CyberWire Daily - The Russo-US summit ended in frank exchanges and the prospect of further discussions on cybersecurity. Ferocious Kitten tracked. Initial access brokers. Molerats return. Ransomware arrests.
Episode Date: June 17, 2021
The US-Russian summit took up cyber conflict, cyber privateering, and cyber deterrence, ending with the prospect of further discussions. Ferocious Kitten's domestic surveillance. Ransomware gangs are using a lot of initial access brokers. The Molerats are back. Troubleshooting a wave of intermittent Internet interruptions. NSA offers advice on securing business communication tools. Ukrainian police arrest six alleged Clop gangsters. Andrea Little Limbago from Interos on bringing the private sector back into the defense equation. Our guest is Charles Herring of WitFoo, with the case for cybersecurity as an extension of law enforcement. Nine alleged ransomware hoods collared in Seoul. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/116
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The U.S.-Russian summit took up cyber conflict, cyber privateering, and cyber deterrence, ending with the prospect of further discussions. Ferocious Kitten's domestic surveillance. Ransomware gangs are using a lot of initial access brokers. The Molerats are back. Troubleshooting a wave of intermittent internet interruptions. NSA offers advice on securing business communications tools. Ukrainian police arrest six alleged Clop gangsters. Andrea Little Limbago from Interos on bringing the private sector back into the defense equation. Our guest is Charles Herring of WitFoo with the case for cybersecurity as an extension of law enforcement. And nine alleged ransomware hoods are collared in Seoul.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, June 17th, 2021.

The Russo-American summit between Presidents Putin and Biden concluded yesterday after three hours of face-to-face talks. Reuters calls them professional as opposed to friendly, with some expressions of a willingness to pursue matters of arms control and cybersecurity going forward. Recent ransomware attacks came up, the New York Times writes, characterizing the two countries as remaining profoundly divided on this and other matters, with President Biden requesting an explanation and President Putin denying any Russian involvement. In a post-summit media availability, the two presidents did not hold a joint press conference. Mr. Biden said the discussion went like this, quote, I looked at him and said, how would you feel if ransomware took on the pipelines from your oil fields? He said it would matter. I pointed out to him that we have significant cyber capability, and he knows it. End quote.

Forbes reads the U.S. position as a direct promise of retaliation in kind to future Russian cyber attacks. Presumably, the retaliation would be proportionate and symmetrical, but it does seem to represent a move toward some commonly understood deterrence regime, short of the Cold War's mutual assured destruction, and with greater ambiguity, but an attempt at deterrence nonetheless. Computing reports that President Biden not only made reference to U.S. retaliatory capabilities, but also argued that critical infrastructure should be off-limits to cyber attack.

For his part, President Putin gave, according to TASS, a fairly ironic take on the summit, quote, as for the assessment, I believe there was no hostility at all. On the contrary, our meeting was certainly held in a principled manner. We differ in many respects in our assessments. However, to my mind, both sides showed willingness to understand each other and seek ways to bring the positions closer. The conversation was quite constructive, end quote. The New York Times reports that Russian government-aligned media have taken the line that President Biden is a man we can do business with and that it's gratifying to see that he recognizes Russia as a great power.

A report by Kaspersky Labs details a six-year record of domestic surveillance by an Iranian APT, Ferocious Kitten. As suggestive as the circumstantial evidence may be, Kaspersky doesn't explicitly attribute the operations to Iran's government, but CyberScoop reports FireEye sees a connection.
Security firm Proofpoint discerns a trend among ransomware gangs. They're relying less upon phishing and more on the services of initial access brokers to obtain a foothold in victims' networks. As their report puts it, ransomware operators often buy access from independent cybercriminal groups who infiltrate major targets and then sell access to the ransomware actors for a slice of the ill-gotten gains. Cybercriminal threat groups already distributing banking malware or other Trojans may also become part of a ransomware affiliate network. The result is a robust and lucrative criminal ecosystem in which different individuals and organizations increasingly specialize to the tune of greater profits for all, except, of course, the victims. End quote.

Proofpoint also published a report this morning outlining recent activity by the Molerats, which Proofpoint also calls TA402, an Arabic-speaking politically motivated threat group closely associated with elements in Gaza and active principally against Middle Eastern targets. The group is interested in espionage and its targets are generally governments, or what Proofpoint calls government-adjacent organizations. The group's latest campaigns use custom malware, LastConn, which appears to be an upgraded version of the previously observed SharpStage malware. LastConn both gains access to the targets and collects information from them. The malware sports distinctive features that render both automated and manual analysis difficult. Those features include geofencing on the basis of IP address, restricting target selection to computers with Arabic language packs installed, and distributing malware in password-protected archive files. The Molerats' typical approach to their targets in this campaign was spear phishing. One interesting observation Proofpoint makes is that whereas the Molerats had been making attacks on a weekly basis, they abruptly went on a two-month hiatus between March and early May, which coincided with both fighting in Israel and Gaza and with observance of Ramadan. Whatever the reason for the time off, the Molerats seem to be back.
Akamai is working to resolve issues with its content delivery platform that have caused brief intermittent outages in airline and financial services sites, CNN reports.

