CyberWire Daily - The EU asks Russia to knock it off, and specifically to stop with the GhostWriter. Zoombombing in Cambodia. Conti is back; Colossus is a new entrant in the ransomware field. Meng returns to China.
Episode Date: September 27, 2021
The EU publicly blames Russia for GhostWriter, and counsels Moscow to amend its ways. Finland's security services warn of foreign cyberespionage and influence threats. Zoombombing at the highest levels in Cambodia. A ransomware operation, "Colossus," is described. Conti is back, as predicted, and has hit a major European call center. Dinah Davis from Arctic Wolf on cybersecurity learning standards. Our guest is Otavio Freire from SafeGuard Cyber with insights on how to defend against nation-state actors and zero-day exploits. And Huawei's CFO is back in China. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/186
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The EU publicly blames Russia for Ghostwriter and counsels Moscow to amend its ways.
Finland's security services warn of foreign cyber espionage and influence threats.
Zoom bombing at the highest levels in Cambodia.
Colossus is the latest ransomware kid on the block.
Conti is back as predicted and has hit a major European call center.
Dinah Davis from Arctic Wolf on cybersecurity learning standards. Our guest is Otavio Freire from SafeGuard Cyber,
with insights on how to defend against nation-state actors and zero-day exploits.
And Huawei's CFO is back in China.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Monday, September 27th, 2021.
The European Union on Friday publicly attributed the Ghostwriter cyber espionage and disinformation operation to Russia. The statement said, quote, "have observed malicious cyber activities collectively designated as Ghostwriter and associated these with the Russian state. Such activities are unacceptable as they seek to threaten our integrity and security, democratic values and principles, and the core functioning of our democracies. These malicious cyber activities are targeting numerous members of parliaments, government officials, politicians, and members of the press and civil society in the EU by accessing computer systems and personal accounts and stealing data. These activities are contrary to the norms of responsible state behavior in cyberspace, as endorsed by all UN member states, and attempt to undermine our democratic institutions and processes, including by enabling disinformation and information manipulation. The European Union and its member states strongly denounce these malicious cyber activities, which all involved must put to an end immediately. We urge the Russian Federation to adhere to the norms of responsible state behavior in cyberspace."
No immediate action was announced, but as the statement's final sentence warned, the European Union will revert to this issue in upcoming meetings and consider taking further steps.
The attribution and warning didn't say which nations had received the attention of Ghostwriter,
but as the Washington Post notes,
the timing of the communique suggests concern for Germany,
which held elections over the weekend.
The outcome of that election seems to be that a center-left coalition led by Social Democrats with the smaller Green and Free Democrat parties will form the government that will succeed retiring Chancellor Angela Merkel's.
Independently, Finland's Security and Intelligence Service called out both Russian and Chinese cyber espionage and influence operations as major continuing threats, Bloomberg reports. Cyber espionage and ransomware are seen as especially acute threats, but the assessment also assigns a particularly high risk to Finnish information infrastructure from potential legitimate investments by authoritarian states.
According to online tech publication Rest of World,
Cambodian Prime Minister Hun Sen Zoom-bombed an online conference held by the country's banned opposition party
to tell participants that their communications
were being monitored.
The leader said, quote,
I have been listening and have entered to listen
many times already, end quote,
taking an unusually hands-on approach
to warning the opposition.
He is said to have wagged his finger
and cautioned the opposition to behave themselves
and stop insulting him should they expect to be permitted back into public life.
Premier Hun Sen, a Khmer Rouge alumnus with all predispositions for social control
and political repression that affiliation suggests,
is believed to be working toward tighter control of Cambodia's internet.
The Prime Minister said on his preferred Facebook platform that he'd previously attended 20 of the
opposition's online meetings, explaining, quote, this entry was just to give a warning message to
the rebel group to be aware that Hun Sen's people are everywhere. Please be careful and don't do any
activities against the national interest.
End quote.
Cambodia's control over its domestic internet is regarded as likely to increase this coming February
when the country's national internet gateway comes online.
