CyberWire Daily - The Russo-US summit is expected to take up tension over Ukraine and tensions in cyberspace. Microsoft disrupts APT15. Google disrupts Glupteba. Satoshi Nakamoto is...out there still?

Episode Date: December 7, 2021

Notes on today’s Russo-America summit. Microsoft seizes websites used by the Chinese threat actor Nickel. Google takes technical and legal action against a Russian botnet. Ben Yelin unpacks Australia’s aim to uncover online trolls. Our guest is Ed Amoroso from TAG Cyber. And the real Satoshi Nakamoto has yet to stand up--just ask a Florida jury. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/233

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Notes on today's Russo-America summit. Microsoft seizes websites used by the Chinese threat actor, Nickel. Google takes technical and legal action against a Russian botnet. Ben Yelin unpacks Australia's aim to uncover online trolls.
Starting point is 00:02:16 Our guest is Ed Amoroso from TAG Cyber. And the real Satoshi Nakamoto has yet to stand up. Just ask a Florida jury. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, December 7th, 2021. First, some quick developing news. The AP reports that Amazon Web Services users are reporting outages in the service. There's no word yet on causes or remediation. The disruption began around noon. We'll be monitoring developments. Now on to the rest of the day's news. The Russo-American virtual summit is in progress with the threat of Russian military action against Ukraine,
Starting point is 00:03:19 the principal topic under discussion. The principal U.S. leverage appears to be economic as opposed to military. Bloomberg reviews the range of sanctions available. The New York Times is running live updates on the meetings as details become available. The Guardian reports that Latvia's foreign minister Edgars Rinkēvičs has warned NATO to prepare a swift response should Russia invade Ukraine: forward deployment of troops, cancellation of the Nord Stream 2 natural gas pipeline to Europe, and the stiffest available economic sanctions. Latvia, as another former Soviet republic, is concerned that Russian action against Ukraine would constitute a sharp assertion
Starting point is 00:04:03 that the near abroad is firmly within Moscow's sphere of influence, indeed, under Moscow's effective control. The foreign minister sees NATO's credibility as on the line as well. Quote, Russia has to know that if you do something bad in Ukraine, then the NATO and U.S. presence in the eastern flank of the alliance will increase. If you do this, you will provoke a bigger presence than now. These decisions had to be made now through bilateral channels and the alliance. So, if Russia acts, there can be a swift and broad response that does not take months or years. End quote.
Starting point is 00:04:40 The troop movement NATO is urged to undertake would be forward deployment of combat units, including specifically air defense batteries, not a combat mission into Ukraine itself. It would amount to forward deployed deterrence, analogous to that practiced by the Atlantic Alliance in Germany during the Cold War. Foreign Minister Rinkēvičs also urges early and thorough preparation of a range of economic sanctions. Quote, work is already underway for a tough economic sanctions package, including the disconnection of Russia from the SWIFT banking system, sanctions on the Russian gas pipeline Nord Stream 2 and other economic sanctions. That package needs to be prepared so it can be applied reasonably quickly. We need to be able to target those who are helping Russia to get more revenues.
Starting point is 00:05:31 The U.S. is believed to be thinking along the same lines. While direct U.S. military action in Ukraine is very unlikely, sanctions are to be expected. Bloomberg runs through the U.S. options. Two especially severe strictures are, first, removing Russian access to the SWIFT interbank financial transfer system, and second, blocking Russia's ability to convert rubles into U.S. dollars, euros, or British pounds. The second option is the more likely, since the first would wreak widespread indiscriminate damage to ordinary citizens. Preventing conversion of rubles into other currencies would be more targeted and a more discriminating response. According to The Record, a senior unnamed administration official yesterday said that a Russian offensive might well be a cyber as opposed to a kinetic campaign, and here too U.S. economic sanctions are seen as a likely approach to imposing costs.
Starting point is 00:06:31 Russian government activity in cyberspace retains, as Mandiant reported yesterday, the high tempo it reached during the SolarWinds compromise. Kremlin toleration and arguably encouragement of ransomware gangs is increasingly an open secret. The New York Times says that extortion payments are passing through Federation Tower East, the tallest building in Moscow and the choicest business address in the city's financial district. Official toleration of cybercrime is expected to come up at today's summit. Microsoft has seized, pursuant to a court order the company obtained,
Starting point is 00:07:15 websites operated by the Chinese government threat actor that Redmond calls Nickel, and others call Ke3chang, APT15, Vixen Panda, Royal APT, and Playful Dragon. Microsoft has been tracking Nickel since 2016. It's known for pursuing targets in both the public and private sectors, but its particular interest in foreign ministries and diplomatic organizations suggests a concentration on foreign policy. Nickel is regarded as a capable and careful organization. Quote, the attacks the Microsoft Threat Intelligence Center observed are highly sophisticated and used a variety of techniques but nearly always had one goal, to insert hard-to-detect malware that facilitates intrusion, surveillance, and data theft. Sometimes, Nickel's attacks used compromised third-party virtual private network suppliers or stolen credentials obtained from spear phishing campaigns.
