CyberWire Daily - SolarMarket malware carried in some WordPress sites. Russian privateers don’t much like REvil’s takedown. The SVR in the supply chain. Malicious Squid Games app. Scary social media.

Episode Date: October 25, 2021

SolarMarket infestations are up, and circulating through WordPress sites. More indications that REvil was taken down by a US-led but thoroughly international public-private partnership, and the other Russian privateers have their noses seriously out of joint. Russia’s SVR is getting busy in software supply chains. Criminals take advantage of the popularity of Squid Games. Dinah Davis from Arctic Wolf on how even hackers have internal politics. Rick Howard checks in with the Hash Table on compliance. And Halloween is coming: do you know what your apps are up to? For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/205 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. SolarMarker infestations are up and circulating through WordPress sites. More indications that REvil was taken down by a U.S.-led but thoroughly international public-private partnership. Russia's SVR is getting busy in software supply chains. Criminals take advantage of the popularity of Squid Games.
Starting point is 00:02:18 Dinah Davis from Arctic Wolf on how even hackers have internal politics. Rick Howard checks in with the Hash Table on compliance. And Halloween is coming. Do you know what your apps are up to? From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, October 25th, 2021. Security firm eSentire reports a marked upswing in SolarMarker infestations. Whereas the information stealer had hitherto relied upon Blogspot, Google Sites, and content delivery networks to host malicious files,
Starting point is 00:03:13 the campaigns using SolarMarker have begun making increased use of compromised WordPress sites. The operators have also succeeded in making their attacks more evasive and more adept at bypassing defenses by using large payload sizes, obfuscated payload modules, and stolen certificates, which present challenges to antivirus solutions. eSentire says it continues to be a cross-industry threat, but with a focus on three sectors: manufacturing, legal, and financial. They're also observing the same enhancements Cisco's Talos researchers took note of in July, an improved staging module and effective keylogger. More emerged over the weekend on the multinational public-private operation that seems to have put REvil down. SecurityWeek confirmed that a U.S. international partner, unnamed, was responsible for the final shutdown. That REvil suffered significant reputational damage between its first occultation, shortly after its early July attack on Kaseya, and last week's takedown seems undeniable.
Starting point is 00:04:31 Other competing ransomware gangs have commented on their rivals' fortunes. The Conti gang, for example, put an insufferably smug and self-congratulatory post out on Friday. They wrote, quote, As a team, we always look at the work of our colleagues in the art of pen testing, corporate data security, information systems, and network security. We rejoice at their successes and support them in their hardships. Therefore, we would like to comment on yesterday's important announcement by the U.S. law enforcement about the attack on the REvil group. They don't care much for the American government. First, an attack against some servers, which the U.S. security attributes to REvil, is another reminder of what we all know, the un to an extraterritorial attack against some infrastructure in some countries.
Starting point is 00:05:30 Is there a law, they ask rhetorically, even an American one, even a local one, in any county of any of the 50 states that legitimizes such indiscriminate offensive action? Is server hacking suddenly legal in the United States or in any of the U.S. jurisdictions? If yes, please provide us with a link. End quote. Okay, well, sure, so how about these? Section 1030(a)(2) or 1030(a)(4) of the Computer Fraud and Abuse Act would seem to cover it. And U.S. law, whatever Russian privateers may think, does have, at least in U.S. eyes, extraterritorial application in the case of cybercrimes in particular. A useful reference is Prosecuting Computer Crimes, published by the Office of Legal Education, Executive Office for United States Attorneys, Computer Crime and Intellectual Property Section, Criminal Division.
Starting point is 00:06:24 Not a dull page in it, especially pages 113 and following. Put a copy in the gang washroom, Conti. It'll stimulate the bowels better than a buckthorn infusion or the black coffee and bran muffin favored stateside. Enjoy. The ransomware gang Groove was also barking after the REvil takedown, calling, in a Russian-language criminal forum post Bleeping Computer found, for a general effort by all ransomware gangs against American interests. Since the big players in Russophone ransomware circles are effectively operating under letters of marque and reprisal, and since they're already fully engaged against American interests, it's difficult to see how that would change much. Indeed, the Groove statement, a kind of criminal halftime speech, as much as acknowledges the connection to the Kremlin. Here's what they said, bowdlerized because we're a family show, quote,
Starting point is 00:07:22 In our difficult and troubling time when the U.S. government is trying to fight us, I call on all partner programs to stop competing, unite, and start effing up the U.S. public sector. Show this old man who is the boss here, who is the boss, and who will be on the internet while our boys were dying in honeypots.
