CyberWire Daily - SVR was reading the US Attorneys’ emails. Deliveries still lag as South African ports reopen. EA hackers dump game source code. Another look at criminal markets. And Mr. Hushpuppi cops a plea.
Episode Date: August 2, 2021
SVR may have compromised twenty-seven US Attorneys' offices. Ransomware disruptions of a physical supply chain continue as South African ports reopen. EA hackers give up, and dump the source code they stole. Double extortion may not be paying off. A look at initial access brokers. Operation Top Dog yields indictments in an international fraud case. Rick Howard tackles enterprise backup strategies. Kevin Magee from Microsoft with lessons learned hiring multiple team members during COVID. And a decryptor for Prometheus ransomware is released. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/147 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The SVR may have compromised 27 U.S. attorneys' offices.
Ransomware disruptions of a physical supply chain continue as South African ports reopen.
The EA hackers give up and dump the source code they stole.
Double extortion may not be paying off.
A look at initial access brokers.
Operation Top Dog yields indictments in an international fraud case.
Rick Howard tackles enterprise backup strategies.
Kevin Magee from Microsoft has lessons learned hiring multiple team members during COVID.
And a decryptor for Prometheus ransomware is released.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, August 2nd, 2021.
The SolarWinds campaign successfully hit accounts in 27 U.S. attorneys' offices,
the U.S. Department of Justice said late Friday. Among the offices most affected were the eastern, northern, southern, and western districts of New York, where 80 percent of employees' Office 365
accounts were compromised. Why those districts were particularly affected
is unclear, and Justice didn't elaborate on the reasons. As is now well known, the U.S. has
attributed the SolarWinds campaign to Russia's SVR foreign intelligence service. The Justice
Department said, quote, the compromised data included all sent, received, and stored emails and attachments found within those accounts during that time.
Specifics of the damage done remain a matter of speculation, with several discussions of the possibility that, for example, information about confidential informants could have been compromised.
The Justice Department is acting on the basis of worst-case assumptions.
Their announcement said, quote, the department is responding to this incident as if the Advanced
Persistent Threat Group responsible for the SolarWinds breach had access to all email
communications and attachments found within the compromised O365 accounts. The APT is believed
to have access to compromised accounts from approximately May 7th
to December 27th, 2020. The compromised data included all sent, received, and stored emails
and attachments found within those accounts during that time. End quote. It was, of course,
email accounts that were compromised, and the BBC, citing conversations with former prosecutors,
said that U.S. attorneys' personnel commit a great deal of sensitive material to email.
USA Today quotes a former prosecutor as saying, quote, I don't remember ever having someone bring
me a document instead of emailing it to me because of security concerns, end quote,
with the exception of certain classified material.
Although Transnet's recovery from the ransomware attack it sustained is well underway,
and port services in South Africa have returned, the cyber attack effects continue to linger in
the supply chain. Asia Fruit reports that deliveries of fresh produce have been significantly disrupted,
and Automotive Logistics finds similar stresses in auto parts shipments.
The Record reports that extortionists who hit Electronic Arts last month failed to either get the game maker to pay ransom
or to find third parties willing to buy the files they stole during their attack.
Last week, they dumped some 751 gigabytes of compressed EA data onto an underground forum from where the data have been circulated to various torrent streams,
data which includes game source code mostly.
No customer data appeared to have been at risk.
The source code leaked includes the widely played and popular FIFA 21 soccer game.
The hackers seem to have misjudged their market. The attack came to light on June 10th,
when those who claimed responsibility for the incident posted a note in an underworld market
announcing that they were in possession of EA data, which a buyer could have for $28 million.
No one apparently bit. Giving up on finding a buyer, the criminals then contacted EA with an offer not to publish the stolen data.
EA wasn't interested either, so the thieves gave up and simply dumped the code online.
Looking elsewhere in the criminal marketplace, security firm Recorded Future also thinks it sees a decline in double extortion from the highs it reached in December.
