CyberWire Daily - Ransomware pays, in California. Kashmir utility recovers from cyberattack. Update on hacktivism vs. Ethiopia. Another misconfigured AWS account. Guilt and sentencing in high-profile cybercrime.
Episode Date: June 29, 2020
The University of California San Francisco pays Netwalker extortionists nearly a million and a half to recover its data. A Kashmir utility restores business systems after last week’s cyberattack. The website defacements in Ethiopia continue to look more like hacktivism than state-sponsored activity. Our own Rick Howard talks about wrapping up his first season of CSO Perspectives. Our guest is Sanjay Gupta from Mitek discussing how online marketplaces can balance security with biometrics. Data are exposed at an e-learning platform. Three prominent cyber-hoods go down in US Federal courts. And Lion says the beer is flowing, post ransomware. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/125 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
The University of California, San Francisco
pays NetWalker extortionists nearly a million and a half
to recover its data.
A Kashmir utility restores business systems after last week's cyber attack.
The website defacements in Ethiopia continue to look more like hacktivism than state-sponsored
activity.
Our very own Rick Howard talks about wrapping up his first season of CSO Perspectives.
Our guest is Sanjay Gupta from Mitek, discussing how online marketplaces can balance security with biometrics,
data are exposed at an e-learning platform, three prominent cyberhoods go down in U.S. federal courts,
and Lion says the beer is flowing post-ransomware.
From the CyberWire studios at DataTribe, I'm Elliot Peltzman in for Dave Bittner with your CyberWire summary for Monday, June 29th, 2020.
The University of California has decided to pay a gang that infected, quote, a limited number of servers at its University of California San Francisco unit with NetWalker ransomware, Computer Business Review reports.
The university said the encrypted data were, quote,
important to some of the academic work we pursue as a university serving the public good.
We therefore made the difficult decision to pay
for a tool to unlock the encrypted data and the return of the data they obtained.
End quote.
The public good claim appeared to suggest that COVID-19 research was impeded, but Bloomberg, which put the amount of
ransom paid at 1.4 million, says the university maintains its work on the virus was unimpeded.
The BBC has an account of the negotiations between UCSF and the gang, in which the extortionists explicitly
threatened to release stolen student information. There was an extended negotiation between the
criminals and the university. The initial demand was for $3 million, but UCSF succeeded in getting
the amount knocked down to $1.5 million, with the extortionists eventually settling for slightly
less than that. Payment, even post-negotiation, for the NetWalker operators was of course made in Bitcoin.
The university is working with the FBI and other law enforcement agencies on the case.
In India, business systems were affected by an unspecified cyber attack
against the Jammu and Kashmir Power Development Department,
but the Kashmir Observer says the utility is well on its way to recovery. The most prominent
of the affected systems had been the utility's bill-paying app, which was unavailable to
customers along with certain other online services. Power generation and distribution
were apparently unaffected in this incident.
In an update on last week's cyberattacks against Ethiopian targets,
prompted by an ongoing dispute between Cairo and Addis Ababa over Ethiopia's construction of a dam on the Blue Nile,
Quartz reports that there's still no sign of any connection
between the hacktivists and the Egyptian government.
The Grand Ethiopian Renaissance Dam, GERD, has been under construction since 2011.
Most of the attackers claim to be adherents of the Cyber Horus group.
Their activities have, for the most part, involved website defacements.
One of those affected the homepage of a regional police training center.
It threatened war for the Nile and uttered a pharaonic curse upon Ethiopians.
The hacker left messages on the homepage of an Ethiopian regional police force training center threatening war over the Nile and a pharaonic curse upon Ethiopians.
Most of the hacked websites included the pharaonic imprecation,
quote,
The pharaonic iconography is there in images the Cyber Horus group used to mark its victims' pages.
A skull wearing a pharaoh's headdress, two skeletal hands
clutching a knife and a sickle, crossed bones beneath it all. Imagine a Middle Kingdom version
of the talking skull on the Pirates of the Caribbean ride at Disneyland, the one that
chatters, dead men tell no tales, to distract you just before your boat drops down a flume,
and you'll get the effect. In any case, the UN is seeking to broker negotiations among the three involved countries,
Egypt, Ethiopia, and Sudan.
The hacktivism seems, in Quartz's view, to be having little effect, if any.
vpnMentor has discovered an exposed AWS database belonging to OneClass,
a Toronto-based e-learning platform widely used in Canada and the U.S.
vpnMentor says the database held 27 gigabytes of data totaling 8.9 million records and exposed over 1 million individual OneClass users.
