CyberWire Daily - The continuing problem of Meris and its bot-driven DDoS. Mustang Panda visits Indonesia. DPRK’s social media battlespace prep. Al Qaeda marks 9/11’s anniversary. And REvil seems to be back.
Episode Date: September 13, 2021
The Meris botnet continues to disrupt New Zealand banks, and has turned up elsewhere, too. Mustang Panda compromised Indonesian government networks. North Korean operators are using social media to soften up their prospective targets. Al Qaeda sympathizers marked the twentieth anniversary of 9/11 by calling for--what else?--more 9/11s. Malek Ben Salem from Accenture on deep unlearning, our own Rick Howard is in, talking about the latest episode of CSO Perspectives on adversary playbooks, and REvil seems to be back in business after taking what some of its hoods call “a break.” For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/176
Transcript
You're listening to the CyberWire Network, powered by N2K.
The Meris botnet continues to disrupt New Zealand banks and has turned up elsewhere, too.
Mustang Panda compromised Indonesian government networks.
North Korean operators are using social media to soften up their prospective targets.
Al-Qaeda sympathizers marked the 20th anniversary of 9/11 by calling for, what else?
More 9/11s.
Malek Ben Salem from Accenture on deep unlearning. From the CyberWire studios at DataTribe,
I'm Elliot Peltzman filling in for Dave Bittner
with your CyberWire summary from Monday, September 13th, 2021. The Meris botnet-driven distributed denial-of-service attacks organizations sustained over a week ago
have proven surprisingly difficult to remediate.
After a week full of fitful, apparent recovery, banks in New Zealand
continued to experience service disruptions through the weekend, the New Zealand Herald reports. Krebs on Security, which was also affected for four days by the botnet,
has an account of how Meris exploited vulnerable MikroTik devices to jam networks in several countries.
The bad news is that inexpensive gear continues to ship with default insecure states.
The good news, Krebs argues, is that for all of the inconvenience this botnet has just caused,
in general this form of DDoS has grown less dangerous as security firms have learned to cope with it.
Recorded Future reports that the Chinese cyber-espionage unit Mustang Panda has compromised, quote, the internal networks of at least 10 Indonesian government ministries and agencies,
including computers from Indonesia's primary intelligence service, the BIN, end quote.
PlugX malware hosted inside Indonesian government networks was still communicating with its command and control servers at least as recently
as this July. Recorded Future notified Indonesian authorities in June of their discovery, but the
authorities have been, perhaps understandably, tight-lipped in their response. The campaign
is believed to have been in progress since March of this year. North Korean cyber operators associated with Kumsong 121 threat group
are using a social media campaign as preparation for spear phishing and smishing attacks against
South Korean targets, the Daily NK reports. Social media are used to establish rapport
with the targets who are eventually asked to review a column on DPRK affairs the attackers claim to have written.
That document carries the malicious payload. The campaign seems noteworthy in the amount
of effort being expended in cultivating a degree of trust in the prospective victims.
In this respect, at least, Kumsong 121 seems to be taking a page from the kind of careful cultivation of agents long practiced by espionage services.
Gain their trust, habituate them to doing you small good offices, and accepting small good offices in return.
In this case, however, the good offices remain small.
No one's asking you for the secret war plans.
They're just wondering if you'd be so kind as to look over an op-ed they wrote and tell them what you think. Once they've opened the document or followed the link, they're pwned.
Over the weekend, SITE Intelligence director Rita Katz followed al-Qaeda sympathizers
writing in the online publication Wolves of Manhattan. They call for more attacks like those
of 9/11 and are emboldened by the U.S. withdrawal from Afghanistan, which they see as a validation of al-Qaeda's original strategy.
Quote,
As soon as the U.S. announced withdrawal from Afghanistan, al-Qaeda began transforming its media structure, emulating ISIS, creating dozens of media groups, each with a different mission, all serving the overarching goal of strengthening al-Qaeda.
End quote.
Katz tweeted.
How effective such online influence and inspiration will prove to be
remains, of course, to be seen.