Double extortion, of course, is encryption to render data unavailable and threats to release the data if not paid.
It may be that this second threat isn't really paying off for them.
Recorded Future's Allan Liska said, quote, ransomware actors came up with this whole system that they thought would encourage people to pay, and us researchers and journalists
lapped it up and said it made perfect sense. But we've seen over time that companies don't
really suffer consequences if their data winds up on extortion sites. Ransomware actors aren't
always the psychological geniuses we think they are.
End quote.
IT Pro speculated recently that there may be signs the ransomware operators were growing a conscience.
This seems wildly and unreasonably optimistic to us, but the criminal market has shifted.
With BlackMatter apparently picking up where DarkSide and REvil left off,
and DoppelPaymer rebranded as Grief, the criminal-to-criminal market remains lively.
Security firm Kela has been tracking the recent fortunes of initial access brokers
in this hot subsector of crime. Their report on initial access brokers, released this morning,
discerns five trends in this criminal-to-criminal market. First, the pricing of initial access is based on the size
of the company compromised and the level of privilege the broker has achieved within the
network. Quote, the average price for network access during July 2020 through June 2021 was $5,400, while the median price was $1,000.
25% of the listings posted for sale were confirmed to be sold by initial access brokers.
Second, there's a growing diversification in the kinds of access being hawked.
Kela says, me-too-ism, in which criminals follow the trail blazed by intelligence services
in such compromises as those that afflicted SolarWinds and Kaseya.
And third, it appears that some of the more successful initial access brokers are becoming
quiet. But this doesn't mean they're fading away or going to ground.
It doesn't necessarily mean that initial access brokers suspended their activity.
Rather, Kela concluded that the decrease is due to the fact that IABs simply moved part of the deals to private correspondence with middlemen or ransomware affiliates in an effort to avoid detection from researchers and law enforcement agencies. The fourth trend Kela calls a growth in professional ethics.
That is, there seems to be a tendency for some of the brokers to avoid selling access to, for example, healthcare organizations.
Kela says,
As some ransomware gangs, such as DarkSide, promised not to target certain sectors, new ethics seemed to be established among actors participating in the ransomware-as-a-service economy.
Depending on the gangs, they were seen forbidding their affiliates to attack health care,
government, education, and non-profit sectors
to not cause damage to patients, students, citizens, and other categories of people.
The ransomware gangs seem to pass a message they hunt only companies
and aim only for financial gain, end quote.
We would hesitate to call this ethics, especially since we've seen how readily such resolutions of
good behavior were abandoned by the cited ransomware gangs, where altruism and respect
for the common good took a distinct backseat to the main chance. As Kela qualifies their conclusion,
quote, however, there are still no rules on this matter. Most of the brokers still sell all the
accesses they were able to gain, end quote. One rule seems firm, however. Russian-speaking gangs
don't hit Russian targets. We'll leave it as an exercise for the listener to speculate as to whether this represents patriotic compunction or simple self-preservation.
And finally, some of the initial access brokers are seeking to monetize their wares in other ways,
usually by engaging in some data theft or extortion on their own.
The double extortion approach may be showing signs of being played out,
but the brokers are new enough to the game, perhaps, to figure, well, why not?
The U.S. Justice Department late last week announced the indictment of six people for
attempting to defraud a businessman interested in establishing schools in Qatar. The amount the
alleged crooks were allegedly after
came to more than $1.1 million,
a sum they subsequently intended to launder.
That's interesting enough,
but more interesting are the confession and guilty plea
of Ramon Olorunwa Abbas,
better known by his hacker name Ray Hushpuppi.
Mr. Hushpuppi, a Nigerian national 37 years young, is alleged to
have connived with a senior and much-decorated Nigerian police official in his crimes. The U.S.
would very much like to see supercop Abba Alhaji Kyari, deputy commissioner for the Nigeria Police
Force, answer for his alleged role in supporting a fraud ring that
has operated globally. Nigerian authorities are looking into the conclusions the U.S. FBI has
drawn in their Operation Top Dog, as the investigation is called, but the Washington
Post reports those authorities aren't saying whether they've suspended Mr. Kyari. Mr. Kyari has denied any wrongdoing.
