CyberWire Daily - TA505’s recent activity. Advice on defending organizations from BlackMatter. CISA RFI seeks EDR information. REvil’s halting attempts to return. Sinclair’s incident response.
Episode Date: October 19, 2021. A look at TA505, familiar yet adaptable. A US joint cybersecurity advisory outlines the BlackMatter threat to critical infrastructure. CISA asks industry for technical information on endpoint detection and response capabilities. Is REvil trying to run on reputation? The Sinclair Broadcasting ransomware incident seems to provide a case study in rapid disclosure. Carole Theriault considers the fight for online anonymity. Joe Carrigan shares steps to protect the C-Suite. And there's a decryptor out for BlackByte. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/201
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
A look at TA505, familiar yet adaptable.
A U.S. joint cybersecurity advisory outlines the BlackMatter threat to critical infrastructure.
CISA asks industry for technical information on endpoint detection and response capabilities.
Is REvil trying to run on reputation?
The Sinclair Broadcasting ransomware incident seems to provide a case study in rapid disclosure.
Carole Theriault considers the fight for online anonymity.
Joe Carrigan shares steps to protect the C-suite.
And there's a decryptor out for BlackByte.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, October 19th, 2021.
TA505 has, since last month, been showing signs of renewed activity.
And this morning, security firm Proofpoint released an assessment of the financially motivated group's operations and prospects.
The more recent waves of attacks have selected German-speaking targets disproportionately,
with obviously German and Austrian organizations receiving considerable attention.
But that shouldn't lead others to assume that they're likely to enjoy immunity from attack.
The researchers say, quote,
This threat actor does not limit its target set,
and is, in fact, an equal opportunist with the geographies and verticals it chooses to attack.
End quote.
There's been some continuity with TA505's activity since 2020, notably the deployment of the FlawedGrace remote-access Trojan and its reliance on phishing to obtain a foothold in its victims' environments,
but Proofpoint notes that the gang has also shown considerable adaptability, avoiding readily stereotyped tactics.
As the researchers note, quote, The group regularly changes their TTPs and are considered trendsetters in the world of cybercrime.
This, combined with TA505's ability to be flexible, focused on what is the most lucrative, and shifting its TTPs as necessary,
make the actor a continued threat.
End quote.
With its partners in the FBI and NSA,
the U.S. Cybersecurity and Infrastructure Security Agency
yesterday released a joint cybersecurity advisory
that outlined the threat posed by BlackMatter,
a criminal ransomware-as-a-service operation
that may represent a rebranding of DarkSide. BlackMatter emerged in July of this year.
DarkSide appeared in Russophone criminal circles in August or September of last year
and was active through May of 2021. It's best known for the attack on Colonial Pipeline,
which disrupted fuel deliveries in much of the eastern U.S. this past May.
Like DarkSide, BlackMatter has hit critical infrastructure, notably at least two targets in the food and agriculture sector.
CISA and its partners recommend a series of protective measures against attack and advise organizations to prepare for response and recovery.
They strongly discourage victims from paying ransom.
CISA's caution against paying ransom may be familiar, but it isn't idle.
A survey released this morning by CISOs Connect, Aimpoint Group, and W2 Research
suggests 80% of CISOs would at least consider paying ransom should they be
attacked. CISA itself is looking for some assistance from industry with respect to
endpoint detection and response. The agency has published a request for information in which it
solicits technical feedback from industry on tools and services that would provide sophisticated
endpoint detection
and response capabilities for U.S.-based government organizations. It's part of a
general effort on CISA's part to get improved EDR capabilities into federal civilian agencies
generally. The outreach to industry complements a memo the Office of Management and Budget issued
last week in which it directed agencies to cooperate by providing CISA
with information on their current EDR status.
While CISA is clear that the RFI is neither a solicitation
nor the promise of a solicitation,
the information is being sought for, as the RFI puts it,
market research purposes.
Nonetheless, industry might find it
worthwhile to engage the agency as it works toward greater clarity with respect to endpoint
detection and response capabilities. Replies are due by 2 p.m. Eastern Time on November 8th.
