CyberWire Daily - Ransomware, doxxing, and data breaches, oh my! State fronts and cyber offensives.
Episode Date: May 15, 2023

Discord sees a third-party data breach. Black Basta conducts a ransomware attack against technology company ABB. Intrusion Truth returns to dox APT41. Anonymous Sudan looks like a Russian front operation. Attribution and motivation of "RedStinger" remain murky. CISA summarizes Russian cyber offensives. Remote code execution exploits Ruckus in the wild. Our guest is Dave Russell from Veeam with insights on data protection. Matt O'Neill from the US Secret Service on their efforts to thwart email compromise and romance scams. And espionage by way of YouTube comments.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/93

Selected reading.
Discord discloses data breach after support agent got hacked (Bleeping Computer)
Discord suffered a data breach after third-party support agent was hacked (Security Affairs)
Multinational tech firm ABB hit by Black Basta ransomware attack (Bleeping Computer)
Breaking: ABB confirms cyberattack; work underway to restore operations (ET CISO)
Black Basta conducts ransomware attack against Swiss technology company ABB (The CyberWire)
They dox Chinese hackers. Now, they're back. (Washington Post)
What's Cracking at the Kerui Cracking Academy? (Intrusion Truth)
Posing as Islamists, Russian Hackers Take Aim at Sweden (Bloomberg)
Anonymous Sudan: Threat Intelligence Report (TrueSec)
Uncovering RedStinger - Undetected APT cyber operations in Eastern Europe since 2020 (Malwarebytes)
Russian 'Red Stealer' cyberattacks target breakaway territories in Ukraine (Cybernews)
Russia Cyber Threat Overview and Advisories (CISA)
Known Exploited Vulnerabilities Catalog (CISA)
CISA Adds Seven Known Exploited Vulnerabilities to Catalog (CISA)
CISA warns of critical Ruckus bug used to infect Wi-Fi access points (Bleeping Computer)
Security Bulletins (Ruckus)
ROK union leaders charged with spying for North Korea in 'movie-like' scheme (NK News)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Discord sees a third-party data breach.
Black Basta conducts a ransomware attack against technology company ABB.
Intrusion Truth returns to dox APT41.
Anonymous Sudan looks like a Russian front operation.
Attribution and motivation of Red Stinger remain murky.
CISA summarizes Russian cyber offensives.
Remote code execution exploits Ruckus in the wild.
Our guest is Dave Russell from Veeam with insights on data protection.
Matt O'Neill from the U.S. Secret Service on their efforts to thwart email compromise and romance scams.
And espionage by way of comments on YouTube.
I'm Dave Bittner with your CyberWire Intel briefing for Monday, May 15th, 2023. Bleeping Computer reports that Discord,
the well-known voice-over IP and instant messaging social platform,
has experienced a data breach through the compromised account of a third-party support agent.
Discord says the exposed ticket queue of the support agent contained user email
addresses, messages exchanged with Discord support, and any attachments sent as part of the tickets.
The company quickly disabled the agent's account and did a malware sweep of the device.
Security Affairs reports that Discord is also working with its third-party support provider
to improve their cybersecurity posture
and prevent an incident like this from taking place again.
Discord told affected users that they believe the risk from the breach is minimal,
but that they advise vigilance against potential fraud or phishing attempts.
Swiss technology company ABB confirmed Friday that they are experiencing technical issues relating to a cyber attack.
Bleeping Computer reports that the Black Basta ransomware gang was behind the attack, but ABB has yet to confirm this.
The outlet reports that employees have noted that the attack has impacted the company's Windows Active Directory, affecting hundreds of devices.
ABB seems to remain mostly operational. An ABB spokesperson told ET CISO the vast majority of its systems and factories are up and running,
and ABB continues to serve its customers in a secure manner. The Washington Post reports that
Intrusion Truth, the anonymous bloggers who've made a specialty of exposing
Chinese Ministry of State Security's cyber operations, resurfaced last week to publish
an account of APT41's recent activities. In this case, it's a claimed expose of the MSS's
Kerui Cracking Academy, located in Wuhan. Mandiant describes APT41 as a China-nexus cyber espionage actor
focused on obtaining information that can provide the Chinese government and state-owned enterprises
with political, economic, and military advantages. It's less clear who Intrusion Truth is. The group
presents itself as a collection of hacktivists, but there's speculation that in fact they're a cybersecurity firm or an activity run by a Western intelligence service.
