CyberWire Daily - Record GDPR fine. Movements in the cyber underworld. FBI found to have overstepped surveillance authorities.
Episode Date: May 22, 2023
The EU fines Meta for transatlantic data transfers. FIN7 returns, bearing Cl0p ransomware. Python Package Index temporarily suspends new registrations due to a spike in malicious activity. Typosquatting and TurkoRAT. UNC3944 uses SIM swapping to gain access to Azure admin accounts. A Turla retrospective. Rick Howard tackles workforce development. Our guest is Andrew Peterson of Fastly to discuss the intricate challenges of secure software development. And the FBI was found overstepping its surveillance authorities. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/98

Selected reading.
Meta Fined $1.3 Billion Over Data Transfers to U.S. (Wall Street Journal)
Meta fined record $1.3 billion and ordered to stop sending European user data to US (AP News)
Notorious Cyber Gang FIN7 Returns With Cl0p Ransomware in New Wave of Attacks (The Hacker News)
Researchers tie FIN7 cybercrime family to Clop ransomware (The Record)
Cybercrime gang FIN7 returned and was spotted delivering Clop ransomware (Security Affairs)
PyPI new user and new project registrations temporarily suspended. (Python)
PyPI repository restored after temporarily suspending new activity (Computing)
RATs found hiding in the NPM attic (ReversingLabs)
Legitimate looking npm packages found hosting TurkoRat infostealer (CSO Online)
SIM Swapping and Abuse of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced Attack (Mandiant)
Mozilla Explains: SIM swapping (Mozilla)
The Underground History of Russia's Most Ingenious Hacker Group (WIRED)
Justice Department Announces Court-Authorized Disruption of Snake Malware Network Controlled by Russia's Federal Security Service (US Department of Justice)
Hunting Russian Intelligence "Snake" Malware (CISA)
FBI misused intelligence database in 278,000 searches, court says (Reuters)
FBI misused controversial surveillance tool to investigate Jan. 6 protesters (The Record)
FBI broke rules in scouring foreign intelligence on Jan. 6 riot, racial justice protests, court says (AP News)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The EU fines Meta for transatlantic data transfers.
FIN7 returns bearing Cl0p ransomware.
Python Package Index temporarily suspends new registrations due to a spike in malicious activity.
Typosquatting and TurkoRAT.
UNC3944 uses SIM swapping to gain access to Azure admin accounts.
A Turla retrospective.
Rick Howard tackles workforce development,
our guest is Andrew Peterson from Fastly
to discuss the intricate challenges
of secure software development,
and the FBI was found overstepping
its surveillance authorities.
I'm Dave Bittner with your CyberWire Intel briefing for Monday, May 22, 2023. The EU has levied a €1.2 billion fine against Facebook's corporate parent Meta, the AP reports.
Ireland's Data Protection Commission, which oversees the activities of U.S. companies in Europe on behalf of the EU, handed down the fine.
The commission judged there to be data transfers to U.S.-based systems that violated the EU's
General Data Protection Regulation. Meta calls the decision unjustified and says it will appeal.
For now, Facebook services in Europe remain uninterrupted. The Wall Street Journal notes
that the decision is likely
to place pressure on Washington to arrive at some middle ground with the EU over data practices that
would replace the defunct Safe Harbor Agreement. Meta has until October to comply with the
directives of the Commission. FIN7 has emerged from hibernation after an almost two-year bearish snooze.
The cybercrime gang has been seen deploying Cl0p ransomware, The Hacker News reports.
Microsoft observed the gang's activity in April of this year, tracking them under the moniker Sangria Tempest.
The hackers, active again for the first time since late 2021, were observed using a variety of tools to gain hold of victim systems before the deployment of the Cl0p ransomware, The Record reports.
The group had in previous years been seen targeting restaurants,
gambling, and the hospitality sector generally in the U.S., among a broad range of other victims.
Python Package Index, PyPI, temporarily disabled new user sign-up and new uploading on its platform
on Saturday due to a spike in malicious users and the malware they brought. PyPI writes
that these types of third-party supply chain attack vectors are becoming more common among
malware campaigns as they give threat actors access to more victims with less work. By attacking a
third-party site and embedding malicious software in seemingly legitimate code, the actors are able
to disseminate malware to would-be victims
with less need to launch a full-scale campaign. PyPI has not released any specific details
regarding this spike in malicious activity, but Computing reported this morning that the
organization had restored access to its platform. The cybersecurity community has noted an uptick in supply chain attacks.