Digital Shadows joins other security firms in commenting on the reappearance and subsequent disappearance, again, of REvil.
They note that the gang's successive versions appear to have grown less profitable.
Why, then, the reboots?
Apparently, REvil thinks it retains some brand equity in the criminal-to-criminal markets.
That's open to debate, especially given the stick the gang has received from its underworld colleagues during its recent attempts to re-establish itself,
but it can be fatally easy to fall in love with your own brand. As far as the individual hoods
are concerned, whatever the ultimate fate of the gang, they are all too likely to find further criminal employment.
As the proverb has it, bad news doesn't improve with age,
and the Sinclair Broadcast Group's response to a ransomware attack seems to have been organized with that in mind.
The media company discovered a possible incident Saturday,
identified it as a cyberattack Sunday,
and issued a public statement Monday,
which the Wall Street Journal calls relatively quick disclosure.
Sinclair says it worked to contain the attack as soon as it was detected.
Sinclair continues to respond to and remediate the incident.
There's no word yet on which gang or which strain of ransomware may be involved.
And finally, bravo Trustwave. The security firm's
SpiderLabs has released a free decryptor for BlackByte ransomware. They also note that while
BlackByte is a dangerous and damaging strain of ransomware, at least one of the threats its
operators make, that of having stolen victims' data in a double extortion move, may be largely
empty. Trustwave hasn't found exfiltration capability in the BlackByte code it's analyzed.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
As long as there have been online message boards, there have been anonymous users,
people using handles or other ways to hide their real identity. There have been movements over the years to do
away with online anonymity, but it's an idea with loads of potential unintended consequences,
as our UK correspondent Carole Theriault considers in this report.
Some people say to me, why would you want to be anonymous online? Unless you want to go and troll someone or stalk someone or do something
vaguely or completely illegal, why would you need to hide your identity? Well, let me give you a few
reasons why. Maybe perhaps you find yourself newly single and you want to vet a new dating service.
You may not want to put in all your details or say you're looking for a new insurance provider
for a car, a home, whatever.
Many of these sites aggregate all the information you put in.
You may not want to put in all your actual information
and provide it to a third party
without knowing what they're going to do with it.
You should be able to do research online privately. Here's another example. Say it is your anniversary and you want to buy
your better half something fantastic. You don't necessarily want them to see all the sites you
visited as you trawl around looking for the perfect thing. Basically, I see a lot of online activities almost as diary entries,
and you want to vet who you give access to what information.
I think that gives you agency over your privacy or your anonymity,
which is a good thing.
The more we use an anonymous cloak to do not-so-good things like troll someone,
bully someone, make someone feel bad publicly and effectively shame them,
we chip away at our right to anonymity. In Deloitte's Changing Attitudes to Data Privacy,
a Digital Consumer Trends report from 2020, they said of the UK consumer
that they appear relaxed in general about data privacy and seem content to share online data
with a growing range of companies. And one of the reasons they cite is that perhaps this declining
concern about data privacy comes from a lack of understanding of the mechanisms via which the
data is uploaded, processed, and shared online. The whole thing may be unfathomable to most users.
I mean, gosh, I've been studying this industry for 20 years and I don't get how it all works.
How does someone who specializes in a completely different industry get their head around it?
It's impossible.
I don't know.
Maybe I am a complete dinosaur for caring about online privacy and anonymity.
And I wish there were better regulations to protect it for those that don't contravene the rules of engagement.
But hey, I'm open to arguments, pro or against. So let us know. This was Carole Theriault
for the CyberWire.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast.
Joe, great to have you back.
Hi, Dave.
You know, over on Hacking Humans, a topic that comes up pretty regularly is BEC, business email compromise.
It is indeed. And this article over from CSO caught my eye. This is written by Rosalyn Page,
and it's titled, Four Steps to Protect the C-Suite from Business Email Compromise Attacks.
I think those of us who have an interest in cybersecurity would say that certainly the
C-suite have some priority
here, right, Joe? Right, absolutely, because they're usually the targets for business email
compromise attacks. Yeah. So, what does this article outline here? So, it's talking about
some of the things you can do to protect the C-suite from business email compromise attacks.
