CyberWire Daily - Ransomware, third-party risk, cyberespionage, social engineering, and a software supply-chain threat.
Episode Date: December 7, 2022
Rackspace reacts to ransomware. Third-party incidents in New Zealand and the Netherlands. Russian intelligence goes phishing. Mustang Panda uses Russia's war as phishbait. A malicious package is found in PyPI. Kevin Magee from Microsoft Canada shares thoughts on cybersecurity startups in an economic downturn. Our guest is IDology's Christina Luttrell to discuss how consumers feel about digital identity, fraud, security and data privacy. And a French-speaking investment scam.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/233
Selected reading.
Rackspace Technology Hosted Exchange Environment Update (Rackspace Technology)
Multiple government departments in New Zealand affected by ransomware attack on IT provider (The Record by Recorded Future)
Antwerp's city services down after hackers attack digital partner (BleepingComputer)
Russian hacking group spoofed Microsoft login page of US military supplier: report (The Record by Recorded Future)
Mustang Panda Uses the Russian-Ukrainian War to Attack Europe and Asia Pacific Targets (BlackBerry)
Inside the Face-Off Between Russia and a Small Internet Access Firm (New York Times)
Apiiro's AI engine detected a software supply chain attack in PyPI (Apiiro | Cloud-Native Application Security)
Anatomizing CryptosLabs: a scam syndicate targeting French-speaking Europe for years (Group-IB)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Rackspace reacts to ransomware.
Third-party incidents in New Zealand and the Netherlands.
Russian intelligence goes phishing.
Mustang Panda uses Russia's war as phishbait.
A malicious package is found in PyPI.
Kevin Magee from Microsoft Canada shares thoughts on cybersecurity startups in an economic downturn.
Our guest is IDology's Christina Luttrell to discuss how consumers feel about digital identity, fraud, security, and data privacy.
And a French-speaking investment scam.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, December 7th, 2022.
Rackspace yesterday disclosed that the incident it sustained late last week was in fact a ransomware attack. The attack disrupted the company's Hosted Exchange environment.
Rackspace continues to investigate what, if any, data may have been compromised.
Arti Raman, CEO and founder of Titaniam, emailed us about the incident.
She wrote,
This latest targeted ransomware attack on a managed cloud computing company
demonstrates the immense impact these incidents can have on business success and uptime.
It's also a critical reminder that even the most technical organizations can eventually fall victim.
It can truly happen to anyone and any company.
Which ransomware strain was found or which gang was involved in the attack,
Rackspace isn't saying.
Its investigation is still in progress
and on its website it reassures customers
that it will notify them at once
if any customer data is found to have been compromised.
Other third-party risks are being reported.
RNZ reports that New Zealand's Ministry of Justice and Privacy Commissioner are investigating an attack against Mercury IT, a third-party IT services provider.
The incident, thought to be a ransomware attack, has affected access to data collected and used by a range of healthcare organizations in that country.
Te Whatu Ora, the Maori name taken by the Health New Zealand government agency, has disclosed that a cybersecurity incident affecting an IT service provider has impacted access to some Te Whatu Ora data relating to bereavement and cardiac services.
The data doesn't appear, the agency says, to have been compromised, but they have been rendered at least temporarily inaccessible.
The Privacy Commissioner became aware of the incident on November 30th, and authorities continue to work on determining the scope of the problem.
Some in New Zealand, however, are comparing the incident to the cyber attack against Australia's Medibank.
The bereavement services mentioned in the disclosure refer to data from coroner's reports and autopsies having become unavailable, which somehow strikes us as a particularly petty and loathsome act on the criminals' parts.
It's a further reminder, should any more be needed, that the cyber underworld is pretty short on Robin Hoods.
Bleeping Computer, citing sources in the Dutch press,
reports that the Netherlands city of Antwerp is grappling with IT service outages that began Monday with a cyber attack believed to be ransomware against Digipolis,
an IT provider that serves the city. There's no publicly available timeline for restoration of
normal operations. In the meantime, many services, especially healthcare, have reverted to manual
backups. It's also not publicly known what ransomware group is behind this attack.