Starting point is 00:08:06 In some observed activity, Nickel malware used exploits targeting unpatched on-premises Exchange Server and SharePoint systems. End quote. Our cybercrime desk has been watching a lot of Three Stooges reruns during the pandemic. Not always, we admit, to their profit. And today, they tell us, spread out, knuckleheads. Here's why. Google has also been active against criminal infrastructure. In this case, the company took action against Glupteba, which might be roughly translated from Russian as, you dummy. Moe Howard would have said, Why you? In this case, Mountain View is attempting to provide the IOTA in the form of a technical head slap and a legal nose pull. Glupteba is a botnet.
Starting point is 00:08:53 Google thinks it currently contains about a million compromised Windows devices around the world. During growth spurts, Glupteba's bot herders have shown the ability to bring in thousands of new devices daily. The botnet is used for stealing credentials and other data, for cryptojacking on infected hosts, and for establishing proxies that can funnel other people's internet traffic through infected machines and routers. It's a criminal as opposed to an espionage operation.
Starting point is 00:09:21 Glupteba isn't new. Malwarebytes has been tracking it for some time, but Google's disruption is. As Google explains, quote, first, we are coordinating with industry partners to take technical action, and second, we are using our resources to launch litigation, the first lawsuit against a blockchain-enabled botnet, which we think will set a precedent, create legal and liability risks for the botnet operators, and help deter future activity. End quote.
Starting point is 00:09:50 The technical seizure of Glupteba's infrastructure will, for now, as Google cautiously observes, prevent the botmasters from using their botnet, but long experience teaches that criminal operations tend to prove resilient in the face of such disruptions, and Google thinks the bad guys will be back. In some respects, Google thinks lawfare might offer the prospects of a longer-term solution. Quote,
Starting point is 00:10:16 Our litigation was filed against the operators of the botnet who we believe are based in Russia. We filed the action in the Southern District of New York for computer fraud and abuse, trademark infringement, and other claims. We also filed a temporary restraining order to bolster our technical disruption effort. If successful, this action will create real legal liability for the operators, end quote.
Starting point is 00:10:40 And if the operators, or more so, those on whose support they depend, run afoul of the courts, there may indeed be some degree of deterrence here. And finally, this just in, yesterday, from the Wall Street Journal. Whoever Satoshi Nakamoto is or was, it's not Craig Wright and David Kleiman, at least according to a Florida jury in a civil case. Mr. Kleiman's estate, he himself is deceased, was suing Mr. Wright for a share in a partnership the two men have claimed to have established using the Satoshi Nakamoto pseudonym in order to set up Bitcoin. The jury did not find that the partnership had existed in that form, rejecting nine of the plaintiff's ten claims.
Starting point is 00:11:28 They found for the plaintiff on the 10th, converting Bitcoin owned by the partnership to his own use, and so Mr. Wright has been ordered to turn over $100 million in Bitcoin to Mr. Kleiman's estate. But that's a far cry short of the $50 billion, with a B, he might have been found liable for. The other upshot of the case, however, is that Mr. Wright will not be required to produce proof
Starting point is 00:11:54 that he's the original owner of coins mined by Satoshi Nakamoto back in 2009. It's worth noting that the claims Mr. Wright advanced in 2016 to be the inventor of Bitcoin have been widely examined and generally found wanting. But in any case, the exclusive and quite possibly mythical Mr. Nakamoto remains very much in the air, free as a bird and elusive as a morning song. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:12:40 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
Starting point is 00:13:03 They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:13:37 And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:14:23 The team at TAG Cyber recently released a quarterly report, this time focusing on the hybrid workplace, largely brought on by the pandemic and what it means for the future of cybersecurity. Ed Amoroso is CEO of TAG Cyber. Cybersecurity experts generally have a model in their mind when they think about computing. You have to. The power of abstraction in thinking and coming up with ways of developing protection solutions or any kind of technology is important. And the model we always had was like that perimeter model, right, where you have this blob of computing behind a firewall. And we all knew that that was dissolving to some degree.
Starting point is 00:15:04 But I think things came into very clear focus for companies in the 2019 to 2020 timeframe. For example, companies that go to a gigantic fuss about making sure that they very carefully program access from their employees or from consultants to resources that they would be tucking behind some VPN concentration in their enterprise. We're suddenly having meetings talking about that where their employees were using their home computers over Zoom to get a call. And we would laugh because we think it almost was like this very twisted concept of you're doing something convenient and very cloud-focused and sort of, you know, from a device and you're sitting in a Starbucks. And you're talking about designing something that has none of those attributes.
