CyberWire Daily - REvil operators arrested and indicted. China says a foreign intelligence service accessed passenger travel records. Suspected Emissary Panda campaign.
Episode Date: November 8, 2021
REvil operators arrested and indicted. China says a foreign intelligence service accessed passenger travel records. Suspected Emissary Panda campaign. Conti (sort of) apologizes. Caleb Barlow thinks it's time to re-think your security documentation. Our guest is Jessica Hetrick of Optiv Security on cyber fraud running rampant. And the FBI warns of ransomware attacks targeting casinos. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/215 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code n2k.
REvil operators are arrested and indicted.
China says a foreign intelligence service accessed passenger travel records.
Suspected Emissary Panda campaigns.
Conti apologizes. Sort of.
Caleb Barlow thinks it's time to rethink your security documentation.
Our guest is Jessica Hetrick of Optiv Security on cyber fraud running rampant.
And the FBI warns of ransomware attacks targeting casinos.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, November 8th, 2021.
The U.S. Justice Department this afternoon unsealed indictments against two operators of the REvil ransomware. U.S. Attorney General Merrick Garland said a Ukrainian developer and operator of REvil ransomware, Yaroslav Vasinskyi, was arrested in Poland in August and is expected to be extradited to the U.S. for prosecution. The Justice Department says Vasinskyi was involved in the July attack against IT management software provider Kaseya. The Justice Department has also seized $6.1 million worth of cryptocurrency belonging to another alleged REvil operator, a Russian national named Yevgeniy Polyanin. The Justice Department said Polyanin has carried out 3,000 ransomware attacks. Europol also announced today the arrest of two suspected REvil operators in Romania.
Europol stated, quote, On 4 November, Romanian authorities arrested two individuals suspected of cyberattacks deploying the Sodinokibi/REvil ransomware. They are allegedly responsible for 5,000 infections, which in total pocketed half a million euros in ransom payments. Since February 2021, law enforcement authorities have arrested three other affiliates of Sodinokibi/REvil and two suspects connected to GandCrab. These are some of the results of Operation GoldDust, which involved 17 countries, Europol, Eurojust, and Interpol. All of these arrests follow the joint international law enforcement efforts of identification, wiretapping, and seizure of some of the infrastructure used by the Sodinokibi/REvil ransomware family, which is seen as the successor of GandCrab.
Europol added, In October, one affiliate was arrested in Europe. Additionally, in February, April, and October 2021, authorities in South Korea arrested three affiliates involved in the GandCrab and Sodinokibi/REvil ransomware families, which had more than 1,500 victims. On 4 November, Kuwaiti authorities arrested another GandCrab affiliate, meaning a total of seven suspects linked to the two ransomware families have been arrested since February 2021. They are suspected of attacking about 7,000 victims in total.
China's Ministry of State Security, the MSS, says that an unnamed foreign intelligence service accessed passenger travel records in 2020, The Record reports.
The MSS said in a press release, After an in-depth investigation, it was confirmed that the attacks were carefully planned and secretly carried out by an overseas spy intelligence agency.
A public statement by the MSS about a cyber espionage incident is unusual.
Naming and shaming haven't been Chinese practice.
Naming and shaming represent, of course, a common Western practice, and over campaign itself is distinct from the efforts cited in CISA's alert. In the case Palo Alto describes, the payload installs a Godzilla web shell and in some cases an NGLite backdoor. They also detected deployment of an uncommon credential stealer, KdcSponge.
Unit 42 stated, quote, As early as September 17th, the actor leveraged leased infrastructure in the United States to scan hundreds of vulnerable organizations across the Internet. Subsequently, exploitation attempts began on September 22nd and likely continued into early October. During that window, the actor successfully compromised at least nine global entities across the technology, defense, healthcare, energy, and education industries.
Attribution remains preliminary and circumstantial, but Palo Alto Networks thinks the tactics, techniques, and procedures look a lot like those used by the Chinese espionage group Threat Group 3390, also known as APT27 or Emissary Panda.
The Conti gang who stole and dumped personal information from the upscale London jeweler Graff now says they're sorry. Not sorry in general, just sorry for stealing Arab royalty's personal data. They still intend to expose what they refer to as the U.S.-U.K.-E.U. neoliberal plutocracy. But Conti says, according to Vice, that, quote, our team apologizes to His Royal Highness Prince Mohammed bin Salman and any other members of the royal families whose names were mentioned in the publication for any inconvenience, end quote.