The Taliban are generally regarded as allies of al-Qaeda.
ISIS is thought to be a rival.
The Taliban is expected to present as moderate a face online
as is consistent with its program. Neither Al-Qaeda nor ISIS are likely to be so nuanced,
relatively speaking. According to Bleeping Computer, the REvil ransomware gang is back
in operation, emerging from its brief occultation without even a gesture in the direction of rebranding.
The gang's Tor payment and negotiation site, and its data leak sites,
came back online and became accessible last week on September 7th.
A day later, it was again possible to negotiate your ransom with them,
in the old familiar way,
and on Saturday, the gang had posted a fresh set of stolen data on the dump site,
in its now-familiar double-extortion move.
There had been a great deal of speculation concerning what was going on with REvil when they dropped off the cyber map.
Were they feeling the hot breath of the law down their neck?
Unlikely, given their Russian base of operations,
and the Russian organs' tradition of indulging criminals
who concentrated on targets in Russia's adversaries,
but certainly within the realm of possibility.
Was it one of the periodic exercises in rebranding that criminal gangs undergo for various reasons?
Was it a split, with remnants of the gang going off on their own?
The former persona that represented REvil to the world was known simply as Unknown. Unknown the hacker, not a declaration of ignorance. Anywho, Unknown disappeared when
REvil went into occultation, and is now somewhere in the wind in parts unknown.
A successor representative popped up when the gang's servers came back online.
He or she simply goes by REvil. REvil posted some information that indicated that
Unknown had vanished, perhaps arrested. But others who appear to be in a position to know
are chatting to the effect that there was nothing so exotic going on. Everyone was just chilling,
for a while. An apparent spokesman for the gang was observed by Bleeping Computer,
chatting that they were simply on a break.
In full, the operator said, quote,
nothing happened, took a break, and continued to work.
Adding, I advise you to take breaks too.
So, come on.
It's not like the hoods have to make rate
at a pick-and-stow station in an Amazon warehouse or something.
You need a break.
You take a break.
Apparently.
And what about the high traditions
of crime with a capital C? Did Mr. Capone chill whenever he felt like it? Not really. Although we
admit our knowledge of Big Al is based mostly on watching The Untouchables. What performance
metrics are they using in the underworld these days anyways? Kids nowadays.
And I am pleased to be joined once again by Rick Howard, the CyberWire's Chief Security Officer and Chief Analyst.
Rick, I noticed that there is a lot of activity over on the CSO Perspectives podcast this week.
What is going on?
Indeed, that's true, my friend. We have lots of plates spinning on tall, skinny sticks this week, right?
And so far, none of them have crashed to the floor.
The first is that we're publishing our last episode
of the season, season six,
for the CSO Perspectives podcast.
And if you recall, we published our last episode
the week before the Labor Day break,
talking about a concept called adversary playbooks.
and why they're essential to our first-principle intrusion kill chain strategy. For this last episode, I invited Ryan Olson, the VP of Threat Intelligence
Unit 42 at Palo Alto Networks to the Cyber Wire hash table because he and I were partners in
developing that idea. So we talked about how it started, how it morphed over time, and the current direction that Palo Alto Networks is taking it.
All right.
Well, that is over on the pro side of things.
But on the public side, the ad-supported side,
there is an episode from Season 2 that's coming out.
What's that one about?
Yeah, this is a good one.
We invited three CISOs and one CIO to discuss how they run their internal security operation centers. We have
Don Welch, the Penn State University CIO, Helen Patton when she was still the CISO for Ohio State
University, Bob Turner when he was still the CISO for the University of Wisconsin at Madison,
and finally Kevin Ford, the current CISO for the state of North Dakota.
One more thing. You know, this past weekend was the 20th anniversary of 9/11. You were at the Pentagon on that day, and you have prepared
something special for our listeners. What can you share about that? Yeah, two years before that
horrible, horrible day, the Army stationed me at the Pentagon to be what was essentially the network
manager for the Army Operations Center. It's a place that coordinated global operations for the
United States Army. So you might say I had a bird's eye view of when the entire war on terror began.