And finally, bravo, CyCraft.
The Record reports that the Taiwan-based security firm
has released a decryptor for Prometheus ransomware.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous
visibility into their controls with Vanta. Here's the gist. Vanta brings automation to
evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for a thousand dollars off. And now a message from Black Cloak. Did you know
the easiest way for cyber criminals to bypass your company's defenses is by targeting your
executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over one
third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And it is always a pleasure, dare I say a thrill, to welcome Rick Howard back to the show. He is the CyberWire's chief security officer and also our chief analyst.
Rick, welcome back.
A thrill, you say? Man, oh man, I love it.
Maybe I shouldn't say that until we're done recording, right?
Exactly.
Shouldn't preload it.
So on this week's CSO Perspectives podcast, you are continuing your discussion about resiliency,
which is a first
principle InfoSec strategy. Now, last week you talked about encryption, but this week you were
talking about backup and restore operations, which is a key and essential piece to business
continuity and disaster recovery planning. What can we expect this week, Rick? Well, you're right,
Dave. And it's funny, if you talk to any IT or security pro about disaster recovery, without fail,
they all seem to have their own personal catastrophic recovery story, you know, where they had to
wrestle with the gods of epic failure to reclaim some important piece of lost data.
So my question to you is, what's your disaster recovery story?
Oh, man, I have a recent one. I recently was updating my Mac to Big Sur, you know, the recent OS. And I had a Time Machine
backup that was attached to the machine. And I also had a secondary backup. Yes, you did, of course. Right, belt and suspenders, right?
So I run my system upgrade,
and this is the first time I'm upgrading to the new OS.
It takes its time
as these things can happen,
and it runs and it runs
and it runs and it runs.
At the end, when it's done,
I get things up and running.
I go to look to my backups,
and they're gone.
Everything's gone.
My Time Machine's gone.
My secondary backup is gone.
It's just gone.
It's just gone, Rick.
It's all gone.
I remember when this was happening, and there was this black cloud hovering over the headquarters there, right?
It's like, oh, no.
It's the worst feeling in the world.
It really is.
And, you know, shame on me for doing a system update and leaving those backups attached to the system, right?
That is 100% on me and I did that wrong.
Yeah.
So, I mean, that's the story in a nutshell.
Does this ring a bell?
Is this a familiar tale with you and your buddies?
It totally is.
And I feel you, Dave, all right?
Because we've all been there, right?
And in this episode, I relayed my own personal story where I just about lost 20 years
of family data, right? So, I understand where you're coming from. And all I can say is,
thank goodness for the Best Buy Geek Squad and their hard drive recovery services, right?
But for this episode, I wanted to talk about enterprise backup and restore operations,
all right, in connection with our first principle strategies. You know, with ransomware having a
moment right now, pursuing all of our first principle strategies, intrusion kill chain
prevention, zero trust, risk assessment, and resiliency will greatly reduce the probability
that a ransomware gang will have success against your organization.
And you can't do resiliency without encryption and backups.
All right.
Well, fair enough.
I will say I will be listening with great interest.
As we all do.
With renewed interest.
Yeah.
So it's CSO Perspectives.
It is part of CyberWire Pro.
You can find out all about that on our website, thecyberwire.com.
Rick Howard, thanks for joining us.
Thank you, sir.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Kevin Magee.
He's the Chief Security Officer at Microsoft Canada.
Kevin, it is always great to have you back.
You know, you and I were talking offline, and you mentioned that you have been going through a bit of a sprint when it comes to hiring.
And I wanted to check in with you on that.
Just sort of lessons and insights that you have learned from going through that process.
Hi, Dave.
Thanks for having me back.
