CyberWire Daily - Some intelligence services understand the value of being underestimated.

Episode Date: October 26, 2023

StripedFly gets reclassified. YoroTrooper is interested in the Commonwealth of Independent States. The current state of DDoS attacks. Ukrainian hacktivists deface Russian artists' Spotify pages. Trolls amplify a Musky meme. In our Industry Voices segment, Matt Howard from Virtru explains securing data at the employee edge. Our guest is Seth Blank from Valimail, to discuss email security and DMARC. And while trolls might like Mr. Musk, the crooks heart Mr. Gosling.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/205

Selected reading.
Sophisticated StripedFly Spy Platform Masqueraded for Years as Crypto Miner (Zero Day)
Kazakhstan-associated YoroTrooper disguises origin of attacks as Azerbaijan (Cisco Talos Blog)
DDoS threat report for 2023 Q3 (The Cloudflare Blog)
Russian artists' Spotify accounts defaced by pro-Ukraine hackers (Record)
Elon Musk Mocked Ukraine, and Russian Trolls Went Wild (WIRED)
Ryan Gosling Tops McAfee's 2023 Hacker Celebrity Hot List (Business Wire)

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. StripedFly gets reclassified. YoroTrooper is interested in the Commonwealth of Independent States. The current state of DDoS attacks. Ukrainian hacktivists deface Russian artists' Spotify pages.
Starting point is 00:02:13 Trolls amplify a Musky meme. In our Industry Voices segment, Matt Howard from Virtru explains securing data at the employee edge. Our guest is Seth Blank from Valimail to discuss email security and DMARC. And while trolls might like Mr. Musk, the crooks heart Mr. Gosling. I'm Dave Bittner with your CyberWire Intel briefing for Thursday, October 26th, 2023. Kim Zetter reports in her Zero Day newsletter that the StripedFly crypto miner has turned out to be more malign than previously believed. When Kaspersky discovered it in 2017, they wrote it off as a simple piece of criminal malware designed for crypto mining. They also wrote it off as uninteresting and unsuccessful, yielding its
Starting point is 00:03:25 proprietors nothing more than chump change. All they got from mining Monero altcoin came to just $10 in 2017 and only $500 in 2018, not enough to interest even a spoiled script kiddie. Apparently, however, StripedFly was actually interested in collecting information, not cryptocurrency. Kaspersky discovered the miner was actually a cover for a sophisticated spy platform that has infected more than one million victims around the world since 2017. StripedFly seems to be a carefully designed espionage toolset that masked itself as an uninteresting, stumble-bum criminal operation. Zetter explains,
Starting point is 00:04:09 The spy components include ones for harvesting credentials from infected machines, for siphoning PDFs, videos, databases, and other valuable files, grabbing screenshots, and recording conversations through an infected system's microphone. The platform also has an updating function that lets the attackers push out new versions of it whenever Windows and Linux operating systems get updated. The malware gets pushed out from encrypted archives stored on GitLab, GitHub, and Bitbucket. StripedFly gains initial access to its targets through a variant of EternalBlue, an exploit attributed to an actor Kaspersky tracks as the Equation Group. Kaspersky studiously avoids attribution to nation-state services, but the Equation Group is widely believed to be
Starting point is 00:05:00 associated with the U.S. National Security Agency. EternalBlue was blown by the Shadow Brokers in April of 2017, a month after Microsoft patched the vulnerability the malware was designed to support. Since then, other services, notably China's Ministry of State Security, have used variants of EternalBlue, but it's not at all clear who's responsible for StripedFly. It does seem clear, however, that it's an espionage operation and not a low-grade criminal caper. In the espionage world, it usually pays to be underestimated. In more cyber espionage news, researchers at Cisco Talos yesterday published the conclusions of their investigation of YoroTrooper,
Starting point is 00:05:46 a cyber espionage operation that focuses on the Commonwealth of Independent States, the organization of former Soviet republics who haven't yet been invaded and who retain more or less voluntary ties to Russia. YoroTrooper has been active since June of last year. Cisco Talos thinks YoroTrooper is based in Kazakhstan, but that it seeks to leave a false trail designed to misrepresent itself as an operation run from Azerbaijan. It uses, for example, Kazakh VPN exit nodes. YoroTrooper relies heavily on phishing to direct its victims to credential harvesting sites.
Starting point is 00:06:26 This is also consistent with what ESET has observed about the group it tracks as SturgeonPhisher. ESET regards SturgeonPhisher as significantly overlapping YoroTrooper. Talos researchers believe that YoroTrooper is working to wean itself from commodity malware in favor of new custom malware spanning across different platforms such as Python, PowerShell, Golang, and Rust. The threat actor isn't purely devoted to offensive operations against its targets.