Bleeping Computer, however, notes that Ragnar Locker last week dumped a large amount of data
taken from a local police unit located in the province of Antwerp. It's unclear whether that
earlier incident is related to the widespread outages now being reported in Antwerp itself.
The Record reports that a threat actor
with links to Russia is running phishing campaigns impersonating U.S. defense, aerospace, and
logistics companies. Recorded Future's Insikt Group tracks the activity as TAG-53 and sees its operation as overlapping a threat actor other researchers follow as the Callisto Group, Cold River, and, by Microsoft, Seaborgium.
One of the threat actor's principal goals appears to be credential harvesting.
Recorded Future isn't sure if the impersonated entities are the specific targets of the operation, but the researchers note that most of these organizations share a focus around industrial verticals that would likely be of interest to Russia-nexus threat groups,
especially in light of the war in Ukraine. The companies being impersonated include U.S. firm
Global Ordnance, Polish defense company UMO Poland, the not-for-profit Commission for International Justice and
Accountability, U.S.-based satellite communications company Blue Sky Network, logistics company DT
DTGruelle, and Russia's Ministry of Internal Affairs. Microsoft's research into and disruption of Seaborgium back in August concluded that the group's principal targets were NATO governments, military organizations, and think tanks, with Ukrainian organizations representing secondary targets.
Seaborgium has been associated with Russia's SVR foreign intelligence service and particularly with SVR disinformation efforts.
In full disclosure, by the way, we note that Microsoft is a CyberWire partner.
Chinese government cyber espionage actor Mustang Panda
has been using documents with a Ukrainian war theme as lures
in a phishing campaign actively prospecting targets
in Europe, the Middle East, Africa, South and East Asia,
and Latin America, BlackBerry reports.
The sectors the threat group seems most interested in include mining, education, telecoms,
financial, CDN companies, internet service providers, internet security firms, and web hosting companies.
BlackBerry characterizes the phishbait as well thought out. The payload is usually a version of PlugX, sometimes with minor changes intended to help the malware evade detection.
Proton, best known for its secure email service, also offers a range of privacy-enhancing access solutions, including VPNs, and the company has drawn unusually close attention from Russian
censors who regard it as a threat to their ability to control the Russian population's
access to unfiltered information. The measures taken against Proton by Moscow's security organs
run from blocking to the troll posting of negative reviews of Proton's services.
The New York Times has an account of
the back and forth between Proton and the Kremlin, as the Swiss company works to keep its service
accessible to Russian users. It's interesting both as a specific case of the familiar offensive-defensive seesaw that marks conflict generally, and as a study in how a particular and not very large company can come
to be perceived as a direct enemy of a state. The cloud-native application security firm Apiiro this morning reported finding a malicious package in the PyPI package manager.
It's appeared in several GitHub repositories and represents a software supply chain threat.
Apiiro said in their report, the adversary targets mainly Windows users.
It intended to grab registry secret keys and passwords in order to leak them to the adversarial entity.
Full details on the incident, clearly malicious contamination of the supply chain, are available on Apiiro's website.
Finally, security shop Group-IB reported today on a long-running fraud afflicting victims in most of Europe's francophone countries, Belgium, Luxembourg, and of course, France itself.
The criminal group, called CryptosLabs, has been running an investment scam since 2018 at least. Group-IB summarizes the gang's operation as follows.
CryptosLabs is a well-organized illicit business that has a hierarchy of kingpins, sales agents, developers, and call center operations that collectively could have earned as much as 480 million euros since its launch, according to Group-IB's rough estimates.
Group-IB was able to trace down a complex network infrastructure of over 300 scam domains hosted on 70 servers and the gang's major weapon, CryptosLabs' scam kit.
To lure the victim onto fake investment portals, the scammers have been impersonating 40 popular European brands from the banking, fintech, crypto, and asset management industries.
It's a standard but unusually well put together social engineering operation, and Group-IB offers some sound advice that applies in this case and elsewhere.
Stay vigilant. Verify the source. Think twice before you pay.
Particularly important.
And finally, for heaven's sake,
if you become a victim,
tell law enforcement
and don't be shy about warning others.