Bleeping Computer reports that the FBI has issued a private
industry notification warning of an uptick in ransomware attacks against tribal-owned casinos in the U.S.
Some of the ransomware gangs behind these attacks were REvil/Sodinokibi, BitPaymer, Ryuk, Conti, Snatch, and Cuba.
The FBI also notes that ransomware attacks have targeted tribal governments, health care, and emergency services providers and schools.
Bleeping Computer says the FBI cites limited cyber investigative capabilities and law enforcement resources as some of the reasons why these entities present attractive targets for ransomware actors.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
And now a message from BlackCloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with BlackCloak. Learn more at blackcloak.io.
We speak frequently of the Cyber Kill Chain, originally developed by Lockheed Martin and widely used across the cybersecurity industry as an effective way to enhance visibility into an attack and enrich an analyst's understanding of an adversary's tactics, techniques, and procedures. Now, a team at Optiv has used the Cyber Kill Chain as inspiration to come up with their own Cyber Fraud Kill Chain. Jessica Hetrick is Senior Manager of Cyber Strategy at Optiv, and she joins us to explain what sets it apart.
So the cyber fraud kill chain is actually spawned out of the cyber kill chain. And most organizations call it fraud. And typically, most organizations will have a cyber team and a fraud team, but not necessarily focused on cyber fraud together. Some of the more mature organizations that we're seeing do associate the two things together. And actually, fraud is equally as prevalent as ransomware. And the cyber fraud kill chain was originally developed by cyber incident responders who had to support basically the testing of an environment to understand the ways to potentially steal money from that organization. So think about it as in pen testing, right? So the organization had asked us to test these different ways to determine exactly what types of TTPs, tactics, techniques, and procedures an organization would have to defend against. So when the incident responders started to work through the process, they realized that there's not really a significant change necessarily in the TTPs leading up to execution on objectives, but that within a three-week period, almost 50 different ways of stealing money were identified through different various factors, right?
So the cyber fraud kill chain was developed out of an understanding that adversaries use the same types of recon activities, you know, such as social engineering, phishing on the front end, and gaining access to the environment.
Then they will look to circumvent controls to actually bypass the security tooling to gain access to targeted accounts or victim networks. They will, you know, whether that's brute force or using different default passwords, a dictionary attack, you can pretty much name it, from circumventing controls to gain access to the environment where they will try to do account takeover or account creation, third-party application exploitation, those types of activities before they execute and actually look to steal money.
And so the cyber fraud kill chain developed out of the identification and understanding that while adversaries may still use similar tactics, techniques, and procedures to the standard kill chain, there are also specific ones with specific motives. And so our goal in developing the cyber fraud kill chain was to not only understand how adversaries are executing fraud, but different ways that an organization could be at risk for fraud activities.
Can you share with us some of the things that are specific to the cyber fraud kill chain?
Sure. And some of those I have mentioned already, but I think some of the big ones, right, are going to be account takeovers, account creation or API connections. We've also seen third-party applications as different access and objective type activities. But then also there's going to be credit and debit approval. There could be home equity line loan grants, transfers. That's just examples, obviously, in one specific industry.
But the cyber fraud kill chain is meant to be a continuous evolving cycle where different organizations in different industries will experience fraud in different ways. And so, I mean, in today's threat landscape, when you're talking about why fraud is so prevalent, right, we're seeing COVID rapidly shift the needle on fraud and also the exposure that organizations can be exposed to. So in terms of the types of fraud, it's going to continuously evolve. I mean, e-commerce alone is shifting the needle on this drastically. And as different people think their banking is trustworthy, banks become more at risk to their environment. There's a whole new dichotomy. So this will be ever evolving. But our goal in the methodology that we set up is to span both proactive and reactive understandings of adversary activity against a specific client in a specific industry because they're going to see fraud in different ways to
other organizations.
You know, it strikes me that this could be an opportunity to kind of help bridge that gap between the security and fraud teams. Because the security team is going to be familiar with terminology like cyber kill chain, so you've already made them comfortable there.
Yeah, and I think part of the reason why the cyber fraud kill chain is named that way is because it is still a kill chain, right? It still does follow the process of the adversary within an environment, the different steps that the adversary might take, whether that be traditional TTPs or new ones, we still follow through what that kill chain might be from a cyber perspective, but with the intent of understanding the types of fraud that an environment might undertake. So our goal is to not just follow the adversary, but also help clients position themselves against that and reduce risk overall.
That's Jessica Hetrick from Optiv.
to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And I'm pleased to welcome back to the show our CyberWire contributor, Caleb Barlow.