The U.S. National Security Agency this morning released advice on securing unified and voice communication. An essay describes the focus of the guidance as minimizing risk of disclosing sensitive info or losing service while using VVoIP. Risks include eavesdropping, impersonating users, or perpetrating denial-of-service downtime. Unified communication systems and their closely allied voice-over-IP systems offer rich and easy collaboration tools. But they also, and this is a familiar story, offer a more expansive attack surface than do old-school voice telecommunications. NSA advises network segmentation, Layer 2 protections, PSTN and internet perimeter protection, staying up to date with patching, authentication and encryption of signaling and media traffic, deploying standard fraud detection measures, using backups and monitoring to ensure availability, managing the risk of distributed denial of service, controlling physical access, and verifying your systems in a testbed.
Ukrainian police have arrested six alleged members of the Clop ransomware gang. The Record reports that law enforcement agencies from the Republic of Korea and the United States rendered assistance. The police seized not only servers, but a lot of cash and some fancy luxury cars, which suggests the alleged gangsters were living the gangsta lifestyle, as seen even on Ukrainian TV.

And finally, a most unwelcome form of computer customer service has surfaced in South Korea, where police in Seoul arrested nine employees of a local computer repair company. They're charged with creating and installing ransomware on their customers' computers. The authorities say the suspects got about $321,000 in ransom payments from the 40 or so companies they serviced in 2020 and 2021. Not all the repair company's employees were involved, and the alleged perpetrators were all in the sole office. Still, on balance, this can't be good for repeat business.
People have varying opinions when it comes to choosing the best metaphor for approaching cybersecurity. Some think it's most similar to public health, emphasizing things like basic hygiene and herd immunity. Others see it as a public safety issue, making sure you have proper locks on your doors and windows, and that you can summon law enforcement if need be. Charles Herring is co-founder and CTO of WitFoo, providers of a SecOps security platform. He joins us to make the case that coming at cybersecurity using a law enforcement model is the way to go.

So about 20 years ago, after 9/11, I was on active duty in the U.S. Navy and detailed to the Naval Postgraduate School to spin up what we would call today the Cybersecurity Group there. And the first thing that we spent a lot of time debating was, should the Network Security Group be a security group that focuses on the Navy, on the network? I'm on the network, so should the security group be a group that focuses on the network, or should it be a network group that has some security function? And the way that played out is I ended up working for the director of security for the base instead of working for the CIO or chief information officer. And the meetings I would have in the department would be with the base police and the intelligence officers. And we would talk about adversaries, criminals, and crimes. And so that was the scope of my initial cybersecurity work. But then I would go to other meetings with the IT department and we would talk about firewall rules and patching and antivirus and those types of things. And so it was two different, completely different worlds that I got to experience virtually every day, each with different outcomes and different goals. And that really led to a lot of the research that followed over the next 20 years was, should it be IT or should it be security? And where does each one play a role?

I suspect for a lot of folks, we think that, certainly the perception is that a lot of these bad actors are getting away with what they're doing with little consequence.

That's true. So the analogy I like to build is if you built a home and you put a large wall around it and barbed wire fence and put bars on the door and moats around the walls, the reason you do that is to increase the amount of time it would take for a criminal to get inside the home and execute a crime. But if the police are never called, if you're not able to shoot at or create pain for the criminal, those things don't mean anything. They can blow up the wall. They can dig under it. And that's the role that we're supposed to do in security, increasing risk until law enforcement shows up. The major deficiency we have right now is we're not in the habit of collecting evidence in a way that's going to allow us to communicate with law enforcement. And there's also risk associated with con law enforcement that we're afraid of what they will discover as part of their investigation, whether it's someone in our organization or something being disclosed. And so what's happening is sort of this code of silence that occurs. We never inform law enforcement. Law enforcement is the only group that can go and translate an IP address to a human being and put handcuffs on the person because the IP addresses don't care about being blacklisted. It's like putting handcuffs on the getaway car. It's a component of the crime. And until we're able to take what we consider logs in IT, turn it into evidence, turn that evidence into affidavits, get those affidavits to law enforcement, we can't close the loop on what does it take to move away from just always being terrified and trying to be the last person criminalized. Or as a friend of mine said this last week, I don't need to outrun the bear. I just need to outrun the slowest person that the bear is chasing. That mentality is bad citizenry. And eventually the bear figures out that you're tastier than the slow guy, which is starting to occur now. And that doesn't even work anymore.

That's Charles Herring from WitFoo.
And I am pleased to be joined once again by Andrea Little Limbago. She is the Vice President of Research and Analysis at Interos. Andrea, it's always great to have you back. I know lately you have been doing some writing with some of the work you do with NWC about this notion of bringing the private sector into the defense equation. What can you share with us about that work?

