CyberWire Daily - Saboteurs trying to look like crooks? CISA on the USAID phishing incident. US receives criticism for alleged surveillance of allies. Epsilon Red is out. No weed, just alt-coin.
Episode Date: June 1, 2021
Iran's wiper attacks may have been posing as criminal gang capers. CISA issues an alert on the USAID Constant Contact credential compromise. European governments express concern over reports of US surveillance (enabled, allegedly, by Danish organizations). Epsilon Red ransomware is out and active. Ben Yelin looks at Florida Governor DeSantis' bill aimed at social media companies. Our guest is Giovanni Vigna from VMware with highlights from their 2020 Threat Landscape Report. And police come looking for cannabis farming and find coin-mining rigs instead. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/104
Transcript
You're listening to the CyberWire Network, powered by N2K.
Iran's wiper attacks may have been posing as criminal gang capers.
CISA issues an alert on the USAID constant contact credential compromise.
European governments express concern over reports of U.S. surveillance
enabled allegedly by Danish organizations.
Epsilon Red ransomware is out and active.
Ben Yelin looks at Florida Governor DeSantis' bill aimed at social media companies.
Our guest is Giovanni Vigna from VMware,
with highlights from their 2020 threat landscape report.
And police come looking for cannabis farming and find coin mining rigs instead.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 1st, 2021.
The Iranian wiper, described last week by SentinelOne,
posed as ransomware in a campaign against Israeli targets.
It's recently acquired genuine ransomware capabilities.
Wired has an overview of the campaign, and CPO Magazine notes that one motivation for the imposture is false flagging.
Tehran's operators appear to have wished to be taken for
a Russian ransomware gang. On Friday, CISA issued an alert on the spear phishing incident in which
USAID credentials for the email service Constant Contact were abused to send targeted
phishing emails to a range of victims. Microsoft last week attributed the campaign to the Russian threat actor Nobelium,
but CISA's alert is noteworthy
for specifically declining to offer attribution.
It was updated Saturday to read,
CISA and FBI acknowledge open source reporting
attributing the activity discussed in the report to APT29,
also known as Nobelium, the Dukes, and Cozy Bear.
However, CISA and FBI are investigating this activity
and have not attributed it to any threat actor at this time.
They'll provide updates as their investigation proceeds.
The incident is still to be taken seriously, and CISA has advice on defense,
but official attribution will
have to wait. The White House has said that for the most part, U.S. federal agencies successfully
avoided infestation by the phishing campaign, and U.S. President Biden says that his upcoming summit
with Russia's President Putin will take place as scheduled. That said, industry has been much quicker in attributing the activity to Russian intelligence services,
specifically to the SVR, and has shown little disposition to back off that attribution.
Foreign Policy writes that one lesson to draw is that deterrence hasn't so far worked in cyberspace.
The Journal writes, quote, the latest Nobelium attack, whether it
amounts to a significant breach of U.S. government cyber infrastructure or not, shows that Russia has
not been deterred by waves of retaliatory U.S. and European sanctions over previous attacks.
It also represents the latest example of authoritarian regimes turning to hacking
groups to target their rivals abroad,
whether foreign governments or human rights advocates, end quote. And the U.S. administration
has come under foreseeable pressure to ratchet up the pressure on Moscow, but it doesn't appear
that the campaign necessarily represents an escalation in cyber espionage. As an essay in
Wired puts it, it's not that the SolarWinds hackers are back,
it's that they never really left.
Over the weekend, European journalists published results
of an investigation linking U.S. intelligence services
to Danish organizations believed to have cooperated
in enabling U.S. surveillance of targets
in Germany, France, Sweden, and Norway
between 2012 and 2014. The Washington Post reports that France's President Macron says that that's no
way to treat an ally. The AP records similar reactions from other European governments
to the Obama-era snooping. Researchers at Sophos report finding a new ransomware strain in the wild.
They call it Epsilon Red. The malware is written in Go, and it was delivered as the final executable
payload in a hand-controlled attack against a target in the U.S. hospitality sector. Sophos
said, quote, it appears that an enterprise Microsoft Exchange server was the initial point of entry by the attackers into the enterprise network.
It isn't clear whether this was enabled by the ProxyLogon exploit or another vulnerability,
but it seems likely the root cause was an unpatched server.