The gateway will route all internet traffic through a single point
where a state operator will exert national policy by blocking undesirable websites
and collecting user metadata. On Friday, ZeroFox discovered and described a new ransomware strain
they're calling Colossus. Its one known victim is a U.S.-based automotive dealership group,
and the attack is the now-familiar double extortion that both encrypts
data and then threatens the public release. Colossus hasn't shown much disposition to chatter
on the dark web, but its operation suggests familiarity with the ransomware-as-a-service
criminal market. In particular, their communications with their victims have a familiar look,
resembling, as they do, similar messages issued by Epsilon Red, also known as Black Cocaine, and REvil, also, of course, known as Sodinokibi.
This suggests, ZeroFox suspects, that Colossus may be using a similar builder.
A dump page for doxing uncooperative victims has yet to appear, but ZeroFox expects one to surface shortly.
The Record reports that the major European call center operator GSS has sustained an attack with Conti ransomware.
The attack hit on September 18th.
GSS has taken down affected systems and is working toward a full restoration of normal services.
Russophone security researcher Haber, disappointed with his treatment by Apple's bug bounty program and Apple's failure to respond, has published, according to Forbes, three zero-day vulnerabilities
affecting iOS 14 and iOS 15. Haber says he disclosed the bugs to Apple's bounty program back in March.
And finally, the BBC reports
that Huawei CFO Meng Wanzhou is back in China
after reaching a deferred prosecution agreement
with the U.S. Department of Justice.
Justice agreed to defer prosecution
in exchange for Ms. Meng's admission
of having misled its partner,
financial services firm HSBC, about Huawei's extensive and sanctions-violating involvement
with Iran. The New York Times reports that Canadian citizens whom China had detained
shortly after Ms. Meng's arrest were also released and have returned to Canada.
Recall that Ms. Meng had been detained in Vancouver
pursuant to a U.S. warrant
and had been fighting her extradition to the States.
Their arrests were widely regarded
as intended simply to give China leverage in the Meng case.
The Guardian quotes critics as calling China's actions
hostage diplomacy,
which probably isn't a bad characterization.
Zero-days are notoriously difficult to defend against, since these types of exploits are developed to target vulnerabilities that are unknown to software developers. One of the ways to mitigate these types of attacks is to continuously look for potential vulnerabilities within the software that's being used. Otavio Freire is president, CTO, and co-founder of SafeGuard Cyber, and he offers these insights.
You've built a great piece of software or technology or infrastructure,
and the bad guys, either it's organized hackers or up to nation states, have figured out a way, a hole in that infrastructure that you did not know about and use it to exploit for espionage, for financial gain, for take a pick of malicious means.
Is it fair to say that not all zero days are created equal?
Oh, absolutely. Absolutely.
I mean, take SolarWinds, right?
I would almost put that in one extreme.
Very sophisticated operation carried out.
We now know by a nation state that took advantage of supply chain,
figure out massive scale,
create it easier today, if you will.
On the other extreme,
you have some WebKit in a browser
that you go to a website
and it's exploiting some vulnerability,
JavaScript or a browser
that does something to a target group of users.
So absolutely. I think there's a continuum
both of complexity, investment, and outcome from zero days.
There's effectively a market for it.
There was a working financial market that buys these zero days.
Governments buy these zero days, and the prices vary, right? Depending on
their sophistication and complexity and operating system,
the price that they can be purchased at is a proxy almost
for the level of sophistication or the spectrum
of sophistication out there. And how does an organization prepare against this?
I mean, how do you dial in appropriate resources
for this particular type of threat?
Yeah, well, it's important to point out
the disparity between the sophistication attackers
in any organization, right?
No matter how sophisticated.
So it always is a, no matter the situation,
it's a David and Goliath situation.
I think we all need to understand that.
That being said, organizations can always do better
in terms of preparing for these attackers.
I think the very first step is understand what your risk is, right?
It is a hard thing to accomplish, actually, it's a thing to say,
but it's an important step because there are just basics that need to be done. You know, a good backup process, a good threat intelligence process built around
your organization, a QMS system
that takes into account the best practices
of a cybersecurity program. There are things that you can
just do to make sure in case of a cyber attack that you
are well prepared.
And this all leads to some risk assessment that you can do to prepare for the case of
a nation state attack.
I mean, of course, after the attack, a breach has occurred.
Well, it's just too late.
So the hard work is creating that resilience, understanding your risk level, and then addressing it.