In any case, their reports have a good track record of confirmation by independent sources.
Anonymous Sudan, which represents itself as an Islamist Sudanese hacktivist collective, appears in fact to be a false flag operation of Russian intelligence services. Research published in February by the
Swedish cybersecurity firm TrueSec concludes that Anonymous Sudan is instead, in all probability,
a Russian operation directed at Sweden. Its aim is to interfere with Sweden's accession to NATO
using a mix of nuisance-level DDoS attacks and influence operations
directed at Sweden's Muslim minority and at Turkish public opinion.
The DDoS attacks, apart from the irritation they represent,
lend some plausibility to Anonymous Sudan's self-presentation as a hacktivist group.
DDoS, after all, is, along with website defacements, a common hacktivist tactic.
But TrueSec concludes that Anonymous Sudan displays both a detailed, close knowledge of
Sweden's political climate and a level of funding that far exceeds what's reasonably available to
genuine hacktivist groups.
The hacktivists, however committed they may be, and however good their day jobs are,
usually aren't able to afford pricey server rentals.
Bloomberg cites a professor of international relations at the Norwegian Institute for Defense Studies in Oslo,
who's seen the timing and organization of the attacks,
the hackers' knowledge of religious and political friction points in Sweden, and the attack's similarities
to other Russian influence operations, which led her to the conclusion that there was a Russian
intelligence affiliation. For its own part, Anonymous Sudan insists they're not Russian,
they say, but Russia has helped them in the past, and this is just their way of giving back.
A look at the sad ongoing violence in Sudan would suggest that this is implausible.
Actual hacktivists, especially actual Sudanese Islamist hacktivists, would have more immediate concerns than doing their Russian buddies a solid.
The Red Stinger campaign Malwarebytes described last week seems to have been active against both Ukrainian and Russian targets.
A discussion in Cybernews notes that while the APT group, which the outlet refers to as Red Stealer,
is known to have been active between 2020 and 2022 and seems to be Russian, its motivation is curious as it's collected against targets on both sides of Russia's war with Ukraine.
One possible explanation is that Red Stinger was interested in quasi-domestic surveillance
of officials in Ukrainian provinces illegally annexed by Russia.
The U.S. Cybersecurity and Infrastructure Security Agency has published
a collection of its studies of the Russian government's malicious cyber activities.
The most recent entry is last week's discussion of the Snake malware and its disruption by the
Five Eyes. The oldest entry goes back to December 29, 2016, and covers the GRIZZLY STEPPE operation conducted against U.S.
targets associated with the 2016 U.S. elections. It's noteworthy that CISA's compendium addresses
only Russian government malicious activity. The large and active Russian cyber underworld
is outside the scope of the summary. CISA logged seven new issues into its known exploited vulnerabilities catalog on Friday.
One of the more noteworthy vulnerabilities they added was the critical remote code execution issue
affecting multiple Ruckus products.
Bleeping Computer reports that the flaw concerns devices using the Ruckus wireless admin panel.
The vulnerability, while first
acknowledged in February, has probably not seen many patches on vulnerable Wi-Fi access points,
which in these attacks have been targeted by AndoryuBot malware. The malware, once within
the system, adds the compromised device to a botnet for use in DDoS attacks. Ruckus released a security bulletin in February that was updated last week
detailing the almost 60 devices impacted and the patches that are available.
Many end-of-life devices, however, have no patch available.
And finally, dead drops used to use things like trash bags beneath Northern Virginia footbridges,
maybe signaled with a chalk mark on a mailbox or some chewing gum on a lamppost.
Now they can use comments in YouTube videos.
The Suwon District Prosecutor's Office has charged four members of the Korean Confederation of Trade Unions
with spying for North Korea.
The South Korean trade unionists are accused, according to NK News,
of communicating with their handlers by leaving a prearranged comment in a YouTube tutorial video.
The KCTU members are accused of violating the Republic of Korea's National Security Act
through both espionage and serving as agents of influence.