The 3CX attack, in which threat actors corrupted updates to infiltrate various industries,
springs to mind. Another was reported last week by ReversingLabs, an attack in which threat
actors utilized typosquatting to convince developers to download their corrupted NodeCookie proxy agent,
which carried the TurkoRAT Trojan malware.
Typosquatting, as CSO Online explains,
works by publishing legitimate software embedded with malicious code
under a name that is only slightly varied from the original,
in hopes that it will be found when users are searching for the legitimate package.
The researchers explained that this package included a 100MB file which contained TurkoRAT, an info-stealer capable of credential harvesting with a built-in crypto wallet grabber.
This campaign seems to have affected a very small portion of the customer base,
as the malware was only downloaded 1,200 times, compared to the
legitimate version's 20 million downloads. A text-based phishing and SIM swapping campaign
has reeled in a victim. Researchers at Mandiant have tracked threat actor UNC3944 in its SIM
swapping campaign and infiltration of a Microsoft Azure administrator account.
SIM swapping, as explained by Mozilla, is a social engineering technique in which attackers pose as service providers
requesting identity verification for SIM card activation to gain PIN numbers,
the last four digits of a social security number or other sensitive information.
The criminals use the compromised accounts to gain initial access and begin building persistence and gathering
information. The attackers use a reverse SSH tunnel and utilize commercial off-the-shelf tools
to avoid security measures and maintain persistence. The FSB's Turla group recently saw a setback when the FBI and its international
partners took down some of the threat group's infrastructure. The takedown prompted a
retrospective in Wired, which covers some of Turla's most notorious operations. The recent
FBI-led action against infrastructure devoted to the distribution of Turla's Snake malware has been a blow to the FSB,
but as Wired points out, it would be unwise to count Turla out.
And finally, the search history of one U.S. federal agency
may be far more embarrassing than any of ours.
Reuters reports that a ruling Friday by the U.S. Foreign Intelligence Surveillance Court
finds that the Federal Bureau of Investigation improperly used a national database of foreign intelligence.
The outlet writes that the Bureau accessed the database 278,000 times over several years,
including on Americans suspected of crimes.
According to The Record, the FBI was found to have improperly searched
the communications of those who participated
in the January 6, 2021 riot at the U.S. Capitol,
as well as the 2020 protests against police brutality
following the death of George Floyd.
The AP writes that the violations include
improper searches of donors to a congressional campaign
and predate a series of corrective measures that started in the summer of 2021 and continued last year.
The data was accessible via the Foreign Intelligence Surveillance Act, that's FISA.
Congress is currently divided on how to move forward with reauthorization of Section 702 of that act,
which allows for U.S. intelligence agencies to conduct warrantless surveillance of non-U.S. citizens abroad.
The law is set to expire at the end of the year unless Congress reauthorizes it.
This finding may complicate reauthorization.
Coming up after the break,
Rick Howard tackles workforce development.
Our guest is Andrew Peterson of Fastly to discuss the intricate challenges
of secure software development.
Stay with us.
Andrew Peterson is co-founder of Signal Sciences, recently acquired by Fastly.
He's author of the book Cracking Security Misconceptions, where he advocates for ways to encourage non-security professionals
to participate in organizational security.
If I was to be a CISO and start a security group from the ground up,
which a lot of my peers and friends have gone through,
the question is, where would I start?
And how would I actually go about building out a program?
And it's pretty daunting to think about all those things.
Most websites are comprised, or mobile applications are comprised, of many, many, many, many, many lines of code.
And it only takes a couple of mistakes or bugs to potentially create some vulnerabilities in that
code, which essentially is just inevitable, right? Like if you're writing code, you have bugs in your
code. And so it's inevitable that some of those bugs might create and expose vulnerabilities into that code.
And so on the technical side of why this stuff is extremely hard is that you imagine you just try to do that to basically create perfect code.
Well, perfect code can't get created in the first place.
It's just not possible.
Second, most companies or organizations are trying to make more code,
as much as possible, in fact.