OneClass, which secured the database upon notification, says the data were
on a test server and bore no relation to actual individuals. vpnMentor believes to the contrary
that the database did indeed hold information on students and lecturers. In the world of crime and
punishment, some fairly high-profile criminals received their sentences last week.
Sergei Medvedev, a Russian national and one of the leading figures of the Infraud Organization carding gang, known for their swaggering slogan, In Fraud We Trust, copped a guilty plea Friday in
the U.S. District Court for the District of Nevada to a charge of RICO conspiracy. Infraud did a lot of damage, the U.S. Justice Department says.
The gang inflicted actual losses of $568 million.
KrebsOnSecurity reported Saturday that Aleksei Burkov, formerly of St. Petersburg, Russia,
and one of the admitted bosses of Card Planet, got nine years from the U.S. District Court for the Eastern
District of Virginia. It's a stiff sentence for a guilty plea, which led some observers to speculate
that Mr. Burkov didn't give the prosecutors much. And one of the hoods who faced the music was an
American, Kenneth Currin Schuchman, who received 13 months in club fed from the U.S. District Court of the District of Alaska.
Mr. Schuchman was sentenced for his role in creating the Satori botnet,
one of the more troublesome successors of Mirai. And finally, the beer is flowing again from the
Lion Brewery to thirsty customers in Australia and New Zealand. Gizmodo says the beverage firm,
they also do juice and milk in addition to beer,
has restored operations after the ransomware attack it sustained earlier this month.
Some of the better-known brands the company produces include XXXX, Tooheys, Little Creatures,
and James Squire. Lion is a subsidiary of Japan's well-known Kirin. The attack Lion suffered was from the REvil gang,
which usually steals information as well as rendering it unavailable.
Lion said, in an update on the incident it issued late last week,
that it didn't think it had lost any data, but it was properly cautious.
To date, we still do not have any evidence of any data being removed.
As we indicated last week, it remains a real possibility that data held on our systems may be disclosed in the future.
Unfortunately, this is consistent with these types of ransomware attacks.
REvil has threatened, according to Security Affairs, to release stolen data.
Pay up, they told Lion. Quote, otherwise all your financial and personal information, your clients and other important confidential documents will
be published or put up for auction. End quote.
Our guest today is Sanjay Gupta, who is VP and Global Head of Product and Corporate Development at Mitek.
He sat down with Dave to discuss how online marketplaces can balance security with biometrics,
and also the unnerving practice of creating synthetic IDs.
Here's Sanjay.
I think people know there's been a lot of data breaches over the last few years.
There's probably hundreds of millions of records that exist out there.
But additionally, as people, you know, they die and their data is still available,
these fraudsters, they've kind of gotten onto this.
So in the previous days, the idea was called ghosting,
where you would just steal information from a recently deceased person
and maybe look at their bank account, et cetera.
But recently what's been happening is that they've been using
these individual social security numbers
and then tying it to the data that's been stolen to create synthetic IDs.
So they would basically take the social security number,
come up with a name, an address, use a date of birth.
And then with the recent technologies around deep fakes, you can also attach a photo to it.
And so all of that would be used to create, let's say, an ID.
And that ID would be used for very nefarious purposes.
And so what are your recommendations for folks to protect themselves against this?
So first of all, like if you, the second area where these fraudsters get social security numbers are from recently born kids. So, you know, you have a kid who's just got born.
They have a social security attached to it.
What I would recommend there is actually set up a bank account for these kids up front.
So as soon as they have a bank account, then they become part of the system. Whereas for recently deceased, you should really look at just filing all the
paperwork that are relevant and making sure that, you know, notifying all of the different
companies that may be utilizing that particular individual's assets. And for companies that are
trying to onboard individuals that look like fraudsters,
you typically want to ask for their ID to kind of look at. So at Mitek, what we do is,
you know, we have the capability of reading an identity card or driver's license and tell you
to a certain extent if it's fake or not, but then also asking for their selfie. And the selfie
brings two pieces of the puzzle.
The first one is we can actually check to see if the person is live at the time when they're enrolling for a new account.
But also after the selfie is taken, match the photo to the actual selfie that was just recently taken before you set up the account.
So those are kind of the things that I would recommend.
Now, what happens to the families of these deceased people who get their identities taken over?
Can the spending sprees of these crooks come back to haunt them?