It's a topic that's really near and dear to my heart.
I think as cybersecurity leaders, the most important thing we can do is make sure that we hire the right folks,
we onboard the right folks, and we develop them as security professionals.
And that means really thinking differently.
As we move into the pandemic, it became much more challenging to really connect with people
and to find the right folks.
But it also created a lot of opportunities to expand our thinking about where we could draw from talent pools,
not just in geographic locations, because location didn't matter anymore when we all
started to move to a lockdown perspective, but also just different backgrounds and different
perspectives.
And I think what's come out of this expansion during a time of a pandemic is I've really been able to grow a very diverse and
strong team because of really the constraints that the overall pandemic imposed.
When you say diverse, what do you mean? What was your approach to that and what are the
successes and challenges you've experienced? Well, we finally hit gender parity, for instance,
on our team. We have an
equal number of men and women on the team. And it was a big challenge to make sure that we did the
right things and we brought the right talent into the process. So no one was ever given a role on
our team because they represented a certain background or whatnot. Everyone competed. But
making sure that everyone that we wanted to have a chance at the job really had that same equal playing field. And that meant
making sure that we looked for not a fit for the team, but who could add to the team. We didn't
look to screen out candidates. We looked to screen in candidates. What could they bring to the
organization? What could they bring to the team that we didn't have? And that meant different backgrounds in terms of education, gender, stage of career,
and whatnot as well. So taking a very inclusive and open mindset approach to hiring as opposed to
screening people out, finding reasons why they shouldn't join the team, was made all the
difference. It's much more time-consuming. It takes a lot more effort by the
hiring manager. And it's ultimately though, you know, the best thing you can do to really
strengthen your team and make it much more effective. And I'm already beginning to see
the results of all of this new talent, all this new perspective and all this new diversity we've
brought to the team. What sort of results are you seeing? What does that lead to in terms
of outcomes? Well, it can be everything from just having different people at different stages of
career. So a great example, when someone brings up a new social media service or whatnot, I'm in my
late 40s. I don't use a lot of these platforms or services. So having someone that's more familiar
with those solutions and uses those solutions,
great opportunity to really tap that knowledge.
The other thing I find,
I now started to notice a lot of my biases.
I came up the security chain in the network security world.
So I always follow the packet.
That's how I think about security.
But in a cloud world with service applications,
containers and whatnot,
I find a lot of what I learned, all that 30 years of experience I have sometimes holds me back in really seeing the greater picture.
And those biases need to be challenged.
And we do that by adding people at a different stage of their career who grew up in the container age, who really don't know anything different.
They have a different perspective. And allowing them to speak truth to power, to really feel empowered, to offer their opinions and their ideas really makes a difference. And I'm quite surprised, really, at how often my 30 years of experience, which should be a reason to hire a security professional, can sometimes hold me back in terms of how I approach solving a problem.
What about sort of geographic diversity?
Did the pandemic open up the possibility for a broader range of candidates just being able to work remotely?
Absolutely. I think we have, as an industry,
this idea that you need to be part of a major city or, you know, accessible to an office, and
what the pandemic really showed is that, you know, we can work from anywhere using all the tools
we have available to us. As long as you have a high-speed internet connection and you have the
right skill sets, you are a viable candidate now, and we've really doubled down on making sure that we are exploring folks outside of the major geographical areas.
We now have people in cities and towns in areas of the country we would have probably not necessarily thought of.
And it's not that we wouldn't want those people.
It's maybe we didn't think to go there to find talent.
So we have new team members in Prince Edward Island, in Canada,
in Nova Scotia, in Saskatchewan, some areas of untapped talent where we maybe have not looked
before in the past. And we're uncovering incredible talent skills and team members in these places.
And they're now having the opportunity to live where they want, to raise their family in the
communities maybe that they grew up in and whatnot without having to sacrifice a chance to have a great career at Microsoft.
All right.
Well, Kevin Magee, thanks for joining us.
Thanks, Dave.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.