Coming up after the break,
Kevin Magee from Microsoft
shares thoughts on cybersecurity startups
in an economic downturn.
Our guest is IDology's Christina Luttrell
to discuss how consumers feel
about digital identity, fraud, security,
and data privacy.
Stay with us. Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Americas, and their identity verification company, IDology, recently released their fifth annual Consumer Digital Identity Study. Christina Luttrell joins us with insights from
the report. Consumers are becoming more educated around the issues of fraud. I think there still
needs to be a lot more education put out there, just given by the number of phishing schemes that are still going
on and the rise of account takeover. But I do think that consumers are becoming much more educated
around what it means to protect their identity and their data and how not to fall prey to some
of these fraud schemes that are out there that are preying on individuals
today. What do you suppose is driving that trend of awareness? Is it just that we're seeing it show
up in the news cycle more? What do you think is going on there? I do. I think that, you know,
looking back over the past couple of years with the beginning of the pandemic and so many people
having basically forced so many more people
to go online to transact in a digital manner where they weren't really doing that in the past. And so
that really pushed consumers into the digital world, accelerated that. And so with that came
more fraud, higher levels of fraud. And then, of course, like you mentioned, there was
more attention brought to that. You know, it seems to me that for a long time,
organizations, retailers, the companies that people interact with every day online,
they were reticent to put in a lot of security techniques because they were afraid of increasing
friction and taking away convenience and seeing
that consumers really prioritized convenience. Have we seen a shift there? Are people starting
to adjust that balance of security versus convenience? They are. They really are. I mean,
it is still a bit of a delicate balance, but when we look at the data from our report, 68% of consumers that responded to our survey say that they now prioritize security over ease of onboarding.
So that, you know, that is a stark contrast to what we've seen in the past where it was,
you know, if it's not easy, I'm not going to do it. Now, consumers are placing a
higher level of responsibility on businesses to make sure that they are using some sort of strong
verification in a very secure onboarding process when they want to provide that company with their
data. You know, it is, but like I said, it is a balancing act because they want it to be seamless,
kind of easy to get through, but they're still expecting that businesses are going to put them
through a secure process as well. Based on the information that you all have gathered here,
what are your recommendations for the folks who are providing these services,
who have to interact with these consumers and provide them with a satisfactory experience?
Yeah, so I think, you know, at the end of the day, we're all consumers, right? So,
I kind of think about what I would want to go through when I'm signing up for a new service,
a bank account or, you know, P2P or anything where I'm
having to provide some information. First off, how is my information being used? So I think
businesses can do, businesses that do really well are businesses that are very transparent with
why they're collecting information from you, your personal data and what they're going to do with
that data and then how they're going to store that data if they're going to store that data. So being very transparent up front, hi, we need this
information. It's for regulatory purposes or KYC. We need to make sure that you are who you claim
to be, right? So being very transparent about why you're asking for this data. And then what are you
going to do with that data, right? We're going to use it for sanctions checks, or we're going to use it for identity verification,
or we're going to use it for step-up verification, right?
Helping the consumer really understand how their data is going to be used.
And then if you're going to store that data, how are you protecting that data?
If you're going to keep that on that consumer.
And really being transparent with the consumer, hey, we're encrypting this data at rest,
and here's our encryption policy.
Just things that let the consumer know
that their information is going to be protected.
I think that's really important.
That's important for me
when I provide my information to any company.
I want to know what are you doing with it
and how are you going to protect this information?
I think also in terms of having an easy onboarding process, you really want to make sure that it's as friction-free as possible, right?
So having consumers come in and provide you that information and only applying friction when it's absolutely needed, right?
So having some layers of verification to where, you know, maybe there's something a little bit suspicious about this consumer's data or where they might be coming from their device. And so we're going to apply
a little friction through some step of authentication, maybe ask them to present
a picture of their driver's license on their mobile device or on the web, right? So there's
some things that can be done there in having a really customizable solution that allows the business to say,
okay, you're good, come on in, the door is open, or you need to go into a waiting period because we need to verify some additional information.
Applying those layers of verification, I think, really provide for a much better and more user-friendly process for consumers.
That's Christina Luttrell from GBG Americas.
