CyberWire Daily - Ransomware gangs talk about retiring, and about deception. High-level Russo-American talks. US sanctions four spyware vendors. CISA tells US agencies to patch known, exploited vulnerabilities.
Episode Date: November 3, 2021
The BlackMatter ransomware gang says that it's retiring under pressure from the authorities. The spokesman for the Groove group says his gang doesn't exist--he was just playing the media. Quiet, high-level talks held between senior US and Russian officials. The US Commerce Department sanctions four spyware vendors. Carole Theriault wonders if you can train yourself free of social engineering. Josh Ray from Accenture Security with insights from their Cyber Investigations and Forensic Response team. CISA tells Federal agencies to get patching. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/212
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The Black Matter ransomware gang says that it's retiring under pressure from the authorities.
The spokesman for the Groove Group says his gang doesn't exist.
He was just playing the media.
Quiet, high-level talks held between senior U.S. and Russian officials.
The U.S. Commerce Department sanctions four spyware vendors.
Carole Theriault wonders if you can train yourself free of social engineering.
Josh Ray from Accenture Security with insights from their cyber investigations
and forensic response team.
And CISA tells federal agencies
to get patching.
A quick program note, we are in the midst
of the DataTribe Challenge here at our
studios today, with cybersecurity
startups competing for seed funding.
So if some of the festivities
bleed into our audio, that's why.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, November 3rd, 2021.
Group-IB reported this morning that the Black Matter ransomware-as-a-service gang,
apparently itself a rebranding of DarkSide, has announced that it's shuttering its criminal business. The gang cited certain unsolvable circumstances associated with pressures from authorities
as the reason for its decision to close. Rump services will continue for an indeterminate
period of time in order to give its affiliates information and decryptors, but the final word
to the affiliates is a farewell wish for their further
success. Here's what they said, quote, due to certain unsolvable circumstances associated with
pressure from the authorities, part of the team is no longer available after the latest news,
the project is closed. After 48 hours, the entire infrastructure will be turned off.
It is allowed to issue mail to companies for
further communication. Get decryptors for this, write "give a decryptor" inside the company chat
where they are needed. We wish you all success. We were glad to work. End quote. So, farewell,
Black Matter. Maybe. We can hope. But what of Black Matter's affiliates, the ones the gang
wished well in its valediction? They'll probably simply move elsewhere in the C2C market, where
there is, for now at least, no shortage of suppliers. The Black Matter gang itself may or
may not resurface in some form. Other criminal gangs are proving similarly protean. Take Groove,
for instance, which appeared in online fora with some éclat on October 22nd, when a nominal
spokesman called upon their business brothers for attacks against the real enemy, basically the
United States. The communique urged, stop competing, unite, and begin to destroy the U.S. public sector.
Anywho, the spokesperson or persons who go by the hacker names Boriselcin and Orange said it's all a goof.
Groove, security firm Flashpoint reports, now says its call for attacks against the U.S. was simply designed to embarrass Western media.
What's more, Groove
adds, there's no such thing as itself anyway. Groove says its blog is just a one-person operation,
that the gang, as a gang, doesn't really exist, and that the whole thing was just an attempt to
see whether it was possible to manipulate the Western media through a ransomware blog. In any
case, the cybercriminal's name is Legion,
and they shift, fracture, combine, and rebrand themselves often.
And, goof or no goof, the call to destroy the U.S. public sector
was howling that would be heard by various wolves,
known, lone, or unknown,
so the distinction Mr. Orange draws may be one without a difference.
Security firm Intel 471 told the Washington Post,
quote,
While it's possible that a single actor concocted Groove
as a way to troll security researchers and the media,
we believe it's more likely that the actor's attempt to create their own ransomware group
didn't work out as they had planned.
It's also important to remember that the true identity
and nature of any ransomware-as-a-service gang is not always clear, and the membership makeup
or affiliates of these gangs can be fluid. Emsisoft's judgment is even harsher. The
anti-ransomware specialists told the Post, quote, There's no reason to believe that ransomware
hackers are ever telling the truth about anything.
The default assumption should be that they're lying,
or at the very best simply telling the pieces of the story they wish to become public, end quote.
