CyberWire Daily - The FBI and CISA take a look at the SVR, and offer advice for potential targets. Openness and information warfare. OPSEC and privacy. Babuk hits DC police. Social engineering notes.
Episode Date: April 27, 2021
FBI, CISA detail SVR cyber activities. Nine US Combatant Commands see declassification as an important tool in information warfare. A convergence of OPSEC and privacy? Apple fixes a significant Gatekeeper bypass flaw. Babuk ransomware hits DC police. A new twist in credential harvesting. Ben Yelin considers the FTC's stance on racially biased algorithms. Our guest Tony Howlett from SecureLink tracks the evolution of threat hunting. And that was no hack; it was just a careless tweet. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/80
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The FBI and CISA detail SVR cyber activities.
Nine U.S. combatant commands see declassification as an important tool in information warfare.
A convergence of OPSEC and privacy?
Apple fixes a significant gatekeeper bypass flaw.
Babuk ransomware hits D.C. police.
A new twist in credential harvesting?
Ben Yelin considers the FTC's stance on racially biased algorithms.
Our guest Tony Howlett from SecureLink tracks the evolution of threat hunting.
And that was no hack.
It was just a careless tweet.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 27th, 2021.
The U.S. FBI and CISA, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency,
have released a joint description of trends in SVR cyber activities,
summarizing the current state of the Russian Foreign Intelligence Service's operations against the U.S. and allied networks it targets.
In 2018, like everyone else, the SVR decided the future was in the cloud,
and it's been operating against targets there ever since.
The service makes heavy use of false identities and cryptocurrencies in putting its campaign infrastructure in place.
Quote, These false identities are usually supported by low-reputation infrastructure, including temporary email accounts and temporary voice-over-IP telephone numbers.
The SVR also uses open-source or commercial tools, notably Mimikatz and Cobalt Strike, in its operations.
There are perhaps confusing elements to the report,
especially in its allusions to the threat actor's presumptive organization chart and its track record.
Not everything mentioned in the track record, for example,
flowed through into the SolarWinds supply chain compromise effort.
But the specific recommendations in the document are worth thinking about.
The problem with supply chain compromises is the way in which they can turn trusted resources
against targeted organizations.
The Bureau and CISA recommend auditing log files to identify attempts to access privileged
certificates and creation of fake identity providers, deploying software to identify
suspicious behavior on systems, including the execution of encoded PowerShell, deploying
endpoint protection systems with the ability to monitor for behavioral indicators of compromise,
using available public resources to identify credential abuse within cloud environments,
and finally, configuring authentication mechanisms to confirm certain user activities on systems, including registering new devices.
There's a sense, communicated in a memo to the Office of the Director of National Intelligence from nine of the 11 U.S. combatant commanders (U.S. Central Command and U.S. Cyber
Command didn't sign), that more declassification would render important assistance to U.S. efforts
to counter hostile information campaigns. These are often, though not exclusively, disinformation efforts,
and the memo is thought to express concern that the U.S. is losing an information war,
and that excessive secrecy and over-classification are an important reason why.
Politico, which says it's seen a copy of the memo, quotes it in part as saying,
We request this help to better enable the U.S. and by extension its allies and partners
to win without fighting, to fight now in so-called gray zones,
and to supply ammunition in the ongoing war of narrative.
Unfortunately, we continue to miss opportunities to clarify truth,
counter distortions, puncture false narratives,
and influence events in time to make a difference. End quote.
The Wall Street Journal describes the way in which commercially collected and sold smartphone
geolocation data are coming to be recognized as a serious OPSEC problem.
It's a case in which the interests of operations security and privacy would appear to coincide.
The U.S. Department of Defense has sought to crack down on the ways in which its personnel
interact with the Internet,
but much personal data, especially geolocation information, is so pervasively collected that such measures have had, at best, debatable success.
Policymakers are looking at the problem, and it seems possible that such concerns may add impetus to congressional privacy legislation.
Apple yesterday fixed a vulnerability in its Gatekeeper notarization process,
The Record and others report.
The flaw, TechCrunch says, had been quietly exploited in the wild since January to distribute the Shlayer Trojan.
Researcher Cedric Owens, who discovered and reported the Gatekeeper bypass bug,
described the technique as one in which, quote,
a script is placed in the Contents/MacOS directory instead of a Mach-O.
Since scripts aren't checked by Gatekeeper,
this is a way in which malware can falsely present itself to the system as notarized,
that is, checked and verified as trusted.
Researcher Patrick Wardle confirmed Owens's conclusions.