Starting point is 00:06:56 YoroTrooper also shows a repeated pattern of defensive scanning, checking Kazakhstan's state-owned email service mail.kz for evidence of hostile activity. Cloudflare has published its DDoS threat report for the third quarter of 2023, finding that gaming and gambling companies were bombarded with the largest volume of HTTP DDoS attack traffic, overtaking the cryptocurrency industry from last quarter. That's not surprising.
Starting point is 00:07:26 The gaming and gambling sector is particularly sensitive to anything that affects their services' availability. If you can't get on to fan fight, you're likely to bounce to sporting bookie. It's a quick gratification clientele. When an ordinary Joe or Jane is looking for some action, they probably want it now. Cloudflare offered some interesting details. 89 hyper-volumetric HTTP DDoS attacks in the third quarter of 2023 surpassed 100 million requests per second, with the largest peaking at 201 million, a figure three times higher than the previous largest attack on record. These large attacks were part of a sophisticated and persistent DDoS attack campaign
Starting point is 00:08:12 that exploited the HTTP/2 Rapid Reset vulnerability. The Rapid Reset campaign began in late August. The Record reports that Ukrainian hacktivists compromised the Spotify pages of Russian artists who've been prominent supporters of President Putin's regime and its war against Ukraine. In this case, they appear to be freelancers, not an organized auxiliary. They replaced the artists' profile pictures with a blue and yellow banner and messages urging Russia to stop war in Ukraine. The hacktivists did some bragging in Telegram channels and on Spotify, which suspended its news service into the Russian market last year in protest of the war. Spotify said at the time, we are deeply
Starting point is 00:08:57 shocked and saddened by the unprovoked attack on Ukraine, but it still has some Russian users. Spotify said it quickly restored the defaced pages. Official Russian opinion seems accurately represented by singer-songwriter propagandist Grigory Leps, one of the artists whose page was hit. Leps said through a spokesman, Spotify is not at all interesting to us. It is an enemy platform. We are on our own. Therefore, it's not at all interesting what's happening there. Mr. Leps has been under U.S. sanctions since October 2013 for his work as a money mule for the Brothers Circle criminal gang. The EU sanctioned him last year over his involvement with the war effort. Earlier this month, American tycoon Elon Musk began posting rude internet memes involving a flatulent teenager with Ukrainian President
Starting point is 00:09:53 Zelensky's face superimposed. Wired reports that Russian accounts on X, the platform formerly known as Twitter, have flocked to Mr. Musk's posts, giving them the greatest amplification they're capable of. Researchers at Cardiff University say the troll accounts have the usual marks of inauthenticity: low or zero follower numbers, a lack of identifiable personal details. They mostly just reply to other accounts' posts and produce anti-Ukraine and anti-Zelensky messaging, which mirrors wider Russian narratives. Some of the trolls photoshopped Mr. Musk into a Russian uniform as a token of esteem. We can't make out the rank. We hope it's at least Starshina. And finally, McAfee Labs has updated its tally of celebrities whose names are misused by cybercriminals.
Starting point is 00:10:48 Ryan Gosling is the current top banana. Mr. Musk comes in only at number six, behind Mr. Gosling, Emily Blunt, Jennifer Lopez, Zendaya, and Kevin Costner, and only just nosing out Al Roker. We have no idea what this means. Discuss amongst yourselves, but don't be surprised if a certain maverick tycoon builds himself a Barbie dream house. Maybe it could be virtually constructed in Minecraft. Talk amongst yourselves. Do you know the status of your compliance controls right now?
Starting point is 00:11:39 Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Starting point is 00:12:00 Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:12:54 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24/7/365, with Black Cloak. Learn more at blackcloak.io. The global pandemic and the shift to employees working from home accelerated the trend of organizations shifting their data security strategies from perimeter-centric to data-centric.
Starting point is 00:13:41 Matt Howard is Senior Vice President and Chief Marketing Officer at Virtru. And in this sponsored Industry Voices segment, he explains why modern information security must protect both structured data in the cloud and unstructured data at the employee edge. Every organization in the world has a data estate. 20% of it, give or take, is structured, rows and columns. Increasingly, those are databases now in public cloud infrastructure, but 80% of it is in various forms of unstructured data. And if you're just beginning a journey now, getting your arms around how do you sort of get better security posture with respect to all of this data estate. It seems like the current state of the industry right now is to focus first on governing structured
Starting point is 00:14:33 data in rows and columns in the public cloud and turning some attention, but inevitably more and more over time, to getting a grasp, if you will, on all of the unstructured data that's sensitive to the business and inevitably leaves the business through a variety of different workflows. Do you understand the focus that most folks have on doing their structured data first? And why does that come up short? Yeah, no, I totally understand it. I mean, listen, we all know how hard it is to be in the security risk management business in today's world. If I'm putting myself in the shoes of the customer, I think I've got to start somewhere.
