CyberWire Daily - Ransomware is rising, and governments try to evolve an effective response. A look at the cyber underworld. Snooping smartphones. An advance fee scam is criminal business as usual.
Episode Date: September 22, 2021
BlackMatter continues to make a nuisance of itself on a large scale. The US is woofing about taking action against ransomware, and Treasury has sanctioned a rogue cryptocurrency exchange, but some advocate stronger measures. Where did all those Ukrainian cybercriminal chat platforms go? A warning of the “censor mode” in some Chinese manufactured smartphones. Caleb Barlow shares thoughts on CMMC certification. Our guest is Kevin Jones of Virsec with reactions to the White House Cybersecurity Summit. And, hey, no, really, Apple is not celebrating the iPhone 13 by giving away a stash of Bitcoin. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/183
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
BlackMatter continues to make a nuisance of itself on a large scale.
The U.S. is woofing about taking action against ransomware,
and Treasury has sanctioned a rogue cryptocurrency exchange,
but some advocate stronger measures.
Where did all those Ukrainian cybercriminal chat platforms go?
A warning of the censor mode in some Chinese-manufactured smartphones.
Caleb Barlow shares thoughts on CMMC certification.
Our guest is Kevin Jones of Virsec with reactions to the White House Cybersecurity Summit.
And hey, no, really, Apple is not celebrating the iPhone 13 by giving away a stash of Bitcoin.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Wednesday, September 22nd, 2021. The BlackMatter ransomware privateers are currently active against several targets worldwide, Computing says. The gang's activities aren't confined to the high-profile attack against the New Cooperative agricultural organization in Iowa,
which, according to the Washington Post, continues its efforts to recover.
One prominent infestation is affecting media marketing organization Marketron,
Bleeping Computer reports.
Marketron, which provides revenue and traffic monitoring tools
for broadcasters and other media organizations,
was still having availability issues this morning, the company's website said.
Quote,
In addition to New Cooperative and Marketron,
BlackMatter, which emerged in what appears to have been a
rebranding of the DarkSide gang after this May's crippling attack on Colonial Pipeline,
has also hit, according to Bleeping Computer, a wine and spirits company, an investment banking
services provider in the U.S., a vendor of citrus juicing equipment in Austria, a maker of drilling
and foundation equipment in Italy, Japanese technology
giant Olympus, a U.S.-based construction company, and a unified communications company in the U.K.
In the case of New Cooperative, BlackMatter is threatening publication of a terabyte of the
co-op's data, things such as invoices, R&D files, and the source code to New's soil mapping technology.
The deadline to pay the $5.9 million in ransom demands falls on this Saturday, September 25th,
at which point the gang says it will increase the ransom and begin releasing stolen files.
New Cooperative has clearly been affected by the incident,
but it's not entirely clear how compromise of the sorts of data listed in reports on the attack
would cripple food production and distribution,
especially since the co-op doesn't dominate Midwestern U.S. agriculture.
Central Iowa, yes, but while important, it's not a major player in other regions.
The U.S. response to continued privateering by russophone ransomware gangs is still under preparation.
U.S. President Biden's address to the United Nations General Assembly yesterday touched on cybersecurity and, by implication, on ransomware.
The president expressed a commitment to building international norms in cyberspace, while also asserting that, quote,
we reserve the right to respond decisively to cyberattacks that threaten our people, our allies, or our interests, end quote.
C-SPAN has the president's remarks.
We're hardening our critical infrastructure against cyberattacks, disrupting ransomware networks, and working to establish clear rules of the road for all nations as it relates to cyberspace. We reserve the right to respond decisively
to cyberattacks that threaten our people, our allies, or our interests.
That's President Biden at the United Nations as recorded by C-SPAN.
Diplomacy and better security cooperation only go so far, and presumably naming and shaming the organizations and individuals behind the keyboards
in such attacks will only go so far. The Treasury Department's sanctions against the Russian
cryptocurrency exchange SUEX for its role in laundering ransom payments, suggest the direction sanctions
are likely to take, and Treasury's action has met with generally positive notices from the
cybersecurity sector. But there's a school of thought that these measures are, effectively,
at this point, half-measures at best. Along these lines, a New York Times op-ed this week by Silverado Policy Accelerator Chairman Dmitry Alperovitch
argued that response to ransomware needs to become a lot more vigorous and assertive than it has been.