Apple, as we said, fixed the problem Monday.
The Babuk ransomware gang has hit the Washington, D.C. Metropolitan Police,
StateScoop reports, and it's threatened to release 250 gigabytes of sensitive files.
The Record has screenshots of the dump site.
The attack represents a bit of a departure
for the Babuk gang, which hitherto hasn't shown signs of making it a practice to hit local
government organizations. But, of course, that's a matter of taste, a little bit, habit, a little
more, and above all, a judgment about potential return on investment. Babuk, like other criminal
groups, will go where its cost-benefit
analysis takes it. In this case, they were drawn to the D.C. police.
Security firm Avanan has noticed an interesting twist on a familiar social engineering gambit. The crooks ask the victims
why they, the crooks, paid them, that is, the victims. Are you trying to scam us, victims?
Of course, they ask you to log into your PayPal account to help them track down the error,
and then, of course, they'll harvest your credentials.
So it's a bit different, but the grammar and usage in the come-on are pretty bad.
Following conventional usage is important. If the message can't get it right with a relatively convincing appearance of native speaking proficiency, it's best ignored. And finally, hey everybody, here's a tip.
Twitter is not a search engine. Somebody at U.S. Special Operations Command apparently mistook it
for one, or maybe just had a confusing number of windows open, or was in a coffee-deprived
performative state, or something like that.
That somebody, whoever it may have been, tweeted out a baffling,
Afghanistan, Islamic State, on Saturday.
In truth, we all make mistakes, even U.S. Special Operations Command,
which, Task and Purpose points out, didn't have its social media accounts hacked,
as it initially believed and said they had been.
It was just
operator headspace that induced the Twitter mishap. Quote, after review, it was determined
our Twitter account was not hacked and a social media administrator inadvertently tweeted the
words while conducting a search for current topical events. We are reviewing our internal
processes to refine our social media practices. No security breach took place and we apologize. End quote.
So, as you were, everybody.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC
programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows
like policies, access reviews, and reporting,
and help you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Clear your schedule for you time
with a handcrafted espresso beverage from Starbucks.
Savor the new small and mighty Cortado.
Cozy up with the familiar flavors of pistachio.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
The SolarWinds supply chain attack has resulted in many organizations taking a closer look at their efforts when it comes to threat hunting,
with many advocating it become a standard ingredient in the security cocktail.
Tony Howlett is CISO at SecureLink, and I checked in with him for his thoughts on threat hunting.
So yeah, threat hunting is a pretty new discipline. It hasn't really been even considered a discipline until recently, and someone gave it a name. Honestly, I wish I'd gotten to name it,
because I don't think threat hunting accurately describes it. It sounds more like you're searching
for something out there in the wild. Really, what threat hunting describes is searching for threats within your network and your systems, either that have happened in the past or maybe
ongoing where you have an intruder. And in the past, again, this was done informally by
the system administrators or maybe a security person combing through logs, often kind of in
the name of forensics after something bad happened. But what we're
trying to do with threat hunting is let's do this before something bad happens. So maybe the
intruder has just gotten in and not really escalated privileges yet, not stolen anything
or accessed anything sensitive. Or, you know, in the case of one that's in the past, we can
hopefully find out what they did and take actions before your name appears in the press, you know, like it did with SolarWinds and some of those victims where they found out from either the FBI or news.
That's never a good thing.
So the idea there is to catch the threat while it's happening after your defenses have been breached or maybe perhaps deal with the threat in the past before it becomes public or before it can really damage you.
If you had the opportunity to rename it, what name would you choose?
Oh, you know, I should have thought of that before I put that forth.
It's okay. I didn't mean to put you on the spot.
No, it's a good thing to think about. Gosh, you know, perhaps indications of breach hunting,
which is not a very, it doesn't roll off the tongue, but that's really what we're looking for is indications of compromise or IOCs.
Can we find certain things that sort of the breadcrumbs or the trails that the thief left behind?
Oh, he left the bottle of milk on the counter would be the obvious one.
Or more accurately, oh, there's some footprints in my carpet that don't look like my shoes and things like this.
Almost all attackers,
even the best ones, might leave some trails behind. And that's what we look for when we're
doing threat hunting. Right. Where do you think we're heading with threat hunting in terms of,
do you think it's going to be more integrated into the standard suite of tools? What's on the horizon?
Yeah, I think so.
I think what we're seeing right now is an evolution away from this sort of geeky practitioner
in a dark room who's pouring through the logs,
almost like a beautiful mind kind of person
who can put all these things together.