Starting point is 00:07:42 The nets from rude IEB squeeze their own, but he was rewarded with hire and now he will go to jail for treason. So let's help our state fight against such ghouls as cybersecurity firms that are sold to AMERs, like U.S. government agencies. I urge not to attack Chinese companies, because where do we pinch if our homeland suddenly turns away from us, only to our good neighbors, the Chinese. I believe that all zones in the USA will be opened. All, nether orifices, will come out and F this F-ing Biden in all the cracks. I myself will personally make efforts to do this.
Starting point is 00:08:19 End quote. So there. We observe the poor taste involved in saying, our boys were dying in honeypots. Nobody actually dies in a honeypot. It's the kind of overheated metaphor you'd find in a campus newspaper. Well, phooey. What's happened to crime?
Starting point is 00:08:41 iTWire thinks that this and other whistling in the dark, blustering gasconade from elsewhere in gangland, are aimed far less at frightening law enforcement than they are intended to reassure criminal stooges in the C2C markets that Conti and those like them are still in the game and still a reliable partner in the sleazy ransomware enterprise. In any case, FBI, Cyber Command, Interpol, Europol, and your colleagues, good hunting. Russian intelligence services, like the privateers, are showing small disposition to trim their activities in response to diplomacy, sanctions, or deterrence. Microsoft has identified extensive new activities by Russia's SVR Foreign Intelligence Service, which Microsoft tracks as Nobelium and which will be familiar as the Cozy Bear behind the early 2016 election season compromise of the U.S. Democratic National Committee and last year's
Starting point is 00:09:37 SolarWinds compromise. The current operations, which Microsoft describes as very large and ongoing, show no signs of abating. Microsoft said, quote, This recent activity is another indicator that Russia is trying to gain long-term systematic access to a variety of points in the technology supply chain. End quote. Redmond has warned 140 resellers and technology service providers that they were being targeted by Nobelium. The company believes that 14 of them may have already been compromised. The SVR's recent approach doesn't involve any exotic zero-days or clever exploitation of software vulnerabilities. Instead, they've used, quote, well-known techniques like password spray and phishing
Starting point is 00:10:26 to steal legitimate credentials and gain privileged access, end quote. While Microsoft says it's under no illusions that nation-states, including Russia, are going to suddenly revert to good behavior in cyberspace, it does think prospective targets aren't as helpless as they once may have been. Quote, We have learned enough about these new attacks, which began as early as May this year, that we can now provide actionable information which can be used to defend against this new approach. We've also been coordinating with others in the security community to improve our knowledge of and protections against Nobelium's activity.
Starting point is 00:11:03 And we've been working closely with government agencies in the U.S. and Europe. We believe steps like the cybersecurity executive order in the U.S. and the greater coordination and information sharing we've seen between industry and government in the past two years have put us all in a much better position to defend against them, end quote. Microsoft, we note in disclosure, is a CyberWire sponsor. Crime continues to find its targets of opportunity in popular culture. An unauthorized app for Netflix's big, big hit Squid Games, formerly available in Google Play, has been yanked by Mountain View with a warning that Android users
Starting point is 00:11:45 should uninstall it. Researchers at security firm ESET, The Independent reports, found that Squid Game Wallpaper 4K HD was in fact serving up Joker malware. And finally, now this. Halloween is this Sunday, kids, and we'll observe the run-up to the spooky holiday this week with some scary stats contributed by industry researchers. Are you on social media? Sure you are. And so, be scared. That's the import of the true campfire story
Starting point is 00:12:24 Arkose Labs sent our way for Halloween. Arkose's Q3 fraud and abuse report found that 53% of the logins, that's more than half of all logins, on social media sites are fraudulent, and fully one quarter of applications for new accounts are also fraudulent right from the get-go. But wait, there are scary robots too. Over 75% of social media attacks are, say Arkose, now automated by… by… bots. And a lot of those are account takeover attacks. They're after your login data.
Starting point is 00:13:06 Gort. Klaatu. Barada. Nikto. Well, that's probably not going to do it. Different kind of bot. You know, pretty scary, kid. So, happy Halloween.