So as a bonus episode for both the CSO Perspective shows, the subscription-based pro side,
and the ad-supported side.
Listeners will be able to download that special edition where I talk about my personal story on that day
and some of the implications to the Army and to the country 20 years later.
Yeah, I have to say I've had the opportunity to listen to it, and it's absolutely riveting.
I can't recommend it enough. So please, listeners,
do check that out. It's really worth your time. That's very nice for you to say.
Well, Rick Howard, always a pleasure speaking with you. Take care, my friend.
Thank you, sir.
Thank you.
And joining me once again is Malek Ben Salem.
She is the Technology Research Director at Accenture.
Malek, it's always great to have you back.
I want to touch today on a topic that I know is of interest to you. We talk about deep learning, but today you wanted to bring us up to speed on deep unlearning. What's going on with that?
Yeah, thanks, Dave. And I'm always glad to be back. Deep learning is a branch of machine learning, which is completely based on artificial neural networks.
Deep unlearning is a new research area. And the reason for its emergence is because
it turned out that these deep learning models that we create, or these deep neural networks have the capacity to leak some information
about the data that they learned from, or even to bias the outcomes or the decisions
that they make based on the data that they learned from.
So in order to make them, to improve their accuracy and to make them
more generalizable to data that they have not seen before, and more importantly, to reduce the risk
of them leaking private data, sensitive data, we need this process of unlearning,
having them forget what they learned or what the data that was used
for training them. Now, I have to admit, as a longtime Star Wars fan, this reminds me of what
Yoda said to Luke Skywalker, which is, you know, you must unlearn what you have learned. So I can't
get that out of my mind. So is this a matter of once these systems have used that data to develop the processes that they will then use, that that data is no longer of use to them?
The original data that they trained on?
Is that what we're talking about here?
To a certain extent, yes. Yes, I don't even want them to be generalizable so that they're not dependent on that data that was used to teach them or to train them because that has the effect of making them just perform well on data that is very similar to what they've seen before, but not perform as well on data that they
have not been exposed to. And also, you know, as I mentioned, there are some privacy attacks
against these deep learning models, one of them being what is known as the membership
inference attack, where the adversary does not even have to have any knowledge about the hyperparameters of the machine learning model or the deep learning model,
but they can extract some information about the data that was used to train that model.
And if that data is sensitive or contains some private information, some PII data, then, you know, there's that risk of PII leakage.
So it's important to have this in mind and build these models, you know, without understanding
there are, you know, generally two techniques to deal with this that fall under this deep
unlearning umbrella.
One of them is looking at methods or a method called SISA.
This was developed by researchers
from the University of Toronto
and Wisconsin-Madison,
where different versions of a model
are trained on non-overlapping subsets
of the same data set.
And then during inference, they can combine the
predictions from each model via majority vote. And this makes it possible to remove selected
training examples and retrain only the model associated with their subset. Another approach for dealing with this is removing the impact of a training example
on a model's weights after it's been trained if its loss function meets certain mathematical
conditions. So, you know, this is still an early research phase, but I think knowing the, in light of the new privacy regulations, right, such as GDPR, which requires or which has this right to be forgotten clause, there may be requirements for, or there may be cases where companies are forced to retroactively remove the influence of specific data from trained models.
And these techniques will be one way of achieving that outcome.
It's interesting.
Now, I mean, do you envision this becoming sort of a standard operating procedure
that when you go through the process of training a system, this will be part of it?
I think this will be after the fact, after training the model.
There's one technique that prepares the data set beforehand. There's this other technique that is
basically after the fact, once the model is trained, it removes the impact. But I definitely
think that one or the other would be part of the standard procedure if we want to ensure
that these models are privacy preserved.
All right. Well, fascinating stuff. Malek Ben Salem, thanks for joining us.
Thank you, Dave.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland,
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technology.
Our amazing CyberWire team is Tre Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, and I'm Elliot Peltzman.
Thanks for listening.