Starting point is 00:15:12 And getting a grip on structured data with regards to databases is familiar. That's data you typically possess as part of some IT infrastructure, whether it's on-prem or in the cloud. And it makes sense as a starting place. I think the other thing that's, practically speaking, been true for the last decade plus is that everybody understands how much unstructured data is out there. Everybody understands how sensitive it is and how it's a good idea to govern it. But if we're honest, there hasn't been a really easy, scalable way to address the unstructured data challenge historically. I think that's beginning to change. And as a result, I think we're beginning to see kind of a rising tide. And inevitably, in the next year, two, three, four, you're going to see more and more budget,
Starting point is 00:16:01 more and more attention shift from governing just structured data to absolutely prioritizing governance and control and risk management with respect to the unstructured data estate. And how does this intersect with folks who have to think about things like compliance and regulatory regimes? Well, it's one of the key drivers of that rising tide I just mentioned, if not the key driver, is absolutely regulatory regimes and the need to comply. But any number of data security, data privacy, regulatory regimes in any number of different vertical or industries require that organizations do a better job of governing the sensitive unstructured data that they possess and that they inevitably share with third-party customers, partners outside the organization. And it's a key driver. So to the extent that the tide is rising now, compliance is a key driver. I think over time, in addition to compliance, you're going to basically see organizations just kind of continue to mature with respect to just security,
Starting point is 00:17:17 hygiene in general, organizations that are on a journey to mature with respect to zero trust security controls. As we know, it's a journey, not a destination. And on that journey, you'll eventually turn your attention to unstructured data as well. And at that point, you'll see drivers being both compliance and security. How about folks who want to have more control over the actual usage of the data itself? I mean, we think about data that's within an organization, but even talking about data that's outside of the organization as well. Are we in a place now where that's becoming more and more practical?
Starting point is 00:17:54 I mean, listen, so yes, absolutely. It's one thing to imagine you sharing sensitive file with a partner externally via an email workflow and wanting to have governance and control over that email and that file so that you can do something like revocation or expiry, take it back two weeks from now after you've decided you no longer want that person to have access to it. Very, very important. But also, I think really interesting is this idea of how much of our data as an organization today are we just sort of
Starting point is 00:18:25 storing in public clouds like, I don't know, Google, Azure, Amazon. We store it there. We trust these large public cloud hyperscalers to essentially act as security by proxy. We hope that they do their job well. In some cases, as we saw this past summer with the State Department situation and Microsoft, it doesn't always work out that way. But nonetheless, if you are running an organization and you're storing sensitive data in a public cloud, you have to ask yourself, is it encrypted? And if it is, who holds the key? And increasingly, what we're seeing is customers say, I'm willing to store data in a public cloud, but I want to be the one to hold the encryption key because I don't want
Starting point is 00:19:09 the public cloud provider, Google, Amazon, or Microsoft, to potentially be in a situation where they have to, I don't know, answer to some law enforcement subpoena to decrypt the data. I want to be the one to ultimately hold the key because it's my data. And so more and more, this idea of sharing data externally and being in control of your own destiny because it's your data. It belongs to you. You should be the one that's able to determine who has access to it and who doesn't. Someone who's interested in taking this journey and is shopping around for providers. Any words of wisdom on the types of questions they should be asking? Yeah, I mean, listen, at the end of the day, I think open standards matter.
Starting point is 00:19:53 I think if you're not careful, you can kind of find yourself in a situation where you're subject to vendor lock-in almost accidentally. If you're really sort of thinking about your longer-term strategy as it relates to a zero trust security transformation, and you're looking at your entire data estate and you're wanting to kind of view it holistically, you'll obviously have a collection of strategies and vendors and technologies that you can employ to govern your structured data: discovery, classification, tagging, and protection by proxy. You'll have another path to kind of explore with regard to really granular controls that can be applied to these unstructured data workflows like the type that we just spoke about.
Starting point is 00:20:36 Obviously, for my two cents, I mean, my company, Virtru, certainly plays very strongly in the unstructured data portion of that journey. And we just encourage folks to kind of keep an open mind with an emphasis on open standards. And then probably most importantly, I think it'd be important to kind of really pressure test vendors with respect to who's been there and done it and can vouch for their competencies, not by virtue of anything they say, but more importantly, what customers have to say. That's Matt Howard from Virtru. Both Google and Yahoo recently announced that they're upping their game when it comes to email security.
Starting point is 00:21:30 That by February of 2024, they're essentially going all in on DMARC. For an explanation of what that means, I spoke with Seth Blank, Chief Technology Officer at zero trust email authentication provider Valimail. DMARC stands for Domain-based Message Authentication, Reporting and Conformance, which is a mouthful. There will not be a test at the end of this podcast. But DMARC overlays SPF, which is Sender Policy Framework, and DKIM, which is DomainKeys Identified Mail, and makes it, it takes them from sort of machine-to-machine anti-spoofing technologies to actual machine-to-human anti-fraud technologies.
