CyberWire Daily - Ransomware gangs, paycard skimmers, and Grinchbots. Russia blocks Tor, and the US Senate holds hearings on social media and its arguably malign influence on youth.
Episode Date: December 9, 2021
Conti continues, undeterred. Magecart skimmers are infesting WooCommerce instances. Users are finding URL redirection attacks difficult to detect. A quick look at the workings of the Hive ransomware gang. Russia blocks Tor. The US Senate holds hearings on social media and adolescent mental health. Dinah Davis from Arctic Wolf on assessing your security posture. Our guest Neal Dennis of Cyware discusses automation and unification. And Grinchbots are still prowling for presents. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/235
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Conti continues undeterred.
Magecart skimmers are infesting WooCommerce instances.
Users are finding URL redirection attacks difficult to detect. A quick look at the workings of the Hive ransomware gang.
Russia blocks Tor. The U.S. Senate holds hearings on social media and adolescent mental health.
Dinah Davis from Arctic Wolf on assessing your security posture. Our guest Neal Dennis of
Cyware discusses automation and unification,
and Grinchbots are still prowling for presents.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary
for Thursday, December 9th, 2021.
The Russophone Conti ransomware gang does not appear to have been inhibited by recent anxieties circulating in the underworld.
Over the weekend, CS Energy, a major electrical utility in the Australian state of Queensland,
sustained a ransomware attack that was initially widely attributed to Chinese state actors.
Not so, it turns out. Reuters says that the Conti gang was responsible.
The gang has listed CS Energy on its leak site.
On the other side of the world, Intelligent CIO reports that Nordic Choice Hotels has also disclosed that it was hit by Conti. The report says, quote,
The incident primarily impacts the hotel's guest reservation and room key card systems.
Although there is no indication of passwords or payment information being affected,
information pertaining to guest bookings was potentially leaked.
End quote.
RiskIQ reports finding three Magecart skimmers deployed in WooCommerce checkout pages.
WooCommerce is a WordPress plugin widely used by e-commerce sites.
Such businesses should be alert for the possibility that Magecart has been introduced into their sites.
Proofpoint describes large-scale URL redirection attacks exploiting vulnerabilities in popular
OAuth 2.0 implementations. Microsoft's and GitHub's are particularly mentioned.
URL redirection attacks have fewer of the telltale signs
users have come to associate with phishing.
Proofpoint writes, quote,
The detected campaigns include, among others,
Outlook web access phishing, PayPal login phishing,
and credit card harvesting,
and these campaigns are still
alive and evolving.
Group IB has been looking into the workings of the Hive ransomware operation.
The rise of ransomware-as-a-service offerings in the C2C market has driven the increased
commodification and scope of this form of criminal activity during 2021, and Hive has
been a prominent player in the ransomware-as-a-service market. Group IB's researchers
took advantage of errors in Hive's API to gain some insight into the gang's activities.
By October 16th, Hive's API held records of 312 companies that most likely fell victim to Hive's operators.
According to Reuters, the Russian government has extended its increasingly autarkic control
over information transiting its Internet precincts by blocking the private service Tor.
Tor has responded by offering affected users a workaround involving a mirror site,
but it seems likely the Kremlin will itself respond with further restrictions.
The Senate Commerce Subcommittee on Consumer Protection yesterday held hearings on the
impact of social media on young people. Subcommittee Chair Senator Richard Blumenthal,
Democrat of Connecticut,
framed the discussion.
In this series of hearings, we've heard some pretty powerful and compelling evidence about the dangers of big tech to children's health, well-being, and futures.
Our nation is in the midst of a teen mental health crisis. Social media didn't create it, but it certainly
fanned the flames and it's fueled it. And if anybody has any doubts about the potential
harmful effects of social media, the Surgeon General yesterday issued a powerful report
about the implications of social media,
as well as video gaming and other technologies, on teen mental health.
And that's part of the reason we're here.
The report the senator alludes to in his remarks is
Protecting Young Mental Health,
which came out Tuesday under the signature of the U.S. Surgeon General.
The Surgeon General wrote in his cover letter that,
quote, When not deployed responsibly and safely, these tools can pit us against each other,
reinforce negative behaviors like bullying and exclusion,
and undermine the safe and supportive environments young people need and deserve.
End quote.
The mental health issues the report is particularly concerned with are depressive symptoms and suicidal ideation.
Senator Blumenthal went on to say that in his view the era of self-policing was
over and that big tech has forfeited the trust on which any effective system of self-policing
would depend. He argued the algorithms were the 600-pound gorillas menacing children and that
the platform's offers of self-regulation are inadequate to restraining the gorillas.