So how do you prevent malware and ransomware from propagating in the business?
How do you, in case you are attacked through ransomware, now you're thinking down the chessboard, well, how do I avoid a data loss attached to a ransomware? And then how do I also protect the human attack factor from these nation-state attacks? And if you watch the DBIR reports over the years, it's just social engineering and the human factor just kept rising as more of the means that you deliver things such as ransomware.
So looking at your organization, understanding that the human is a potential attack factor, humans are using communication channels, everything from email to something like we're on today here, a video-based collaboration tool. These are all means that these incredibly destructive tools of these nation states, such as ransomware, can be delivered. So it's important to have an automated software that allows you to detect when these attacks are taking place and respond.
But even more importantly, you've got to think up the value chain and start with the risk, right?
To avoid you getting to that point.
But it's a complicated matter to defend against nation states for sure.
That's Otavio Freire from SafeGuard Cyber.
And I'm pleased to be joined once again by Dinah Davis.
She is the VP of R&D Operations at Arctic Wolf.
Dinah, it's always great to have you back.
I wanted to touch today on something that I know you've been following,
and this is learning standards when it comes to cybersecurity. What do you have to share with us today?
Yeah, I was really excited that recently cyber.org came out with an entire curriculum for teaching cybersecurity to kids from K all the way to 12.
Really impressed with it. It splits up how they teach it into three main categories, which is like computing systems where they talk about like networking and, you know, software updates and that kind of stuff.
Digital citizenship.
And for that one, it's all about like cyberbullying, digital footprint, like getting, you know, making sure they know and are aware of what it is to be
online. And then information security is the last column. I was very excited about this. I've maybe
posted a couple times to the Canadian government that they should get on this. I've also been a
big believer in kids learning tech and computing really early. I feel like we teach our kids about physics,
about biology and math so that they know when the doctors are talking or they go see a specialist
or something, it's not magic. It's science. It's based in reality. And with their worlds being so digital, I really think they should know it's not magic.
That's interesting. So it's in a way demystifying some of the things that are going on behind the scenes.
Exactly. They should understand that it's just algorithms that are working on their iPad.
That it's not, you know, it can't do everything because a human had to program it to do that.
It strikes me, along with what you're saying there, that, you know, we teach kids things like basic health and hygiene.
And I wonder with computers and certainly their online networks and these being a primary way in which they interact with their friends.
Does this go along with that?
Is this a basic skill that needs to be just a part of growing up
that all kids really should have?
I think so.
And it's not just the technology.
It is the security part.
And I was really excited to see that they put the digital citizenship with it
as well, because that's also your privacy and what you do online matters and it will be recorded.
And also just that you can have all of your stuff stolen, right? So, you know, we don't go out in the world and tell our kids to just walk across the street without looking both ways, right? Because they could get hit by a bus. Well, the internet's not that different, right? There's some pretty crappy things that can happen to them online if we don't teach them what's safe.
Do you think there's a component to this as well of bringing the parents up to speed and having them understand what part they play?
Yeah, 100%. And I mean, I don't know what the cyber org has in their settings,
but I know that as part of their curriculum,
it's teaching teachers how to teach this.
So at the very least, it's pulling teachers in
to get engaged and educated about it.
Because if they're not educated about it,
like, I mean, they're going to do things
in front of the students
that potentially are risky behaviors,
like not bad, but like, you know,
they could be using the same password
and giving that password out to everyone.
And then that's an okay thing to do,
but it's not, right?
Right, right.
Wash your hands, right?
Brush your teeth.
Exactly.
Don't reuse your passwords.
Yes.
Yeah.
In my household, those are some hardcore things.
Yeah.
Boy, I'll bet all the kids love to visit the Davis family, right?
Now, kids, before we eat dinner, I'm going to need you to show me your YubiKeys.
I think my teenage daughter would kill me if I did that.
I'll bet she would. All right. Well, Dinah Davis, thanks for joining us. You're welcome. And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security, Ha!
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks
where all the fine podcasts are listed
and check out the Recorded Future podcast,
which I also host.
The subject there is threat intelligence,
and every week we talk to interesting people
about timely cybersecurity topics.
That's at recordedfuture.com slash podcast.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karp, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio. Thanks for listening.
We'll see you back here tomorrow.