That's really beyond all but maybe Rain Man at this point,
being able to look through these gigabytes of logs.
So we're leveraging AI and ML machine learning
to correlate things that the human mind can't see.
We're working together more across organizations,
the ISACs, the information sharing groups,
because we're really stronger together than we are apart.
And you are seeing some vendors offer mostly right now standalone
because it's a slightly different operation than running a firewall
and things like this, and any one device isn't going to have the data,
all the data you need.
It's the idea of aggregating log sources and connecting the dots.
But I think you will see, especially some of the larger vendors who have a whole suite of products,
maybe a Cisco or folks like that who can bring an integrated suite.
What's the value of that? It's going to be a marketing term for a while maybe. So
people might want to put that on their product brochure and charge money for it. What's the value?
You still want a person involved.
Even with the AI, ML, and all those things,
you've got to have someone sort of coordinating the whole process, I think.
That's Tony Howlett from SecureLink.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing
sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your
company safe and compliant.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security,
but also my co-host over on the Caveat podcast.
Hello, Ben.
Hello, Dave.
I was drawn, my attention was drawn to a publication that the FTC put out,
and it was brought to my attention via a tweet by a gentleman named Ryan Calo,
who is a law professor.
He's at R. Calo on Twitter.
And his tweet said, whoa, whoa, whoa, all caps, an official FTC blog by a staff attorney noting that the FTC Act prohibits unfair or deceptive practices that would include the sale or use of, for example,
racially biased algorithms. Is this an interesting publication from the FTC, Ben? And I wanted to
check in with you on what do you think this means in terms of the FTC signaling how they're going to approach people's use of AI?
I think, as you said on our caveat podcast, this is a shot across the bow to an industry to warn them that enforcement is coming on this question.
So, you know, this is certainly not something I think we would have seen from the previous presidential administration. I think it reflects a change in policy and change in
enforcement practices from the FTC. So basically what they're saying here is we have enough
evidence now based on recent studies to know that many seemingly benign algorithms are leading to
discriminatory outcomes where certain people are being denied access or, you know, are suffering other benefits on the basis of their race, nationality, etc.
Because of these inherently biased algorithms.
What the FTC is saying is not only could you suffer a reputational loss or, you know, potentially make your customer base angry,
you might face enforcement actions. So you might face civil or criminal fines or some other civil
or criminal sanctions. And they have the authority to issue those sanctions. They cite the FTC Act
itself, which prohibits unfair or deceptive practices. And according to this blog post
they posted on their website, that includes
the sale or use of racially biased algorithms. And then things like the Fair Credit Reporting
Act and Equal Credit Opportunity Act, where if your algorithm leads to some sort of discriminatory
outcome where people of a particular race are less likely to qualify for credit, then you are going to be eligible for sanctions from the FTC
for unfair trade practices.
So I think this is really a groundbreaking post
that we saw from the FTC and a real warning to the industry
that they are intending to take racially biased algorithms seriously.
Yeah, it's interesting.
I mean, you look at some of the titles of these paragraphs in this publication. It says, don't exaggerate what your algorithm can do or whether it can deliver fair or unbiased results. Tell the truth about how you use data. Do more good than harm.
forward, but they point out that you could end up with basically the equivalent of digital redlining, which was the old thing back in the, I suppose, the 60s was when it was really
a thing where neighborhoods would kind of carve out based on race who could live there or not.
They're saying that that could be an unintentional consequence of the way some of these algorithms
work. And if your algorithm is doing that, the FTC could come after you.
Yeah. And one thing that's important to note here is it does not require discriminatory intent.
One of the things they're saying here is that it's up to companies to watch out for discriminatory
outcomes. So even if you have the most benign intent possible, and many companies do,
they talked about research presented at a conference back in 2020 showing that algorithms developed for purposes like healthcare resource allocation and advertising actually ended up being racially biased.
So it is your responsibility as a company to evaluate whether your algorithm leads to discriminatory outcomes, even if you obviously had no intention of being discriminatory.
Well, it'll be interesting to see where this goes.
Again, this is over on the FTC's website.
It's titled, Aiming for Truth, Fairness, and Equity in Your Company's Use of AI.
It's written by Elisa Jillson, who is, I believe, an attorney at the FTC.
Interesting stuff.
Ben Yelin, thanks for joining us and helping make this clear.
Absolutely. Thank you, Dave.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman,
Puru Prakash, Kelsey Bond, Tim Nodar,
Joe Carrigan,
Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer
Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.