information.
It is open source information. Now, one thing that they mentioned in the article that could be a good use of this service is, you know, if you're a potential celebrity or somebody who thinks they've been the victim of revenge porn, if you do a search under the service, you could find out, you know, whether your image has been used in pornography.
And that could be a very useful mechanism without having to scour the entire internet.
So there's a lot of potential here.
It's just very ripe for negative consequences.
And I think it worries me,
potentially when we talk about stalkers
and potential employers.
We get into some pretty dangerous territory there,
in my view.
There's a picture of me here, and I'm wearing a tuxedo. I was emceeing an event, and I know
exactly what event it is. But what's intriguing is it has tagged it as a potentially explicit result.
Were you wearing a tuxedo or a birthday suit?
It was definitely a tuxedo. And you can't tell from this
photo, but I swear I was wearing pants. But here's the catch, right? If
I want to click through and find out the website on here that's potentially explicit, it's going
to cost me 30 bucks.
Yeah, that's how they get you.
So they get me. So I'm not gonna do it. But again, interesting article. This is over on
CNN Business. The article's by Rachel Metz, Anyone Can Use This Powerful Facial Recognition
Tool, and That's the Problem. The website is called PimEyes. Worth a look, I think. For
better or for worse, this is kind of the shape of things to come. I am discovering that there's one guy on the internet, because I did this search myself,
who apparently has very similar facial features to me.
Yeah.
Because I got like 30 versions of this person's photo.
So I'm going to have to meet this doppelganger in person someday.
That's right.
That's right.
Right.
Separated at birth.
All right.
Well, Ben Yelin, thanks for joining us.
Thank you.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan,
Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
...where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.