To return to Black Matter for a moment,
what might one make of its claims that they were feeling local pressure,
and the hint that part of the
team is no longer available. There's been some speculation that recent quiet efforts at
conciliation between Russia and the U.S. in cyberspace may have been an occasion for Russian
authorities to make a token gesture of goodwill by pressuring some of the less favored gangs.
U.S. Director of Central Intelligence
William Burns met with a senior Russian security official yesterday to discuss a range of issues
in the bilateral relationship, so Black Matter may have been crowded, or of course their statements
to that effect may be so much smoke and mirrors. The U.S. Department of Commerce has sanctioned four companies
for providing foreign governments spyware.
NSO Group and Candiru, both based in Israel,
have been added to the entity list,
as have Positive Technologies, a Russian firm,
and the Computer Security Initiative Consultancy, PTE,
headquartered in Singapore.
Of the two Israeli firms,
Commerce said they were added to the entity list based on evidence that these entities developed
and supplied spyware to foreign governments that use these tools to maliciously target government
officials, journalists, business people, activists, academics, and embassy workers.
These tools have also enabled foreign governments to conduct
transnational repression, which is the practice of authoritarian governments targeting dissidents,
journalists, and activists outside of their sovereign borders to silence dissent.
Such practices threaten the rules-based international order. Positive Technologies
and the Computer Security Initiative Consultancy were placed on the entity list after, according to Commerce,
a determination that they traffic in cyber tools used to gain unauthorized access to information systems,
threatening the privacy and security of individuals and organizations worldwide.
The sanctions, Commerce explains, represent a move in support of human rights.
Quote, this effort is aimed at improving citizens' digital security, combating cyber threats,
and mitigating unlawful surveillance, and follows a recent interim final rule released by the Commerce Department establishing controls on the export, re-export, or in-country transfer
of certain items that can be used for malicious cyber activities, end quote.
CISA has issued Binding Operational Directive 22-01,
which requires U.S. federal agencies to address known exploited vulnerabilities.
The directive, which is accompanied by a new catalog of vulnerabilities,
will require affected agencies to fix almost 300
known flaws identified between 2017 and this year.
The bugs on the list are evaluated as a significant risk to the federal enterprise.
The directive applies essentially to all federal civilian agencies other than the CIA and the
Office of the Director of National Intelligence.
The Defense Department also falls outside CISA's authority.
Language has been introduced into the U.S. House version of the Defense Authorization Act
that would add four new eyes to the familiar Five Eyes intelligence-sharing group, Defense One reports.
Germany, Japan, India, and South Korea would join the five
Anglophone powers in the current pact. It's not yet expansion, which of course all the eyes would
have to agree to, but rather a tentative move in that direction. Sponsors of the language and the
House Intelligence Committee say expanding the group in this way would enable more effective
cooperation against a common threat from China
and would also update the intelligence-sharing agreement by moving it beyond its 20th-century World War roots.
CISA has issued two more industrial control system advisories.
One reports fixes in Sensormatic Electronics VideoEdge.
The other describes an update to WECON PI Studio, Update A.
Finally, Inc. magazine has published its inaugural list of the 250 best-led companies
in the U.S. Cloudflare, CrowdStrike, Exabeam, and KnowBe4 are all mentioned in dispatches.
Congratulations to them all.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time
checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows
like policies, access reviews, and reporting, and helps you get security questionnaires done
five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Our UK correspondent Carole Theriault has been considering the role security awareness training plays in an organization's security posture.
She files this report.
Okay, so let me put an argument out there for you listeners to noodle upon.
And that thought is this.
Most of us are sitting ducks when it comes to social engineering. And I'm citing lack of experience as a main contributing factor. Let me just pivot
from cybersecurity for a second to drive my point home here. So I live in the south of the United
Kingdom where it rarely snows. Like for every thousand times a driver goes out, once will be snowy.
And when it does snow, the roads become a mess. One, because the UK doesn't seem to have enough
machinery to clear the roads, but also because the average driver has no idea how to handle
their car in snow. I mean, these guys were careening around corners like Jessica Rabbit sashays,
or they glide through stop signs as though they're Tom Cruise in Risky Business.