They're trying to add new features or new things or new ways to connect to their customers.
And most of the ways that they're trying to connect to their customers are over the internet.
The point is, there's tons and tons and tons of internet code
that's getting created.
And as a security professional, try to keep up with that
and just try to secure all of it.
Inherently, as a technical problem,
it's incredibly hard.
How do you recommend folks come at that?
I mean, is it a matter of prioritization?
Like you said,
I mean, the notion itself can be overwhelming,
and yet it needs to be done.
You're building a security program.
You're thinking about where you're investing your time.
I think people invest their time in the areas where they feel like they can make progress
easily, and or the areas where
they understand it, and they understand how to secure things.
I think most security teams and security
professionals have defaulted to those two things.
Where can I make progress easily?
And where are the areas of the security stack that I am familiar with and know?
And so therein lies some of the logistical problems, I think, that security professionals face when it comes to protecting code and protecting websites is that most security
professionals' background is not as a developer.
Most security professionals' background does not have
a deep, deep, deep depth in coding.
And then that covers the
what they're familiar with part.
And so they may just by default not be defaulting to working on those problems first or spending as much time in those areas.
And then the second thing that, you know, a lot of security folks talk about this, and it is not necessarily always front and center in the conversation.
But most of the time, development teams and security teams don't necessarily get along well. And so you have this aspect of that
job where, can I make progress quickly on solving a problem area of security? The answer to that,
if you're trying to think about protecting websites, is typically no. There's a bunch of
reasons for this, but the shorthand
version of this is that security people
tend to try to make development
teams and their lives
harder by creating
either
testing frameworks or let's just
call it hoops that they have to jump through
to be able to get their code
out live or they
file a bunch of bugs against the code that is
live that the developers then go need to fix. And that is really for potential problems and
not necessarily ones that the developers may believe are actual problems or actual threats
against the organization. So when you sort of put all those things together, I think that like protecting code and protecting, especially even production websites has, I wouldn't say it's gone to the wayside, but it just moves down in priority in terms of where security folks are spending their time.
And again, that's either for lack of familiarity, for hard to get things done, or just for the, you know, for the sheer
problems that they're up against. So Dave, getting back to your question of like, well,
okay, so that's all the bad parts. Like what are the, like, let's shed some light on some of the
good parts. When I started Signal Sciences, and then, you know, we've combined forces with Fastly a couple of years ago.
The vision of why we started it in the first place is because we were on the other side of this. We
were in-house and we were trying to build secure code at scale at a big online retail company
called Etsy. And we'd sort of realized that there were some real problems, both logistically and technically.
And we said, look, the only way that we're really going to make their lives harder and what's going to make
their lives easier to be able to integrate security into their day-to-day practices?
And so when I talk to security professionals today and ask them what are the tools that
they're looking to try to use and adopt and bring into their teams, I think usability is extremely high
on the list of attributes that they're looking for in tools,
way more so than efficacy.
Usability and then,
this is kind of a weird word,
I don't even know what the word,
but installability, right?
Like the ability to actually get something up and running
in their environment easily.
So this concept of ease of use and ease of,
or sort of fast time to value, I think is probably the most important thing that,
and these are things that we certainly focus on.
And these are part of why I think we've been able to have success with our
customers and helping them protect their websites, protect the internet,
is because we've tried to make using it
and adopting it and installing it easy.
Don't make them learn another tool.
Meet them where they're at with their own tool set.
So instead of literally,
this will be kind of a down in the weeds thing,
but a practical piece of this is to say, where are developers looking for data on the production systems that they're working on or on the code systems they're working on?
Great.
Security tools should be integrating into that thing that they're working into.
Instead of saying, you know, hey, developer, here's a new tool that you need to learn and go log into
and create a login for and add this to your process. Nope. You got to take it to them.
You can't expect them to come to you. That's Andrew Peterson. He's co-founder
of Signal Sciences, which was recently acquired by Fastly. And it is my pleasure to welcome back to the show Rick Howard.
He is the CyberWire's Chief Security Officer and also our Chief Analyst and the host of the CSO Perspectives podcast.
Rick, we have the madness of the RSA conference behind us, and I'm assuming since you trotted into the studio here and sat down at the table right across from me that this can only mean
one thing, which is the next season of CSO Perspectives is on the launch pad.