Diplomatic leverage seems to have had little effect on Russian policy,
where the gangs that operate at the sufferance of the authorities have continued to operate at an accelerated pace
since the U.S. talked tough to Russia earlier this year. And the gangs that operate from Iran
and North Korea, while smaller than the Russian privateers, are even less susceptible to influence
by U.S. diplomatic pressure than are the Russian groups. Both countries are already heavily
sanctioned, and further measures of this kind only amount to making
the metaphorical rubble jump. Alperovitch sees the successful cyber-offensive task force Ares
prosecuted against ISIS as a model for how to dismantle a hostile cyber infrastructure.
The United States should build off the model used by Task Force Ares, targeting ransomware criminals'
technical and financial infrastructure. Such a campaign could reveal personal details about
the perpetrators, take down the ransom payment servers they are using to conduct operations,
seize their cryptocurrency wallets, and perhaps even introduce subtle bugs into their code
that enable victims to unlock their data without paying a ransom.
Whatever might be done against them, the ransomware gangs have been very active recently.
Security firm Positive Technologies wrote in their Threatscape report for the second quarter of 2021 out this morning that, quote, the number of ransomware attacks reached stratospheric levels,
accounting for 69% of all attacks involving malware.
End quote.
Industrial and governmental targets were especially favored,
and the retail sector saw a shift away from carding attacks to ransomware,
which Positive Technologies interprets as a sign
that the criminals are after a faster payout.
While the Russian underworld draws the most attention,
other criminal subcultures are, of course, to be found.
We heard yesterday about the Camorra-linked gangsters
Europol rounded up in Spain and Italy this week.
Today, Digital Shadows released a look at the Ukrainian cyber underworld.
A lot of the Ukrainian-language fora,
once well-known in the carding criminal
subsector, have gone out of business. So what are those hoods up to nowadays in Ukraine?
Apparently, they're concentrating on bulletproof hosting, where Ukraine-based is said to be a mark
of quality and security. There's also a lot of participation by Ukrainian speakers in Russophone chat rooms.
Digital Shadows describes the two languages as related but not mutually intelligible.
Others might dispute this claim about mutual intelligibility.
Our linguistics desk says that "maybe mutually intelligible but easily distinguishable" would be nearer the mark.
In any case, the Russians don't generally give their Ukrainian neighbors
a good welcome in their chats,
and they commonly ridicule the Ukrainian language,
dismissing it as not up to dealing with the nuances of coding and hacking.
It's like Heidegger pronouncing that philosophy could only be done in German or Greek,
French and especially English being not all the thing.
Still,
ethno-linguistic friction aside, Ukrainian hoods can bucket along in Russian criminal fora.
One advantage of working on the Russian side is that the Ukrainian government,
unlike the Russian security organs, isn't really in bed with the cybercriminals and cooperates with international partners in cyber law enforcement.
An audit by Lithuania's Defense Ministry of three Chinese-manufactured smartphones found security issues with two of them,
the Huawei P40 5G and the Xiaomi Mi 10T 5G.
The ministry recommended that users avoid the devices.
Quote,
Automated sending of messages and its concealment by means of software pose potential threats to the security of the devices and personal data.
In this way, without the user's knowledge,
device data can be collected and transmitted to remote servers.
End quote.
The Xiaomi phone had a particularly intrusive censorship mode,
The Record reports, which could detect and censor content based on keywords it found there.
Censorship mode could be enabled remotely without the user's knowledge or consent.
The audit found no security issues with the third device tested, the OnePlus 8T 5G.
And finally, Zscaler has observed a surge in scams surrounding the iPhone 13 launch.
As is so often the case, the grifter's come-on is a bogus cryptocurrency giveaway.
"Apple have allocated a total of 1,000 Bitcoin to be given away.
Learn how to participate, and don't miss out on your chance to get some."
It's always an advance fee scam. Deposit an amount in the proper wallet and you'll be repaid a big stack of altcoin. Of course, that never happens. And no, Apple isn't celebrating
the cryptocurrency markets and its new iPhone with an advance fee scam worthy of the widow
of a Nigerian prince.