From that machine, the attackers used WMI to install other software onto machines inside the network that they could reach
from the Exchange server, end quote. Why Epsilon Red? Sophos shares the etymology, which may be
news for anyone not fully up to date with the Marvel universe. In this case, the name comes
from the threat actors themselves. Quote, the name Epsilon Red, like many coined by ransomware threat actors,
is a reference to pop culture. The character, Epsilon Red, was a relatively obscure adversary
of some of the X-Men in the Marvel Extended Universe, a super soldier alleged to be of
Russian origin, sporting four mechanical tentacles and a bad attitude. End quote.
While the campaign uses complex layers of deception,
the ransomware proper is, Sophos says, bare bones.
It's a 64-bit Windows executable, and all it does is encrypt the files in the target system.
Other functions like communication, deleting shadow copies,
killing processes, and so forth,
have been, according to the researchers, outsourced to PowerShell scripts.
And finally, a story that almost seems too good to be true,
a kind of harmonic convergence of the biggest trendoid industries out there,
cannabis and cryptocurrency, comes out of the English Midlands.
CNBC reports that the West Midlands Police,
investigating reports that there was a big illicit cannabis farm
in an industrial park in Sandwell,
found, surprise, a big coin mining operation instead.
No cannabis, alas,
but there were about a hundred rigs whirring away
like Alan Turing's bombe, busy mining coin.
What's wrong with that,
you'll ask, adding, dude, if you'd like to reinsert the stoner vibe that initially drew the constable's attention. Well, it's this. They weren't paying for their electricity,
so they were stealing, according to the Evening Standard, thousands of pounds worth of power.
The Standard says, quote, the IT equipment was seized from the
building in the Great Bridge Industrial Estate and inquiries with Western Power revealed the
electric supply had been bypassed. What drew the police attention in the first place? You might be
asking for a friend. According to CNBC, suspicions were aroused by, quote, many people were visiting the unit at various points of the day, police said,
adding there were numerous wiring and ventilation ducts visible.
A police drone also detected a lot of heat coming from the building.
Researchers at VMware recently released their 2020 Threat Landscape report,
outlining some of the things they see from their unique perspective on Internet and data center traffic.
Giovanni Vigna is Senior Director of Threat Intelligence at VMware, and he joins us with their findings.
We work with telemetry that we collect
from our customer. And since we have sort of a large number of sensors, we have a good view
on some of the trends that are happening in the wild in terms of detections, in terms of threats, in terms of how the threats try to avoid detection.
And this is true, especially if you look at the problem
of protecting a data center, where you can have sort of like problems
at scale, as we have seen from the Colonial Pipeline situation.
And so what prompted, we wanted to communicate outside
what we had seen in our sort of like slice of reality,
because there are some insights that are interesting.
Of course, some of the insights are not outstanding
in terms of statistics.
They're very understandable.
But it's interesting to see some little angles
that are sort of surprising, at least to me.
For example, we observed that there was still a lot of plain text passwords
floating in data centers, which was quite surprising.
But then when we looked into it, people actually do that for a variety of reasons.
We also looked at how, for example, malware tends to spread laterally once they get a
foothold on one of the machines in a particular network.
And we saw that a lot of activities based on RDP, which is not surprising per se, but it's interesting to see a lot of that east-west traffic because of how our sensors are deployed, that this is really a very relevant and useful information to understand the blueprint of a breach.
Yeah, there are some really interesting insights here in your report. I mean, we can start, I guess, with some of the basics, but that,
you know, email continues to be the top of the list of attack vectors. Yeah, I've been in this
field for a long time. And sincerely, this is still surprising me how toxic email is, how this has really become the first sort of like the first step in a kill chain
of an attack has almost always been an email. Because unfortunately, there is, you know,
the email is really where you try to break the weakest link in a chain. You just need somebody to click on a link, open an Excel spreadsheet with a malicious
Excel form macro.
And fundamentally, you have a first point of attack and you can collect everything from
credentials to information that will allow you to spread out and connect to other users
using social engineering.
So finding out that 4% of the attachments that were received in general contained some form of maliciousness,
which is orders of magnitude with respect to any other vector, I think is pretty interesting.
That's Giovanni Vigna from VMware.
And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health
and Homeland Security and also my co-host over on the Caveat podcast. Hello, Ben.
Hi, Dave.
So we got a story here from the Washington Post, and it's titled, Florida Governor Signs Bill Barring Social Media Companies from Blocking Political Candidates.
This is an interesting online policy move here, Ben. What's going on?
I'll start with a dad joke by just saying,
signs bill barring,
and this is not about the former attorney general.
Sorry, everybody.
The actual story here is about a piece of legislation signed into law by Florida Governor Ron DeSantis
that takes aim at big tech platforms,
specifically social media platforms.