But you know what? It's not their fault. If snow happens one in a thousand times,
how are they supposed to develop excellent reflexes and do those counterintuitive things
like pumping on the brake rather than slamming
on the brake when you hit ice. Sure, they may have studied a few pages of what to do in this
type of weather when they got their license, but they have little to no experience of actually
driving on snow, which means they have no muscle memory, which means I don't want to be on the roads in the UK in a snowstorm.
Now, apply this to social engineering scams. Let's say for every thousand interactions that
an average business person has, one is using social engineering tactics to gain a snippet
of information. How the heck is the average user supposed to spot these? Even if they did watch a 30-minute presentation on cybersecurity 18 months ago,
the likelihood is that they will give away that snippet of information without a second thought.
Because in the other 999 interactions, they would have been praised or thanked at least
for providing reliable information so quickly and calmly.
So I categorically do not blame the person who is being duped by a scam,
especially if they don't have hands-on experience in dealing with them.
So if you want to make your staff part of the social engineering defense,
don't just rely on a presentation that's given every six months or so.
Consider testing them regularly. Let them know this will happen so they are extra vigilant.
Make sure they have the information as to what they should do precisely if they have that niggly feeling that something isn't all okay with the communication they have had
or are having with someone, be it by phone, by email, on a Zoom call, it doesn't matter.
I mean, you don't become proficient at driving in snow by watching Fargo, right? You need to
get behind the wheel and feel your way through it with an expert beside you, ideally. This is
Carole Theriault for The Cyber Wire.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a
default-deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Josh Ray.
He is Managing Director and Global Cyber Defense Lead at Accenture Security.
Josh, it is always great to have you back.
You know, I know you and some of your colleagues over at Accenture on the Cyber Investigations and Forensic Response Team, recently released some information,
a mid-year review of some of the things you all have been tracking.
Can you bring us up to date here?
What attracted your attention in the report?
Absolutely, Dave, and thanks again for having me back, as always.
And I think, you know, the listeners here will find some of these statistics startling, but maybe not overly surprising to those that are in the mission space.
So the team actually found that global activity jumped 125% in the first half of 2021 compared to the same period last year.
And that's, I mean, that's a pretty startling figure.
And what we found was that this triple-digit increase
was really driven primarily by a lot of web shell activity
and targeted ransomware and extortion operations,
as you can imagine, but also, as we've seen,
a significant increase in supply chain intrusions.
From an industry's perspective, which I thought was actually pretty interesting, that the consumer goods and services were targeted the most often.
And this really accounted for about 21% of all the cyber attacks that we saw.
And that was closely followed by industrial and manufacturing and banking, travel and hospitality industries.
So that's kind of interesting.
I could speak a little bit more about the geographic piece and things like that, too,
if that's of interest.
Yeah, let's go through that.
What sort of things did you find there?
Yeah, not surprisingly, I think, is that the U.S. actually made up about 70% of our
incident volume, and it was the most targeted country. But again, followed very
closely by both UK at 24% and Australia. And from really a category standpoint, as I mentioned
before, ransomware and extortion operations continue to really reign supreme here. But we
found that about 85% of the companies that were being targeted had an annual recurring revenue
of north of a billion dollars, which to me is really a strong indicator that this notion of
big game hunting is very much alive and well for the threat. Yeah, that's interesting. Now,
was there anything that stood out to you as being kind of an outlier? Was there anything in the data
that you all gathered that was surprising or unexpected? Well, you know, I think as the world, I guess, with quotes,
kind of begins to normalize from the pandemic, there were really three scenarios that kind of
jumped out at us. And really what we think is that as things start to ramp up, we really will start
to see an increased trend in upward
activity targeting against consumer goods and services, but especially travel and hospitality.
And this is tough because these are industries that are already really kind of reeling from
staff shortages, especially from an InfoSec standpoint. And the second one, probably no
surprise, but notice the heightened awareness
around government action and lots of industry collaboration. Ransomware is still going to be
a top threat to businesses globally. And what we've seen is that actors are actually really
adopting stronger pressure tactics and going right to much more aggressive extortion techniques as well, too.
And then I think finally, really what we'll finally see is that this notion of supply chain and product weaknesses
as the threat really looks to continue to enable persistence operation is also going to continue, I think, well into the next calendar year as well.
All right. Well, interesting insights as always.
Josh Ray, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman, Trey Hester, Brandon Karp,
Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.