The Biden administration recently convened a White House Cybersecurity Summit with participation from some of the big names in the online security world,
folks like Microsoft, Google, IBM, and NIST.
Kevin Jones is VP of Public Sector for Virsec,
developers of software runtime security products.
I checked in with him for reactions to the event.
Honestly, I was encouraged.
And the reason for that is because this public-private cooperation to solve this cyber problem is desperately needed.
And even if it didn't include the little guys like us, it included some of the big names in tech that candidly have an opportunity to right the ship.
So I think that this dialogue is imperative.
We can't turn the Queen Mary on a dime.
Neither can we solve this cyber crisis.
And that's exactly what it is, is a crisis overnight.
And so I think that's a really good step in the right direction.
There's been some criticism out there that perhaps this event was more symbolic than anything. Do you think that's a fair criticism? I think the criticism comes from the fact that
big companies were invited. And I wouldn't view it as being, let's just say for a moment that it was symbolic. The reality is that it churned a conversation that once again is desperately needed. So irrespective of whether or not we're critics or fans, we're talking. And that's candidly a big step.
So what do you suppose has to happen now? What would you like to see in terms of next steps?
I would like to see an approach towards just developing an entirely new mindset. I think that the security industry has just
overgrown itself and made things extraordinarily complex. We don't believe that that's necessary.
Virsec is taking a first principles approach to the problem, dissecting it down to
its most basic attributes and trying to readdress it from there. The challenge is that it's become
such a huge issue that there's even a language attached to cybersecurity. If you're, quote,
not in the business, you don't really understand all of these TLAs, the three-letter acronyms.
And we're doing ourselves a disservice by taking the conversation
to that point. I think this is a business problem that's desperate in terms of the need to solve it.
And we've overgrown the way that we solve this challenge. And so a new mindset, a reset,
if you will, a moonshot is really what needs to be injected into the conversation.
Well, let's touch on investment in regulation then. I mean, what's the degree to which you
think those dials should be turned? Regulation is certainly something that's being looked at,
very seriously by the government, because there's an awful lot of very big players out there
who've been lax in their approach to
cyber. And they would, of course, take issue with that statement. But it's difficult for us to deny
reality when it hits us in the face every day on the headlines. So I think the regulatory component
is important. I think the investment is important, but the investment also goes both ways. So one of
the outputs of this meeting, this summit, was, of course, that two very large companies stepped up and gave a combined total of
$30 billion into their protection of their own software. And they're also investing in smart
ways into universities so that we can develop and train a next generation of cyber professionals.
There's another that stepped in and is offering quite a bit of support towards
training younger folks and getting cyber workers into the workforce. I think these are great
measures, but I think so long as we take the same approach to cyber, and I view these as being
incremental, I don't believe that we'll solve the problem quickly unless we take a new paradigm, a new approach, if you will, again, a moonshot toward the problem.
So I think there's a lot of work to be done, and it's going to take a heck of a lot more than the federal government and big tech to do it.
How do you get folks past that transitional period? You know, it strikes me that changing to a first principles approach is,
I don't know, not unlike changing the oil while the engine is running.
Yeah, I don't think we can land this ship, this airplane in the ocean right now. That's where we
are. You know, we're kind of building the wings over the Atlantic. So I think you're right. You
can't, you know, you can't exactly just stop it. So how do you integrate this, not only philosophy, but this capability into existing workloads without disruption?
That's a key question. It's something that from our perspective, we've solved.
The way that we've done it is we've done enormous amount of testing.
So we did a lot of testing with certain areas within the Department of Defense and some civilian agencies as well,
just to solidify the efficacy of the approach and the capability as it relates to specifically software runtime protection.
That's Kevin Jones from Virsec.
And joining me once again is Caleb Barlow. He is the CEO at CynergisTek. Caleb,
it's always great to have you back. You know. You and I were recently talking about CMMC and some of the things when it comes to documentation that goes with that.
One of the things that we mentioned was how this sort of ties into the NIST cybersecurity framework.
And I wanted to use that as a launching point for our conversation today.
How does NIST play into this and how does CMMC sort of take it to the next level?