Starting point is 00:22:16 And the way that works, to give you a really simple overview at 50,000 feet, is SPF's effectively a whitelist. Hey, I send mail from these systems that emit from these IPs. And that works great if you run your own network, have your own mail servers, but are awful in a shared services world. If you're sending through MailChimp or Marketo or Microsoft, everyone and their mom sends through those IPs too.
Starting point is 00:22:46 And so SPF isn't as helpful or is not helpful at all. DKIM uses PKI. We sign a message. And so when you receive the message, you can actually use the DNS to find the public key and you can go, great, this message was actually sent by this domain, and the message has not been tampered with in transit. The problem with both of these is that
Starting point is 00:23:12 what they authenticate is not necessarily what is shown to the user. And so DMARC introduces, there are those three letters toward the end, the concept of alignment. And alignment means what is authenticated is what is shown to the user. So with SPF or DKIM, I can say, I am phisher.com. I authenticate as phisher.com. And then I tell the recipient, I'm Dave Bittner. With DMARC, you cannot do that. That message would fail alignment. It's not authenticating what's shown to the user.
Starting point is 00:23:47 And we're explicitly talking about the domain name in use, not the actual text shown to the user. DMARC also gives you a report so you can see what is happening in your name, under the name of that domain, globally. So that you have this unparalleled visibility. This has never existed in email before. You can see globally what's happening in your name. And we talk to CISOs all the time. And the first DMARC report they see almost invariably, the words out of their mouth are, I can't unsee this.
Starting point is 00:24:26 Because you just have no idea the amount of just garbage being sent as everyone to everyone. And then DMARC lets you, the third thing, conformance, lets you set policy and you get to say, for mail sent as me, if I haven't authenticated, I want you to straight up reject it or send it to spam. And so you finally with DMARC get control. And what this has done is DMARC has proven its mettle as being the truly powerful anti-fraud tool. And it's become increasingly mandated. And it's becoming this, you know, it is frankly like having a TLS cert for your website. You just need it. It's sort of that bare minimum bar. And it's been a best practice for a decade, but it's never been truly required outside of government mandates until now.
Starting point is 00:25:26 So what is the shift that's happening now? We've got some big players here who are taking a fresh approach to DMARC? Exactly. So we have Google and then Yahoo and several other people in the industry who will be coming out over the next few weeks and months who will be subscribing to the same set of policies. And effectively, what they're saying is the core concepts of DMARC, that authentication must be aligned with the From domain, right? What is being displayed to the user is paramount. And if you do not have aligned authentication, it doesn't count. And then they're requiring people have a DMARC policy of at least p=none, which is effectively you can get reports, but you're not saying yet what to do with unauthenticated mail. And what this does is it means that we can now tell as an email ecosystem
Starting point is 00:26:21 who is sending the mail, or more accurately, that when a user is looking at their inbox, the mail is from who it says it's from. And that's foundationally different. And it's taking, again, a decade of best practice and making it a requirement that businesses do the hard work to authenticate their mail so that users cannot be deceived. If I'm a security professional, you're responsible for defending my organization, how is this going to affect me? So I think this is powerfully effective. My hope is this is really
Starting point is 00:27:00 meaningful to the security professional. DMARC has become increasingly a tool that security professionals have tried to implement, but there's been a resistance. And the question has been, why now? Why this over other approaches, right? Security professionals are inundated with the stats, the FBI damages of last year, there was $43 billion due to BEC. This year, the FBI reported $50 billion in damages. That's $7 billion in damages due to BEC over the last year alone. DMARC's part of that, not all of it. There has been the Verizon data breach report
Starting point is 00:27:39 since 2016 going 91% of all cyber attacks start from email year after year after year, but the problem is getting bigger. And the effectiveness of IT teams to even take on DMARC as a project has been really low. The market stats we look at show only a 13.5% effectiveness of people actually getting protection from DMARC. And so the hope is this has changed the conversation from a pure project that IT would like to take on, that security would like to take on, to a necessity for the business that creates a significant security win for the business in the process.
Starting point is 00:28:30 And that opens up other doors, especially if you're in a business-to-consumer and a B2C setting, where you can get a lot more ROI from marketing on top of it as well. That's Seth Blank from Valimail. Thank you. with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. Great. That's 1% closer to being part of the 1%. Maybe, but definitely 100% closer to getting 1% cash back with TD Direct Investing. Conditions apply. Offer ends January 31st, 2025. Visit td.com slash dioffer to learn more. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights
Starting point is 00:30:26 that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Starting point is 00:31:06 Our mixer is Trey Hester with original music by Elliot Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilby and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