Senator Marsha Blackburn, Republican of Tennessee and subcommittee ranking member,
opened her remarks by saying that it wasn't clear how the half-measures industry proposed could meet our common goal of protecting teens online.
She's concerned about the sheer magnitude of teenage consumption of social media and the effective impossibility of parental tracking, supervision, and intervention in that consumption.
We know that social media is an integral part of teens' daily lives.
According to the Mayo Clinic, 97% of teens between ages 13 and 17 use a social media platform. And 45% say they are online almost
constantly. So while telling teens to take a break might seem helpful on the face of things,
it's probably not going to get most teenagers to stop doing what they're doing and take a break. Educational tools
for parents can be helpful, but frankly, I'm more concerned about the things we know kids and teens
are hiding from their parents. We know that Facebook and Instagram have encouraged teens
to use secondary accounts and told them to be authentic.
So while parents might gain some insight into what their teens do on their main accounts, what do they do about the accounts they don't even know exist?
Instagram CEO Adam Mosseri was the witness the subcommittee called in for questioning.
He began by pointing out that little had changed,
that teenagers had always spent time with friends,
always explored their identities,
and done the other things that represent both opportunities for growth and danger.
The Internet has changed the ways in which they do this, and while he believed that Instagram shared the goal of keeping young people
safe online and could help do so, any solution had to be an industry-wide solution and not the
sole responsibility of any one company. Now I recognize that many in this room have deep
reservations about our company, but I want to assure you that we do have the same goal.
We all want teens to be safe online. The internet isn't going
away and I believe there's important work that we can do together, industry and policymakers,
to raise the standards across the internet to better serve and protect young people.
But the reality is that keeping people safe is not just about any one company. An external survey
just last month suggested that more teens
are using TikTok and YouTube than Instagram. This is an industry-wide challenge and requires
industry-wide solutions and industry-wide standards. Now we have a specific proposal.
We believe there should be an industry body that will determine the best practices when it comes
to what I think are the three most important questions with regards to youth safety. How to verify age, how to build age-appropriate
experiences, and how to build parental controls. Those standards Mr. Mosseri proposed should be,
he thinks, the bar companies would need to reach, he argued, if they are to receive the Section 230
protections on which internet platforms have come to rely.
Senator Blumenthal brought up the view that Instagram was addictive and needed to be regulated accordingly.
Mr. Mosseri disagreed.
Instagram is addictive.
That's the view that has been repeated again and again and again by people who are expert in this field.
Parents know it.
And for teens who see Instagram's algorithms encouraging, for example, eating disorders,
they find it almost impossible to stop.
The UK code restricts Instagram's use of addictive design.
Shouldn't we have a similar rule in the United States?
Senator, respectfully, I don't believe the research suggests that our products are addictive.
Research actually shows that on 11 of 12 difficult issues that teens face,
teens are struggling so that Instagram helps more than harms. Now, we always care about how
people feel about their experiences on our platform, and it's my responsibility as head of Instagram to do everything I can to help keep people safe,
and we're going to continue to do so. Those audio soundbites are courtesy of C-SPAN.
Concerns of this kind aren't new, and neither is congressional attention to them.
Historically-minded listeners will be reminded of the hearings on the dangers of comic books
the Senate held back in the 1950s.
There was posturing and grandstanding there as well,
and some overwrought hand-wringing over the ways in which Mad Magazine, to pick one publication,
was, in those pre-Comics Code days, leading young Americans into depravity.
Mad's publisher, Mr. William Gaines himself, testified on behalf of what Mad always called the
usual gang of idiots, and revealed in the course of his testimony that he was a certified teacher with
a degree in education, qualified to teach in New York public schools. Despite all this, and lest one
be inclined to dismiss hearings like these as so much playing to the electorate, it's difficult to
look at accounts of the hearings
and not conclude that, the First Amendment
and the resilience of young minds aside,
there wasn't some fairly objectionable content in the comics
as there is in social media.
What can or should be done about such content is less clear.
Anywho, social media are having their comic book moment on Capitol Hill. Expect the
evolution of various forms of a social media code to follow the path set by the Comics Code
more than half a century ago. And also note that the Comics Code has faded over the past few
decades, as a stroll through any local comic book store will quickly reveal. We can also hope, as regular Joes and ordinary
Janes, that the platform impresarios turn out to be at least as entertaining as was Mr. Gaines,
but so far, no joy. As the holiday season advances toward Christmas,
researchers at security firm Imperva report increased Grinchbot activity. They say advanced bot traffic sessions on retail
sites in November 2021 grew nearly 73% over the previous month, indicating that many bot operators
increased their efforts as the Singles Day, Black Friday, and Cyber Monday e-commerce holidays
came and went. The Grinchbots' goal is to partially corner the market for presents
that are likely to be in high demand on e-commerce retail sites.