The alleged influence is incitement of anti-Japanese and anti-American sentiment.
Interestingly, not all of the signaling was digital.
The four accused also allegedly used old-school tradecraft that would be familiar to any reader of spy novels by John le Carré.
Coming up after the break,
our guest Dave Russell from Veeam with insights on data protection.
Matt O'Neill from the U.S. Secret Service
explains their efforts to thwart email compromise
and romance scams.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when
it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000
companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's
the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are
compromised at home, your company is at risk. In fact, over one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
Veeam Software is a data backup and protection company, and they recently released
the results of their 2023 Data Protection Trends Report. For insights on the report,
I spoke with Dave Russell, Vice President of Enterprise Strategy at Veeam.
You know, I always like a little bit of myth busting. So, you know, one myth is that the
cloud and cloud first or hybrid cloud, multi-cloud is coming. But our research shows that it's
already here, meaning that in the pandemic years, these last roughly three years, it's a pretty even split on-prem and off, meaning right
now 4,200 organizations that we surveyed across 28 countries. They report that actually they're
slightly more physical than virtual on-prem, and that totals 53% of their workloads. And in the
hybrid cloud, multi-cloud universe, meaning off-prem, they're 47%.
So nearly half and going to 52%
are just over half next year.
What do you make of that?
I mean, what are the real world ramifications
of those numbers?
To me, it's an interesting mix of,
oh, wow, we didn't turn anything off.
We still have a lot of physical servers. We obviously have a lot of virtual servers. We're commissioning more, actually more
of both, meaning commissioning physical servers on-prem as well. But we're also expanding out
into the cloud. And when we say a word like cloud, it actually means many, many different things.
It could mean infrastructure as a service. Most of us have multiple software-as-a-service applications that we're running, maybe PaaS applications as well.
So if you're an administrator trying to get your arms around that, or if you're a C-level person, a CIO or chief information security officer, you've got an awful lot to contend with.
Let's dig into some of the other things the report
covers here. You touch on data protection and disaster recovery. What sort of things are you
tracking there? Yeah, well, selfishly being a data protection vendor, we really want to know
what the market's feeling and thinking, both in terms of what do they seek and but also what would drive them to change.
And the reality is there's a lot of frustration. And I should mention, this is a blind survey,
meaning no one knew that Veeam was asking the questions. And it's certainly not just
Veeam customers. In fact, Veeam makes up fewer than 8% of those 4,200 respondents.
And that's by design. So one of the things that really
struck me or shook me, I guess I should say, is that organizations self-report. The administrators
say that they think they have a protection gap in terms of how much data they would lose in a
recovery scenario and a gap in terms of how long it would take them to get the data back.
In fact, those numbers are 79% not going to hit my data loss objectives, meaning I'm going to
lose more data. And 80%, I don't think I can get the data back in time in which the business expects
it to be. So if the administrators, those that are actually in charge of the systems, are reporting, hey, I don't think we can do this, that's a pretty unnerving set of statistics.
And what is the impediment here? I mean, what's keeping them all from closing that gap?
the different types of deployments.
But the other thing that really was interesting to me is we've been asking now for the last three years,
what was the number one
and please rank all causes of unplanned outages?
And what's amazing is all of the things
that literally for half a century
we've worried about in the data center,
like server outages, network misconfiguration, etc. Those
things still happen with amazing frequency, despite the rise of redundant power supplies
and high mean time to failure components. We still have those things happening. But what rose to the
top the last two years has been cybersecurity. So now you've got to worry about all kinds of configuration
issues and component failures, as well as cyber. And when we added all that up,
it actually, they can check all, it adds up to 500%. So that means on average,
there are five different things taking down a server in a 24-month period.
What is your sense in terms of the folks who are responsible for protecting these systems
being able to tell that story and get the resources they need
to the powers that be at their organizations?
In a strange way, I think that story or situation is getting better.