Okay, so I'm not going to get into government speak. You know, a lot of the audience here isn't coming from kind of the defense industrial base. But DIB suppliers for years have needed
to comply with various regulations that, you know, if you really look at the DNA,
are effectively extensions on top of the NIST Cybersecurity Framework, which
is pervasively used across the industry. And I think everybody really loves the NIST CSF because
it was developed by industry. Well, what the US government has done is they're stretching their
muscles using their procurement power to drive their suppliers, those that touch controlled unclassified
information, to take it to the next level.
And I think there's something that everybody ought to pay attention to in this. So first of all,
if the U.S. government, which has 300,000 suppliers, is going to require their folks to kind of step it up, all those suppliers are going to look at their suppliers and go, hey,
we're doing this. Why aren't you doing
this? And it's highly likely that this or some future variant of it probably gets passed on
down the road. And guess what? That's exactly what the U.S. government is trying to do.
Power to them, right? It's a great way to drive better cybersecurity defenses is to use their
purchasing power. Well, the cool part about this
is because its DNA is very much linked to those underpinnings coming from NIST, you know, if you're
using, let's say, the NIST CSF, ignore the fact that maybe you don't touch controlled unclassified
information. But let's start to dig into, can you up your game on documentation? Can you up your game
Can you up your game on how you assess it? And all of those things are things that the
CMMC starts to cover. So for example, you know, in the past, you might have asked questions like,
do you have multi-factor authentication, right? Well, you might have pen tested it to see if it
really works. You know, now you say, show me the policy that says I need to have multi-factor authentication.
And then show me what systems it's on by showing me the logs and attempting to log in.
So it's not only saying, okay, you know, hey, we have multi-factor authentication,
and a traditional assessment would say, oh, okay, check and move on.
You're saying, oh, prove it to me, okay?
Show me the exception list. Show me the onboarding policy for a new application that
shows how you add multi-factor authentication. Show me the budgeting process where you carve
out the budget for this and how you're maybe ramping that budget up over time.
Show me who's responsible. Show me who their backup is. So all of these policies
and procedures start to get more robust with CMMC. And here's the other cool thing.
Anything you inherit with CMMC, so let's say you've outsourced your IT to a cloud provider.
Well, you need to then inherit their policies and practices for what they run for you.
So think about how hard it is today with vendor security management.
You're using an outsourced security provider. What are your policies
and procedures? Oh, well, we talk about our SLAs. We don't share that.
Well, with CMMC, you have to. So it's a great
tool to not only up your own game, but to start thinking of your downstream suppliers and how you learn more about what they're doing and your expectations from them.
Let's say I am one of those downstream suppliers.
Is it in my best interest, dare I say, is it a competitive advantage for me to come back to my customers and say,
listen, we are doing this voluntarily.
We're being proactive about this.
We are adopting the things that go into CMMC, even though technically we might not have to,
but we feel this is going to make life easier for everybody by being on board,
and we're way ahead of our competition on this.
Is that a good way of thinking about it? Well, interestingly enough, that's the bet I'm making
with my own business, right? So, you know, we have two business units. We have Redspin and then we
have CynergisTek, which is more on the healthcare side. We only needed to do this for the Redspin
business because that's the part of our business that does government work. And when I started looking at it, our team said to me, we should be doing all this
anyway. Again, there's nothing in here that we didn't think
we weren't already doing. So we finally made a decision and said, you know what?
We're just going all in. We're going to do it across the entire business. Now, only one
portion of that needs to actually get assessed by the government.
But why not do it across the board? And it has already shown benefit
because all of our customers ask us,
hey, how do you handle this? How do you handle that? And rather than giving them some flimsy document
that's a little checklist of the things we do, like, here's the binder. Here's
how we do this. And we can pretty much guarantee you we follow
every step in the binder.
That has completely changed the conversation with our clients
because, oh, okay, you guys clearly have your act together.
By the way, can you help us do this kind of documentation
of what we're doing?
So yeah, I think it has a huge benefit.
And again, if you really think of the motivation
for the federal government in this,
they not only need to secure the defense industrial base, but this is a great way to change behavior across the private sector in a way that's a little more positive than driving down a required regulation over private companies.
Yeah.
All right.
Well, Caleb Barlow, thanks for joining us. And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of
the startup studios of DataTribe, where they're co-building the next generation of cybersecurity
teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karp,
Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Bilecki,
Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie. Thanks for listening.
We'll see you back here tomorrow.