That way, they can resell them for a sweet profit.
So, if you've been having trouble getting a PS5
or a Pokémon 15th Anniversary Celebration Ultra Premium Collection,
well, shopper, blame the Grinchbots.
Visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of
new members discover they've already been breached. Protect your executives and their families 24-7,
365, with Black Cloak. Learn more at blackcloak.io.
The team at virtual cyber fusion platform provider Cyware recently commissioned Forrester Consulting
to take a look at the flow of security operations data within organizations, to help understand where security teams are hitting data-sharing
speed bumps and how best to overcome them. Neal Dennis is a senior intel analyst at Cyware Labs.
So I would like to say I'm surprised at this, but I really am not.
There was roughly 24% of respondents to this report said that they actually had
legit unfettered access to the data that makes their world go round.
So translation, 76% of the people out there
know that there's data that exists
that can help make their life better,
but they can't get access to it in a free-flowing way
or access it in a way that makes their life less complicated.
So I thought that was kind of earth-shattering a little bit
to see it that far, but once again,
I'm not as surprised as I probably should be
with that status check. And then the other big one for me, when I was looking at this, there was a seemingly
lack of intent to implement SOAR automation orchestration on any front. And the responses,
roughly only about, I think it was roughly 8% or so, made mention that they were either expanding, upgrading, or intended to implement
some kind of SOAR functionality within their org. 90 plus percent of the respondents
had no SOAR in play, roughly. So that's also kind of surprising.
What are the barriers here? What's keeping people from streamlining these operations?
I think today, a lot of it just has to do with maybe a misunderstanding of what technologies are available today and the costs associated
with those technologies versus what was maybe five, 10 years ago when the concept of SOAR and
orchestration automation really first started gaining traction five plus years back. There
was only a handful of offerings out there. It wasn't really a big thing just yet.
And the solution back then was, I'm just going to hire another person, and he is my quote-unquote
SOAR, basically. He, she's going to be the ones going and checking boxes. So I think there's
some lack of understanding of what it really takes to implement orchestration and automation
in an environment today. I think people misinterpret the scale required to do this. And I think they also
believe there's a good chunk of individuals who think that it really is only for incident response
solely, as in, you know, we have an email come across the line. I need to figure out what the
value of that potential email is, if it's malicious, not malicious, and do that kind of level of triage.
And then it kind of stops. I don't believe people fully understand that we can take these orchestration automation fundamentals
and apply them to so much more than just the basic levels of incident response,
the basic levels of triage within a SOC.
I mean, there's so much there that can go into play to tie a lot of things together.
Are there any potential speed bumps that people should know about? Any words of wisdom along the way? You know, things just to be mindful of as you're making your way through this transition.
Definitely. So when we implement SOAR, when we start talking about what it takes to break down
these silos and start to unify the org and even start to collaborate externally, we always have
to remember there's still a need for the human in the loop.
You're going to come out, you're going to create these playbooks, these automation
checkpoints within your flows.
No one should ever tell you that you're going to completely replace the human for the totality
of every single process they're writing a playbook for. Are the things that we can get the human
out of the loop for? Definitely. But at some point in time, the human still has to have access. The
human still has to have the ability to at least inject their thoughts into that process when and
where needed based off of whatever logic they've built. So in my mind, anyone who comes out and
says,
we're going to completely automate and orchestrate out every single thing that you've got going on,
or all these little things here, and you'll never have to have a human back in this.
I think we need to be wary that you should always have the opportunity to put the human back in the
loop, to pulse check things, to make sure that it's doing what it's supposed to be doing,
and even inject them as a data point into some of these unique playbooks that you might create.
I think that's a very key implementation factor.
And then lastly, some of the other hurdles to think about, these data silos.
If you go forth with implementing SOAR in your solutions as part of a solution offering, involve the rest of your staff.
Involve the rest of the teams within your org.
Look external of just the SOC.
Go to the vulnerability management team
if they're not within the SOC. Go to the red team. Go to the threat hunters. Definitely please go to
your threat intel analyst if you have those. Look at your infrastructure management crew,
the ones who are handling the actual products out there in your security stack and making sure that
they're up and working. Involve them in these decisions. Figure out what it's like for them to
do the work they're doing, the things that you're sending them, and make sure it doesn't get stove
piped anymore. So get everybody together, implement it as a team, help break down those stove pipes
along the way, and start making that a more collaborative effort. That's Neal Dennis from
Cyware.
And joining me once again is Dinah Davis. She's the VP of R&D Operations at Arctic Wolf,
also the founder and editor-in-chief at Code Like a Girl. Dinah, always great to have you back. You know, as we're
coming here up to the new year, I think it's that time when people sort of take stock on things, and
I want to check in with you on some tips for folks out there to assess their security posture. What
can you share with us today? Yeah, so, I mean, understanding your security posture
is really important because if you don't,
you don't actually know how to secure yourself, right?