And what I mean by that is, now I'm going on 34 years,
I've been in the backup space. I always felt like organizations were not nearly as recoverable as
they thought they were. And yet the data that I just rattled off shows a protection gap,
a recovery gap in terms of time. But it was easy to kind of kick the can down the road,
meaning we'll get to that
later. And the reason why was because we historically as an industry, we only recovered
or restored three to five percent of the data that we backed up. And the trick, of course, was you didn't know
which three to five percent and you didn't know when you would need it. Now comes cyber, where literally
without warning, 100% of your production data could have to be
recovered, and then within a period of a couple months you might get hit again. In fact, unfortunately,
the odds are not in your favor in terms of not getting hit. So that has elevated the situation
to literally a board-level concern. You know, no board typically ever wants to talk
about or much less think about backup and recovery. But if that is your last line of defense
to keep your business operational, now it's no longer a luxury item.
Well, based on the information that you all have gathered here,
what is your practical advice to folks? What are the words of wisdom here?
Yeah, the number one thing I always like
to say is, you know, download the report and read it. You owe it to yourself to get educated.
Part of that education, it might be a confirmation of what you maybe already thought as a practitioner,
but now you can have a different kind of a conversation with your management team or even
your board. And then from there, get prepared.
You know, sometimes you really can't do everything.
We all live in a world of scarcity,
but I like to say that you may not be able to do everything,
but you can do something.
You know, you can start to patch the systems
that have gone unpatched for quite some time
and represent latent threats with latent vulnerabilities.
You can start to plan for a hybrid cloud,
multi-cloud world that you're probably already in, even if you're not kind of realizing that yet.
And then in terms of cyber, everything you can do around employee training, particularly around
phishing, anything you can do about patch management, and of course, make sure you have
backups and test those backups.
That's Dave Russell from Veeam discussing their 2023 Data Protection Trends Report.
And I'm pleased to be joined once again by Matt O'Neill.
He is Deputy Special Agent in Charge for Cyber with the United States Secret Service.
Matt, welcome back.
Thank you.
I want to touch today on some of the work you and your colleagues are doing
when it comes to business email compromise and romance scams.
Can we start off with just some definitions here? How do you all
describe these particular types of capers? So business email compromises or BECs and romance
scams are very much interrelated. So in a business email compromise, typically there are several sort
of areas where fraudsters could prey upon victim organizations or individuals. The first would
be a CEO impersonation scam, where they will contact somebody in the organization claiming
to be the CEO and ask them to move money. Typically, the sort of tactics that they'll use
is they'll try to put pressure on the individual who can send the money to say,
hey, this has to happen immediately. Don't tell anybody because
it could ruin whatever deal that is being done. And oh, by the way, I'm going to be out of pocket
for the next 12 to 24 hours. And I expect it to be done by the time I get back.
Are these the ones that hear, I need you to go get me some gift cards? Is that often
part of this as well? No, not typically in a business
email compromise, but that is a whole other sort of adjacent scam that does happen. It's hard to
keep track, Matt. There's a lot of them. And then also invoice-related scams where typically,
just like the majority of all of cyber incidents that we see, it starts with phishing attacks and gaining access into emails and then looking for invoices that a victim organization would receive or send.
And then trying to either change the routing coordinates of where the invoice was going to get paid.
And then a lot of times what will happen is it'll be several days or a week later where the victim organization will reach out to whoever they're doing business
with and ask them, where's my money? And they'll say, well, we sent it to that new routing at,
that new financial institution to which then they'll contact the secret service or the FBI,
but largely it's too late. Another one that's also something that we spend a lot of time on is real estate BECs.
And that's simply, think about you're getting ready to close on a house
and you have to send in your final payment.
Well, what fraudsters will do is they will direct that final payment to them.
And you're thinking, oh, well, this is just a change in whoever I'm, you know, the closing
attorney or the title company.
And then you'll show up to closing and they'll say, well, I'm sorry, Mr. O'Neill, we can't
close today because we never received your money.
And the victim will say, well, I sent it to the wiring account address that you suggested
to which then that's just awful situations we've had.