And I'm pleased to be joined once again by Kevin Magee.
He is the Chief Security Officer at Microsoft Canada.
Kevin, it's always great to welcome you back.
You know, we're seeing some volatility in the economy here
and seeing reports of even cybersecurity companies having layoffs and things like that.
I'm curious on your take on this.
I mean, if I'm a startup trying to take my place
in the industry here, how am I doing timing-wise?
Thanks for having me back, Dave.
I am having sort of flashbacks of the dot-com bubble burst.
Now, having been an entrepreneur during that stage of my life
and having been running a startup
when that happened at the time.
So years of reflection have given me, I think, some wisdom in this area, at least I hope.
But in my spare time, I also work with the Toronto Metropolitan University as an entrepreneur in residence and work with a lot of startups.
So they're looking for some advice to some of us that have survived and were veterans of the dot-com crash.
So I will say I'm not an economist. I'm not a financial expert. I've just
took a lot of hard knocks on the dot-com when it burst the bubble, and I'm hoping to share some of
my thoughts and ideas with the startup founders of today. What are some of the things that you're
sharing with them? Well, I think the root of the problem is that global inflation has spiked,
and that's really making it difficult for future valuations.
Growth companies are based on future sales or future valuations.
And as inflation erodes those future valuations, it becomes more difficult to hit that unicorn status.
So to make a $1 billion U.S. unicorn status, you might be needing to demonstrate now $200 million in revenue.
The days of 35 times earnings valuations are probably gone.
It might be more like eight now. Again, I'm not a financial expert, but this is the sort of thing
that I'm seeing. So venture markets are taking their cues from the public markets and they're
waiting clarity, which means they're slowing down, which means that it may be more difficult for
startups to raise funds and they might have to pivot how they're building their business right now to be successful.
But it also represents a number of huge opportunities,
these downturns or these slowdowns in the market for startups to capitalize if they do things right.
And how can they take advantage of those opportunities?
I mean, how do they best position themselves?
Well, one thing, fundraising is much harder. So they need to be open to lower valuations.
But it's also a chance to look at expanding your runway,
building that cash reserve or whatnot,
maybe focusing on 2x growth instead of 10x growth,
tempering the growth to build a stronger revenue-based business.
Freezing your cost structure may allow you to avoid layoffs
and slowing down hiring may do something similar. But if you think
about it, some of the greatest tech companies in the world were founded during recessions or
downturns. Bill and Dave founded Hewlett Packard and arguably Silicon Valley during the Great
Recession. As everything becomes harder in raising cash, some things become easier. There's more
talent available. You can refocus on the fundamentals
to build a stronger business
instead of chasing valuations.
And let's face it, in cybersecurity,
we have a unique perspective.
We're not building pets.com, the startups of today.
They're building real businesses
that solve real business problems
that aren't going away.
So I think there's a different feel this time
than the dot-com bubble,
which was more sort of creativity
unleashed on the internet. The startups today are solving real business problems. And if they can
weather the storm, we'll likely come out much stronger. What's your advice for that startup
who's looking to set themselves apart from the other folks who are hoping to catch the attention of some of those venture capitalists?
I think it's really, and I've always focused on fundamentals. Are you building a real product,
not looking for an exit? Are you building a revenue stream? Are you proving value? Are you
making money? Are you asking for money for your proof of concepts and your pilots? Are you getting
value in exchange for value?
If people won't pay for your product, it's probably not quite ready or whatnot.
So moving to revenue as a way to fund your growth as opposed to large raises can be a much greater approach.
Also, just really focusing on problems that are unique to the market, that are innovative, not the Me Too type problems, that can really make a difference in how segments of the market that are untouched.
I think the small business market is a huge opportunity.
Most startups seem to focus on enterprise, where there's a lot of noise and competition as well, too. So I think that there are tons of opportunities out there. Slowing down, addressing your product, addressing your structure, and addressing where
you're targeting the market is a great opportunity that this downturn or recession is going to
provide. All right. Well, interesting insights. Kevin Magee, thanks for joining us. Thanks, Dave.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is a production of N2K Networks,
proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White, Jim Hochheit, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, Simone Petrella, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your
Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.