It's like owning a house
and not knowing where all the doors are,
so you don't even know if you're locking them all, right?
So there's, you know, a few surfaces
where you really want to look at attack surfaces.
You want to look at your assets, your network, your endpoints, cloud, your people, and your vendors.
So for your assets, you want to do a vulnerability assessment.
You want to know what version of software is running on all the things you have in your system.
Because if it's at a later version and there are security patches available,
then you're vulnerable.
So the old adage of like patch early, patch often,
like just never stop patching is basically the answer there.
For your network, do you have the right firewalls in place,
the right intrusion detection systems? Are you
monitoring your network traffic to see what could be coming in and going out, right? For the end
points, you want to make sure you're running an endpoint software, right? Which, you know, like an
agent of some kind that is watching what's happening on the computers that aren't inside
your network, right? Because in this work-from-home
world that we live in now, all of the computers aren't just, you know, monitored and safe because
they're behind the company's firewall. They're out there everywhere. And so you need to monitor
what applications are getting put on the machine and watching for nefarious things in that way.
One area people don't often think about is the cloud.
They think just because something's in the cloud, it's safe.
That company is taking care of it, right?
If you think of an Office 365 or something.
But we actually at Arctic Wolf noticed a business email compromise attack just by monitoring
the Office 365 logs for one of our clients.
So we first noticed the issue when we got a login from a suspicious country for one of the company's
executives. We flagged that with the customer and we're like, hey, I don't think your company's,
your executives are supposed to be logging in from this area.
Right. Is he on vacation or in the Far East?
Yeah. And I mean, the customer decided that like no immediate action was needed. They're like,
well, this can be caused by VPN, so we don't know. And then, you know, so we kept an eye on
the situation. And that's when the second indicator of compromise came in, which was a mail rule.
Yeah, this is really common, actually. They go and they get in, and then they want to change a
mail rule. And why would they do that, right? Well, they can start forwarding all email that
says the word finance in it or bill or anything like that to them. So we indicated to the clients that, you
know, we thought there was an attack in progress. And reviewing the Office 365 logs, we actually
found that the rule they created would conceal any email replies from that account. So the hackers
were targeting a wire transfer and had already sent a wire
transfer request for $700,000. Wow. Working with the customer and their account team, we were able
to put an emergency stop on the wire transfer. And then the IT team locked down the compromised
account and reset everything, kicked them out. You know, if we hadn't have been there, they might
not have seen that happened, right? So what happened was the attacker went in and was that
person. They had their account. So they sent the wire transfer email to the bank and stopped all
replies from coming back. So if the bank replied and said, are you sure? Do you really want to do this?
Or the person wouldn't have seen those replies because of the email filter they put in.
Now, do you have any insights on the initial access here in terms of getting that user's credentials and whether or not they had multi-factor?
I don't actually.
But multi-factor makes it intensely harder, like infinitely harder.
Right?
Right.
It's kind of like that adage of like, you got to run faster than everyone else away from the bear.
Right.
The slowest one's going to lose.
So the one without the multi-factor is an easier target.
If you make yourself a slightly harder target, they're going to just move on to the next one, right? So two more areas for your attack surface, right? Your people. So 80% of what
people learn, they forget within four months unless they're re-engaged like right away, right?
So you want to do training often. You want to do it only two or three minute segments.
You want the content that is shared with
the employees to be like really relevant. And, you know, you don't want to crush the IT team while
you're doing it. So you don't have to make them do a whole bunch of work, right? So, and then the
other thing for employees is take the risk away. Implement an SSO program. When they only have to remember
one hard password, that's way better. And if you think they're compromised, you can shut down
their access to everything in your system in one shot. So SSO is really quite important.
And then finally, we have vendors. And so that's all about managing your supply chain and, you know, making sure that you understand what they have access to, what they don't have access to, and that kind of thing.
I mean, some of it, you know, you think about, oh, these are the basics. But when you list them all out like that, it's a good reminder that there really is a lot.
And, you know, security folks have a lot on their plates.
Yeah, exactly.
All right.
Well, Dinah Davis, thanks for joining us.
Clear your schedule for you time with a handcrafted espresso beverage from Starbucks.
Savor the new small and mighty Cortado.
Cozy up with the familiar flavors of pistachio.
Or shake up your mood with an iced brown sugar oat shaken espresso.
Whatever you choose, your espresso will be handcrafted with care at Starbucks.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman,
Trey Hester, Brandon Karp, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan,
Kirill Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain
insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.