Caleb, always great to have you back.
Let's talk about documentation today.
Security documentation is necessary, but is it fair to say it comes in various degrees of quality and completeness?
Okay, Dave, you just said, let's talk about security documentation. Most of the listeners just hit pause and said, all right, I'm done with this. Okay, no. Skip, skip, skip. Before you hit the skip button, let's have an honest conversation here and just call it the way it is. Your security documentation probably sucks. So let's just acknowledge it.
Okay. Go on, go on.
So what are we going to do about it?
Well, the first thing we've got to do is recognize what I call the volcano test. If one of your critical people falls in a volcano, is your security documentation good enough that other people can recreate the environment? And my guess is that it's probably not. So start there, look at your documentation later today, if you can find it, and let's kind of start that. Now, one of the first things we really want to recognize in security documentation is the difference between a policy and a procedure. A policy is, in simple terms, a high-level statement of management intent. So that might be something like, we are going to use multi-factor authentication on everything. A procedure is how you do that, how you implement and configure, let's say, Okta or whatever tool you're using to manage multi-factor.
Separate your processes and procedures because the two things are very different.
For one policy, you're going to have lots of procedures.
I guess I'm imagining that security professional who is overworked and underbudgeted.
And so this documentation is one of those things that is easy to put off.
How do you raise its priority?
Oh, is it ever easy to put off?
And the best way to raise its priority is to put ownership on it, right?
So all of these procedures and policies need an owner.
You know, an interesting thing happens when you give somebody ownership and the document is blank, right?
In that, hey, you better get something written down. And the good news here is there's lots of templates.
There's, you know, there's consultants that can help you with this.
But the reality is this isn't hard.
What's hard is keeping it up to date, Dave.
Mm-hmm.
Yeah, it just strikes me as that old notion about you're trying to change the oil while
the engine is running.
You know, things are in a fast-paced environment here, Caleb.
How can I possibly keep up with this?
Well, and here's what's going to happen when you don't have good documentation. The first thing that's going to happen, and I've been brought into these cases where, you know, maybe it's a lawsuit or it's a regulatory instance. The first thing that's going to happen is, Dave, show me your documentation. And, you know, when you go dust it off from the bottom drawer on your desk and you show me the documentation, the first thing I'm going to look at before I read anything is I'm going to go look at what is the update schedule on it. And when I see it hasn't been updated in two years, I'm going to go back and go, yeah, you don't really use this, do you? And you're going to kind of go, yeah, no, I probably don't. Right? So one of the big things you want to do is keep it up to date, log every change you ever make. Anytime you change anything, keep that log, because the difference is now when a regulator or in a lawsuit comes back and looks at it and goes, holy cow, they're updating this stuff.
Oh, well, they changed the system.
They updated it.
Somebody changed, you know, there was a turnover of an employee.
I see they've updated the new owner of the document.
I see they had a breach.
They learned something in the breach.
They updated the document.
Any regulator is going to look at that and go,
oh, these guys have got their act together.
This stuff is constantly kept fresh and updated.
And I have confidence that this is actually what they're doing.
Is this a situation where it's beneficial to have somebody to serve as that translation layer who can take those, you know, the technical changes and be able to put them into words that mere mortals can understand?
I think that's a part of it, but I also think there are some really good kind of frameworks and templates out there that can help people with this. One of my favorites, and people on the CyberWire have heard me say this a million times, I really like what people are doing with CMMC. Even if you're not a government supplier, the documentation requirements there are just super crisp. And look, my engineering brain just loves that because it breaks it down into very logical chunks that anybody can understand and you can start putting a template to it.
Hmm, all right.
Well, how do you get started here?
What's your recommendation for folks
to really get on top of this? and then just start the process of updating it. And just keep turning a crank. The best way to do this, in my mind, is a daily Agile scrum, where you just scrum as a team, you work through your documentation, you pick one up, you get all the right people on the call. Tomorrow, you go and review the updates, and you just keep working that documentation. And the next thing you know, it's a year later, and you're through it all. You've got nice, crisp documentation, and then guess what? It's time to start updating. And you just keep, it has got to be a nearly daily part of what you do.
Yeah, make it a habit.
That's right.
All right.
Well, Caleb Barlow, thanks for joining us.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security, Ha!
I join Jason and Brian on their show for a lively discussion of the latest security news every week. topics. That's at RecordedFuture.com/podcast. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Thanks for listening.
We'll see you back here tomorrow.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.