Starting point is 00:13:18 Stay safe out there. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
Starting point is 00:14:08 and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses
Starting point is 00:14:43 is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And it is always great to welcome back on the show our own Rick Howard, the CyberWire's Chief Security Officer and Chief Analyst. Rick, you know, last week on the CSO Perspectives podcast, you did a deep dive on the current state of cybersecurity compliance law. Don't fall asleep when you say that, Dave. Don't fall asleep. Compliance law.
Starting point is 00:15:42 I know. There are people who are standing by their podcast apps and they're saying, oh, I hope they talk compliance law today. I can hardly wait. Yeah. So one thing that caught my eye that I really wasn't expecting was that organizational compliance strategy was so important. And it was so important that you included it as one of your first-principle strategies. Now, as I recall, you were still on the fence about that. Have you come to any resolutions since we aired that episode? Well, I think so, but my answer is not what I thought it was going to be when we started down this path. I mean, the potential fines that may result from the 50-plus compliance laws on the books right now, they could be material to your business.
Starting point is 00:16:26 You know, for example, in 2018, Anthem paid $16 million, that's small m, to the U.S. Office for Civil Rights as a settlement for HIPAA noncompliance. Now, I have no idea if Anthem considered $16 million material to their business. After all, their annual revenue, it's north of $33 billion, the big B there. Wow. So when I finished last week's episode, I was unsure if compliance should be a bedrock first principle. So this week I invited Tom Quinn, the T. Rowe Price CISO to the CyberWire hash table to see if he could help me decide. Oh, Tom's a great guest. I've had him on our shows several times. Super smart.
Starting point is 00:17:07 And of course, he's been doing cyber in the financial industry for decades now, right? Yeah, he's worked at State Street, BNY Mellon, JPMorgan Chase, and now he's going on six years at T. Rowe Price. And he said that the way he thinks about compliance is that it's an essential component to his resilience first principle strategy.
Starting point is 00:17:28 But here's the interesting thing. He says that if you think about the four first principles, zero trust, intrusion kill chain prevention, resilience, and risk forecasting, they all have equal weight. But immediately following those principles is DevOps as a layer that cuts across all four. And immediately following the DevOps layer is a compliance layer because you can't do compliance without automation. And all of the compliance data will come from the DevOps infrastructure. And that, by the way, is why Tom is one of the smartest CISOs in our community. Okay, well, there's plenty more where that came from, right? On this week's episode of CSO Perspectives, you can find that as part of CyberWire Pro, which is on our website,
Starting point is 00:18:11 thecyberwire.com. Rick Howard, thanks for joining us. Thank you, sir. Thank you. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And joining me once again is Dinah Davis. She's the VP of R&D Operations at Arctic Wolf. Dinah, it is always great to have you back. Some of these bad actors out there, some of these hacking groups that are up to no good. It's funny that every now and then something bubbles to the surface where perhaps they're not all getting along with each other. And I know that's something that you've had your eye on. What can you share with us today? Yeah, so a lot of these ransomware groups, these hacker groups, are actually quite large organizations. They've got the people who are doing the hacking.
Starting point is 00:19:51 They've got the customer support people. There's customer support lines. And a lot of them have what you call affiliates, which is like there's McDonald's and then there's like the franchisee and the franchisee is then running the place and they get paid a certain percentage of everything that comes in. Right. Right. And so that's how a lot of these ransomware teams work. Well, apparently they also have internal politics, just like every other company. And recently there was a disgruntled hacker at the ransomware gang Conti, and they were apparently very unhappy about how much they were getting paid to do Conti's bidding. And so they decided to leak the technical guides that Conti gang uses to train its affiliate members. So it was things like how to access and move laterally and escalate across a hacked company. And they just like published the whole thing to GitHub
Starting point is 00:20:52 and, you know, just like threw it out there for them. Right. Yeah. No, no honor among thieves. Right. No, no. And really though, did that person do that much damage? If you take a look at what the guide said, it's like a lot of pretty basic offensive tactics and techniques block because you know that they use them. Right. But I just found it interesting that, you know, even hackers have internal politics. Well, but isn't it interesting that, I would say overall it's fair to say that there is a good amount of discipline among these groups. That the fact that this doesn't happen more often is interesting in itself. Yep, yep, absolutely. It absolutely is. Yeah. All right, well, Dinah Davis, thanks for joining us. You're welcome. And that's the CyberWire.
Starting point is 00:22:08 For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security, huh? I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. And check out the Recorded Future podcast, which I also host. The subject there is threat intelligence, and every week we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com slash podcast.
Starting point is 00:22:45 The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karp, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John
Starting point is 00:23:05 Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