We have a team in the Secret Service's Global Investigative Operations Center that's
been focused on recovering assets in business email compromise scams since 2019. And they
have recovered $283 million since 2019 for victims. And there's only four employees who are extremely hardworking
and leverage contacts throughout the global financial services sort of web around the world
to try to recover the funds. Because the most important thing to understand in BEC cases is
time is of the essence. So if you don't report it within 48 hours, the odds are the money
will be gone. Our success rate in recovering funds outside of even the asset forfeiture process,
but communicating with the receiving bank and the sending bank and getting them to work together to
get the money back to the victim within 24 hours, it's approximately 56%. But typically what happened in some organizations is once they find out that the money was sent
to someone else other than the intended recipient, there comes, we like to call it the Super
Bowl of finger pointing, and they'll spend several days figuring out who's responsible.
But by the time that that happens, the money is long gone.
And so we highly encourage,
again, if you're an organization,
communicate early and often
with your local Secret Service office
through our Cyber Fraud Task Force network
to make sure that when,
if something like this happens,
that you have a contact
that you can get it to either to them and they can get it to our
Global Investigative Operations Center or through FinCEN to try to at least stop the money before
it ultimately is withdrawn at the final destination. And what about the romance scam
component of this? How does that play into this? So one of the choke points in financial fraud is money mules. And so
typically what we'll see is romance scams, unfortunately, are sort of gateway crimes.
And when I say that, I mean a victim in a romance scam. And those typically happen through
websites, dating apps, traditionally not the location-based sort of dating apps,
but more sort of the legacy online apps where you can kind of hide where you're located and
things like that. And so there's a lot of impersonation that goes on and also long-term
cultivating relationships. Sometimes it's four, five, six months. And so through a romance scam,
what'll typically happen is someone, the victim will be notified by the person they think that they've been dating to say, well, I have this great investment. You should invest in me. We've
been, you know, talking forever and, you know, I can trust you. Yes, you can trust me. I'm in on
something. We're going to make a lot of money.
Or they could say, I've been injured and I need money to get back to either visit you
or something along those lines or a family member.
A lot of times what we'll see is the first, the investment, and the second will be then
the injury.
And then what we'll see is a transition to the victim in this case becoming a witting or unwitting money mule for the bad actors.
Then it'll transition to those business email compromise cases that I was talking about where if I'm trying to get an organization to send money to me, I'll usually use one of those money mules, their accounts.
So it'll be trying to convince them to open up an account.
And hey, you're going to make some money.
I have this overseas business and I need somebody in the United States to be my accounts receivable.
Just open up an account.
Provide me with the information.
$100,000 is going to get wired in.
You get to keep 5%.
And then only thing you have to do is send it
to someone else. And then the victim will open the account. And then what will typically happen is
after the money has been moved, then law enforcement will go back to that victim and say,
you laundered $100,000 in victim proceeds. Where did it go? How did it happen? Those kinds of
things. And typically they, now they're doubly victimized because they've quote-unquote invested with the bad actor.
And now they're also being victimized because they've become an unwitting money mule.
Money mules are sort of the – one of the centers of gravity that enable cybercrime to flourish.
You alluded to how time is of the essence here and that it strikes me that one of the superpowers
of the Secret Service is being able to unpack
these complex financial things.
I mean, the agency has a long history of that.
Is that the message for our listeners
that really time is of the essence here, that
it may be counterintuitive to, you know, you may think, well, let's wait, but no, every minute
counts? Yes. For a victim or any organization that engages in sending wires and that sort of thing,
the most important thing is to know, A, that this fraud is rampant
and it is continuing to grow year over year.
So you can anticipate at least attempts to be made
to your organization.
The good cyber hygiene is always sort of clearly recommended.
But ultimately, yes, time is of the essence.
And typically after 72 hours,
the odds of you getting your money back are very slim. So developing the relationships before the bad day happens with your local Secret Service office, your local FBI office. Again, it doesn't matter to us. As it's often said, cyber is the ultimate team sport. It's our job to work together. It's not your job to figure out, oh, do I call the FBI on this or the Secret Service on this?
Just call somebody and we'll work it out on our end.
All right, fair enough.
Matt O'Neill is Deputy Special Agent in Charge for Cyber
with the U.S. Secret Service.
Matt, thanks so much for joining us.
Thank you.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment.
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like the Cyber Wire are part of the daily intelligence
routine of many of the most influential leaders and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester, with original music by Elliot Peltzman.
The show was written by John Petrick.
Our executive editor is Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.