Yeah, so the project largely stems on, you know, focusing on lessons unlearned in cyber over the last decade or so. And, you know, one of the ones that I've seen is just really, the lesson unlearned is really how to integrate the role of the private sector in some regards, even just acknowledging just the, how much the private sector is on the front line of attacks. And so we really, you know, we're still very much so stuck in Cold War mentalities when thinking about what the private sector can and cannot do, what the role of it is, how even the private sector and the government can interact. And so it's really gotten to the point where, one, we haven't evolved our thinking on that at all, despite, you know, the enormous attacks that continue to hit the private sector. What's also leading to the divide, we hear about the Silicon Valley-DC divide that's been going on for quite some time. And even to the point, in a very recent testimony, Senator King said that basically smaller companies in Silicon Valley especially have given up on the Pentagon. So that's not something that is very sustainable for our national security. And, you know, fortunately, there have been, you know, that's a known problem. And so that's starting to get addressed. But the challenge is that, you know, it's not changing enough. And so in some regards, the Pentagon-Silicon Valley gap, that is how it's generally framed, is starting to be addressed by things such as the Defense Innovation Unit and Defense Works, those kind of new governmental programs that are aimed at expediting the acquisition process. And then conversely, there are plenty of efforts out there, not plenty, but there are some efforts out there that are trying to get technologists into policy, like the Aspen Tech Policy Hub, Tech Congress, NSI is a technologist fellowship. And so all those programs are really great, and they're very useful at addressing specifically the Silicon Valley-DC divide. But the private sector is much bigger than that. And so we really need to think about what will the role of the private sector be, potentially in warfare. I mean, so it's one of those things that sometimes it takes a shock to really think these kinds of thought, these new thinking about how to address it. But like in the pandemic, we saw many in the private sector switch their manufacturing model to help support manufacturing of health equipment. And so the question is, what would happen if there was some sort of conflict? What would be the role of the cybersecurity community? What would be the role of others in the financial sector, in the energy sector, really the broader manufacturing sector? And so we really don't have good answers for that because we still think about it much more so in a Cold War mentality. And so we're at a point, though, where the private sector is really rethinking their role as far as the role with national security and even as far as, you know, their own footprint. And so we're at actually a very opportune window right now where, because the private sector has had so much disruption from COVID, from the reshoring and the very supply chain disruptions, they're rethinking their global footprint right now and their role in building technology and what's in their technology stack. And so it's a really good time for the government to rethink, you know, how could those, you know, how could the private sector and public sector work together? You have more in the private sector now that are much more willing to address some of the national security concerns. It's not all of them, but there are some much more so now than in the past. And so what can we do to bring the private sector back into the defense equation and do things that are, you know, as it makes sense, you know, collaboration in the areas of where the bottom line and national security overlap. And I'd argue that that overlap is bigger than it has been in quite some time.

When you say that we're still approaching this from a Cold War mentality, what does that mean?

Yeah, you know, it's basically, and it's on both sides, by the way. It's both, several times we hear it's coming from the government side and also very much so on the private sector. For a while, it was, you're really thinking the government is the ones that is in charge of entirely national security. The private sector is in charge of business. And for a lot, the two don't cross. Early in the Cold War, especially much even more so during World War II, the private sector played a much more outsized role in national security. And that really has just kind of ebbed since that time. And so we need to get back to thinking about how the private sector can be an asset towards national security. And it can be in a variety of ways. And it doesn't necessarily have to be actually even being involved in warfare. But when you think about the restructuring going on as far as the various technologies and what technologies and companies are allowed and not allowed within businesses these days, that there's been over 300 Chinese companies that have been named by Commerce that are no longer allowed to have partnerships with companies in the U.S. And so the U.S. corporations are being hit both by the various disruptions from the trade war and the tech war, as well as all these regulation shifts. And so they're really rethinking the footprint of where they're going to be and what technologies are going to be in their tech stack going forward. And so that's a good time for the government to both help out as far as providing various kinds of incentives. Like Japan, for instance, has paid over $4 billion to its private, or is in process of paying that to their private sector to help them reshore. And so there's a lot on what the U.S. could do on the incentive side to help with the compliance to build towards those kind of trusted networks that the U.S. government wants to build for greater national security. And so there's just a lot that could be done in that area from that to even more of a holistic and actually moving toward a federal data protection law would be very, very helpful. Just to have some greater consistency across, it makes compliance a whole lot easier. And really thinking about those different areas and just what could be the broad range of incentives that the government could help with to help move towards those trusted tech stacks, to move, you know, when they're thinking about reshoring, you know, helping out and facilitating where they may want to go and providing, you know, additional kinds of, you know, carrots for like-minded countries that might be good places both for the business, for the bottom line, but also might make sense on the national security side. And so there's a lot of, you know, transformations that are going on, and if the government and private sector can work a little bit better on that, I think we'll be just a lot more prepared going forward into the future to handle all the transformations that are going on.

All right. Well, Andrea Little Limbago, thanks for joining us.

Great. Thanks.
Thank you. of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.