So the law does basically two things.
The first is give Florida residents a cause of action
if they think that tech platforms are applying their content moderation standards
in a discriminatory way based on one's political viewpoint.
It allows them to sue these tech companies for a pretty inordinate sum of money,
and they would be allowed to sue those tech platforms
in Florida state court.
So that's one provision.
The other relates to tech platforms' ability
to censor the accounts or to suspend permanently
or temporarily the accounts of active political candidates.
So the purpose of this provision is to prohibit tech platforms, the Facebooks and Twitters of the world,
from suspending a political candidate for more than, I think it's 14 days in the piece of legislation,
during a political campaign.
And if they don't abide by that regulation, they would be subject to a $250,000 fine every single
day that they allowed that ban to continue. I'll note for posterity that there is a very famous
resident of the state of Florida who was banned from multiple social media platforms in a very high profile way earlier
in 2021. And I think it's no coincidence that this piece of legislation has this provision.
So it was signed into law. I think a lot of neutral observers have noted that this law is
almost certainly blatantly unconstitutional and is likely to get struck down in federal court.
And it's basically unconstitutional for two reasons.
The first concerns the First Amendment rights
of the tech platforms themselves.
According to court precedent and a lot of the legal scholars
and trade organizations, there's this long-standing doctrine
that these tech company platforms have First Amendment rights
to regulate their platforms as they see fit.
As we've learned from a bunch of cases, corporations are
people. They do have constitutional rights. And one of those rights
is to regulate the content on their platforms.
The second major constitutional issue is this issue of preemption.
So the federal government has passed a law, the Communications Decency Act, which shields companies from liability, these tech companies, for content moderation decisions on their platforms.
And this is Section 230 of the Communications Decency Act.
Florida's law that they're passing here would run afoul of that provision
And because, according to our constitution, the federal government is the supreme governing body of the land
The federal law would preempt the state law
So for those two reasons, it's very likely that this law will be thrown out in court
So I don't think we're ever going to see this law actually come into effect. It's scheduled
to come into effect on July 1st of this year. I suspect we'll see a preliminary injunction before
we get to that point. So why bother? What was Florida Governor DeSantis up to here in going
through this whole exercise? So I think this is rather performative on the part of Governor DeSantis.
You know, for one, the big boogeyman among his political allies on the right, at least currently,
is these big tech platforms and the fact that they are allegedly biased against conservative voices.
And this is a high profile way to make that political point, saying, you know, we're not
going to stand for this anymore. We're going to hold these tech platforms accountable. There's also, he's sort of hedging his bets. I mean, very clearly, Ron DeSantis
wants to run for president. He's probably secretly hoping that his co-Florida resident, former
President Donald Trump, does not run in 2024, and that he would be kind of the natural heir to the
Trump legacy. And this is something obviously former president Trump cares deeply about
because he was deplatformed.
After the January 6th insurrection,
basically every social media platform permanently suspended Trump's accounts.
And I think DeSantis knows that this might endear himself politically
to some of former President Trump's most diehard supporters.
So we think that the governor is sort of signaling to his supporters that if you bring me to a federal level office, this is the sort of thing I will push for at a national level. Yeah, I think, you know, there is certainly
something politically effective about figuring out ways to punish your enemy through the force
of law. And right now, the enemy among a lot of conservatives is these big tech platforms.
And there are federal politicians who want to do the same thing. I mean, most notably,
Senator Josh Hawley of Missouri has been adamant that he wants to institute these types of regulations on big tech platforms.
So I think by enacting this law, this is a way for Governor DeSantis to distinguish himself among that field.
You know, people like Senator Hawley in 2024 could say, well, I propose this legislation.
And Governor DeSantis can say, well, I actually signed it into law, even though I suspect it will be struck down in our court system.
But yeah, I do think this is largely performative.
It is pretty clearly a constitutional violation.
But I also don't think it's an unwise move politically for Governor DeSantis, who, you know, despite some buzz, is still kind of an unknown on
the political map. And this is a way to endear himself to the conservative movement.
Yeah. All right. Well, interesting policy move here from the folks in Florida.
Ben Yelin, thanks for joining us.
Thank you.
Check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast
where I contribute to a regular segment called Security, huh?
I join Jason and Brian on their show
for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks
where all the fine podcasts are listed
and check out the Recorded Future podcast,
which I also host.
The subject there is threat intelligence
and every week we talk to interesting people
about timely cybersecurity topics.
That's at recordedfuture.com slash podcast.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan,
Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson,
Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.