The first thing is training them to recognize what a business email compromise attack looks like.
The very first step in business email compromise is to compromise someone's email address, right? And
that usually starts with a phishing or spear phishing email to try to get the person's
credentials. Because if I can get access to the CEO's email account, his actual account, there's
all kinds of havoc I can cause. So the first step is training them to recognize when a business email compromise,
what it looks like, what the email looks like, the idea that you're going to have to log in again
through a credential harvesting page that should set off a red flag. But they're very subtle.
And a lot of times these are spear phishing emails that are very well crafted and highly
effective. They have a really high rate of effect.
The second thing they say is put technical controls in place.
Yeah, makes sense.
Education is good, but if you don't have multi-factor authentication on CEO's email,
you probably should.
Yeah.
Something that can absolutely just stop this in its tracks.
Next, they say emphasize the C-suite needs to be an example to the rest of the organization.
Yeah.
Which is true.
They do.
They really do.
Yeah.
Yeah.
And, you know, it's funny.
Carole Theriault recently had a story here.
She brought us a story about how C-suite executives, the bosses can often be trouble.
Right.
Because they're, and understandably, they're so
busy with lots of things that they don't want to slow down to do a lot of these security things,
but they do so at their own peril. Right. Absolutely. Finally, they say, this article
says, communicate business email compromise risk to the CEO or to the rest of the C-suite in
business language. You know, a lot of times you'll have
a chief information officer who actually isn't from a technical background. They're from a
management background. Right. Right. So to explain this, you can't go, hey, we're seeing hundreds of
phishing emails coming in every day with these credential harvesting pages out there trying to
get credentials. They're, you know, somebody's going to fall victim to this at some point in
time. Right. And that's going to be bad. Port scans, web traffic.
Yeah, port scans and web traffic.
What you need to say is, there's a risk that somebody is going to gain unauthorized access to your email account, impersonate you, and cause the loss of millions of dollars to this
company fraudulently.
So put it in terms they understand, which is the terms of business risk.
That's where they live.
And then they'll say, well, how do we mitigate that?
What do we do with this risk?
Because there are three things you can do with the risk.
You can accept it, you can mitigate it, or you can transfer it.
And this is actually something that's pretty easy to mitigate very well with multi-factor authentication.
And you tell somebody that there's a risk to lose millions of dollars,
and you can mitigate it by spending $45 on a YubiKey or by spending no money on something like Microsoft or Google Authenticator.
Right.
Right?
And setting up a multi-factor authentication system that uses one-time passwords.
Right.
Yeah.
I mean, I think this is a really important point that it's up to you to be the translation layer.
Right. As the person who has the technical knowledge,
you need to come and speak to these folks in their language and not expect them to speak yours.
Yeah. Very early in my career, when I first started doing software development,
I think I've talked about this before. I was terrible at this. I would start telling people
how we were going to go about something or what we were going to do for them.
And they would glaze over, right? And their eyes, you'd see it and you'd see their faces just kind of just go
slack, you know, and their eyes would glaze over. And the guy who was my boss at the time,
who's still a very good friend of mine, he would say, what Joe is saying is.
Ah, yes. He was your Rosetta Stone.
Right, exactly. And he was, he was my supervisor at the time. One of the things that we talked
about in my reviews was the progress I was making towards not doing that, to communicating better
with non-technical people. And I've gotten better at it over the years. Of course, you can,
I used to know a guy who said the biggest room in the world is room for improvement. So there's
always room to get better. That's good. It's good. Yeah. I just think you can't underestimate these communication skills.
Even as a technical professional, you have all this vast realm of knowledge for all this technical
stuff, but it does you little good if you're not able to explain it in terms that other folks can
understand. You're going to get the tools you need. You're going to get what you want.
You're going to have greater success
if you can provide that translation
for the folks who you're working for.
Agreed, 100%.
Yeah.
All right, well, Joe Carrigan, thanks for joining us.
My pleasure. And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.