So typically in the synthetic world,
now we're dealing strictly in the synthetic identities,
it's really a victimless crime because they've
taken stolen information from various disparate parties and even made some stuff up. So really,
the victims are going to be, first of all, you know, if you are a, let's say, just a recent grad
or an immigrant, then potentially you may be asked to provide extra documentation and or you may be
given a loan, but at a higher interest rate amount. Typically, these cases last, you know,
they're not done overnight. You're talking 12 to 15 to two years. So they're very craftily done
by, you know, very, very hardened criminals. And they're going to wait the long game
to kind of take advantage of this.
That's Sanjay Gupta from Mitek.
Calling all sellers.
Salesforce is hiring account executives
to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life. You'll be solving customer challenges faster with agents.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And I'm joined once again by Rick Howard. He is the CyberWire's chief analyst and chief security
officer, but more important than either of those things, he is the host of the CSO Perspectives podcast. Rick,
great to have you back. Thank you, sir. So you've had quite a season with CSO Perspectives and
you're wrapping up your first season of the show. How are you wrapping things up in a bow for your
listeners this week? Well, you know, it's been quite a ride. We really didn't know what this
thing was going to turn out to be. You know, we had some vague idea.
And most of the shows, or at least some of the first shows, started out as, you know, things that Rick was interested in.
Right. So it finally kind of focused down into trying to figure out what do I think is kind of a unified theory of information security using first principles.
And we've gone through a number of shows that talked about that.
We talked about zero trust.
We talked about intrusion kill chains, resilience,
DevSecOps, risk, and cyber threat intelligence.
This last episode, to summarize the season,
is going to hit those points at a high level
and talk about why we need a unified theory
as opposed to like maybe one of
the famous frameworks like the NIST cybersecurity framework, which by the way, I love, but it's not
really a unified theory. Well, it's an ambitious goal. Can you give us a little preview of what
you're aiming at here? Yeah, because, you know, the NIST framework is fantastic, by the way. Let
me just say that, okay? It's probably one of the best examples of a public-private research program.
NIST ran it, and then they brought in everybody from the academic community and from the commercial sector to figure out what everybody was doing in cybersecurity and to identify what the best practices were.
And it is a fantastic research document.
But the thing I'm going to point out in this show is, yes, it is a great example of what everybody is doing. But the question is, are those the things we should be doing?
Right. And I'm challenging that in this episode. All right. Can you give us a little sneak peek?
What sort of things are you going to recommend? Well, when we think about what's important, we try to get down to the essence of, you know, what we're trying to do for our program.
That's why we bring in first principles.
This idea of first principles has been around for, you know, a long, long time.
But even famous people like Elon Musk kind of use it to design their programs, right?
And the idea is, in order to build some big framework,
the thing you have to identify first is what are you trying to do? You need to find the atomic element of the thing you're trying to accomplish
and then build up from there.
And until you find that first principle,
it's very difficult to come up with a framework.
Now, don't get me wrong.
The NIST cybersecurity framework has all the elements
of a great InfoSec program.
If you try to manage that,
I think you will have a great program.
But what I'm trying to make sure
is that we don't have any inconsistencies, right?
There was a famous story back in the early 1900s.
The math community had a problem, okay?
You could get a different answer using the accepted best practices,
the accepted rules in the math community.
You can get a different answer.
They called it the Russell Paradox.
And these two British mathematicians wrote a huge book
to rebuild the math community from the ground up using first principles again.
So I'm trying to get at that in this last
episode. Yeah, it reminds me, wasn't there a thing back, I want to say back in the Pentium days,
the computers were like, depending on which processor you asked a particular math question
to, you might get a slightly different answer. Yeah, that's right. Because they were trying to
preload it. Yeah, I do remember that. It's like, oh, wait, maybe that's not precise enough.
Right. It's like the one thing we thought computers were good at, right?
Like a one thing.
Yeah.
Getting the same answer over and over again.
Oh, maybe that's, well, that's kind of what we're talking about here, right?
So how do you make sure the results you get in your InfoSec program is consistent?
Yeah.
All right.
Well, the show is CSO Perspectives.
Head on over to thecyberwire.com.
You can find out how to subscribe.
Rick Howard, as always, thanks for joining us.
Thank you, sir.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach
can keep your company safe and compliant.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris
Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. AI agents connect, prepare, and automate your data workflows, helping you gain insights,
receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo
is easy. Learn more at ai.domo.com. That's ai.domo.com.