It is indeed, my friend. We have successfully moved the interns from our alternate Sanctum Sanctorum studios,
underwater, by the way, below the San Francisco Bay Bridge,
and back to their home in Baltimore Harbor, right,
where they have been busy putting the last bits of varnish and paint for season 13 of the podcast.
Well, before we get to our podcast today,
first, I want to congratulate you
on publishing your new book
while we were at the conference.
For our listeners,
can you share the title with us again?
It's called Cybersecurity First Principles,
a Reboot of Strategy and Tactics.
I'm hoping that you can share the story
about your wife and daughter
and their adventures in the RSA bookstore.
week and I did the RSA conference and they did the tourist thing. And they are not cyber people at all and have never attended a conference before. But when they heard that I debuted my book at the
conference bookstore, without telling me beforehand, they social engineered their way past the security
guards, found their way to the bookstore and made fools of themselves telling customers to buy my
book. And I couldn't be more proud. I love this story. I absolutely love this story.
Worth mentioning, too, that your book sold out.
But before your book signing, the book sold out.
It so did. Yeah, it was a little disappointing.
People came by and, I don't have a book for you.
So we'll try to make up for that on the back end, I guess.
All right. Well, today you are telling us about the first episode
of the new CSO Perspective season over on the CyberWire Pro side of the house.
What do you have in store for us this season?
So on this first episode, we're talking about workforce development and trying to close that 3.2 million and growing gap that exists today of open cybersecurity jobs that we can't seem to fill.
And I realized that if you run the idea of training and hiring your staff through the lens of first principles, you discover that we as an InfoSec community haven't found the
essence of the problem yet. What do you mean by that? Well, the community has known about this
growing gap for over a decade now, and we've continued to see the gap grow. And yet we haven't
changed how we hire and train as if, you know, we expect that somehow we'll solve this problem by doing the same things over and over again that caused the problems in the first place.
Well, what is the first principle here that'll help us close this gap?
Well, from my perspective, the InfoSec community is enamored with hiring those superstars.
You know the ones, Dave.
Somebody with 25 years of experience, a technician with 17 certifications, and an employee willing to work for $1.50 an hour.
You know, no wonder we can't find anybody.
Right, right.
So, when the organization trains its own people, leadership is usually all for it, but we send the individual.
You know, we pay upwards of, say, $3,000 or so for an employee to attend a class or a conference to get up to speed
on some new thing, most times we ask the individual what he or she wants to learn, not as a training
task, but as a perk for being part of the organization. And it occurred to me, we don't
really have a team training strategy at all. We focus on the individual, and that's kind of
counterproductive when you think about it. We shouldn't be thinking about hiring superstars.
We should be thinking instead about buying down risk
by building an InfoSec team in the aggregate
that can pursue our first principle strategies.
So in other words, not one person that knows it all,
but a team that can do it together.
Hmm.
You know what this reminds me of?
It reminds me of one of my favorite movies, which is Moneyball.
Oh, yeah.
Brad Pitt and Jonah Hill came out, oh gosh, 2011, something like that. But based on the same, the book written by Michael Lewis, I mean, is that the kind of thing that we're talking about here?
It is so Moneyball, Dave. I completely think that's what it is.
So if you're not familiar with the story, you should go watch the movie.
It is fantastic.
The Oakland A's decided they couldn't afford to buy superstars anymore.
And they did a first principle analysis of how to win Major League Baseball games and decided that the most important stat to base a team on was on-base percentage.
You get on base and you earn runs and then you win games.
And what I'm talking about in
this CSO Perspectives episode is how do you deploy the money ball idea to the cybersecurity workforce
development plan. All right. Well, that, ladies and gentlemen, is what we in the business call a tease.
So I know I'm looking forward to checking out the episode. Rick Howard, thanks so much for joining us. Thank you, sir.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment.
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights
that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The
Cyber Wire are part of the daily intelligence routine of many of the most influential leaders
and operators in the public and private sector, as well as the critical security teams supporting
the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment,
your people.
We make you smarter about your team
while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Ervin
and senior producer Jennifer Iben.
Our mixer is Trey Hester, with original music by Elliot Peltzman.
The show was written by Rachel Gelfand. Our executive editor is Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.