Starting point is 00:15:58 And it just became so obvious that this idea that you need to hairpin through a corporate gateway to get to the internet, that's always been dumb. So I think it just exposed how silly that was. And another one, for example, I do a lot of consulting with our team at TAG Cyber. We have a lot of ex-AT&T folks that work with us. Well, during the pandemic, we noticed that attitudes toward that shifted considerably. And I think zero trust came alive. Now, we in cybersecurity have a way of sort of, we get a concept that's interesting, and we beat it to death, right? Yeah.
Starting point is 00:16:40 So it's not like zero trust is wrong. It's just the marketers got a little bit too aggressive with the concept. Now it's become a caricature. But once that settles down, the idea that from a device, you'd hit a network to get to cloud to reach an app, that's 99% of what we all do every day. That is our use case. And whether you're a user doing it to get to an app, or you're a supplier dealing with a customer, or you're even a branch office getting to cloud, that cadence
Starting point is 00:17:11 is the same. And that's the essence of not only Zero Trust, but also this idea of secure edge, like having this second generation business network that's no longer MPLS hub and spoke, but rather, you know, what some people would refer to this as like sassy, not always so crazy about the term, because I think most people who say it can't expand the acronym, but the idea is next generation cloud hosted workload access. How do you manage that? And it's kind of magical because I remember in the early days of networking when it was shown to me, I think it was Cisco showing me when I was at AT&T, the idea of separating data and control planes. I know that shows you how old I am. Take that for granted. But that was such a great idea. I mean, when you're managing
Starting point is 00:18:07 networks, that idea was like, I thought, what a really capable team that would think that up. And it was the whole network industry. Well, once you've separated those two, the next insight was take all the control. And instead of worrying about thousands of routers or endpoints or hundreds of branch offices, put it in the cloud. And now you can control the network from the cloud. And as that came into focus the last few years, nothing has made me happier. And that is the essence of work from anywhere. That's what work from anywhere means. It means that we can extend,
Starting point is 00:18:53 we can scale, we can manage in a way that allows us to build networks that can look like any shape you like instead of the old MPLS hub and spoke, which really was quite limited. You can't draw hub and spoke networks in a way that scales. Anybody who's ever looked at a GUI that uses hub and spoke knows what I'm talking about because the screen very quickly gets unmanageable, right? You got all those lines coming out of a big dot and you go, oh, what good is that? So it's been an era the last few years where hybrid work has allowed us to do better jobs as computer scientists, as network engineers, and definitely as cybersecurity experts. So we focus a lot about that in the quarterly. That's a big topic we cover. That's Ed Amoroso from TAG Cyber.
Starting point is 00:20:13 Thank you. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security. Also my co-host over on the Caveat podcast. Hello, Ben. Hello, Dave. Interesting article from ZDNet. This is written by Campbell Kwan, and it's titled, Social Media Platforms Need Complaints Schemes to Avoid Defamation Under Aussie Anti-Troll Bill. The folks in Australia are proposing a bill here that could clamp down on some social media companies. What is going on here, Ben?
Starting point is 00:21:05 This is the type of bill that would never stand a chance in the United States just due to our political culture and our respect for civil liberties. But nevertheless, it's always interesting to see what happens in other countries. So this is a proposed bill. It hasn't been enacted yet. It's called the Social Media Anti-Trolling Bill of 2021. Tech companies in Australia would be classified as publishers of any comments posted on a social media platform. This would apply to any platform that has more than 250,000 users in Australia. Okay. Under this law, if somebody reasonably believes that they have been the victim of defamation or trolling,
Starting point is 00:21:42 then the social media companies would be compelled to share identifying information about the supposed troll. So username, address, phone number, et cetera. IP address, I suppose. Exactly. And that would allow
Starting point is 00:21:57 Australian law enforcement to undertake an investigation. There is sort of a safe harbor provision to protect people's identity if the platforms reasonably believe that the complaint doesn't actually relate to defamation. If it's something that's frivolous, then the companies wouldn't be required to provide this information to the person complaining. I understand the impulse for this law. Trolling is certainly bad. We don't want to see people harassed on the internet.
Starting point is 00:22:27 Right. But I always worry about a slippery slope with these types of things. in place where it can be employed for political purposes, to target disfavored groups, identify people who, you know, might have a good reason about posting certain types of content on social media platforms that isn't defamatory. So I think this is an interesting idea by the Australian Parliament. But like I said, I just don't think this is something that would be seriously considered in the United States. So is this a matter of that there are compelling cases for anonymity online that benefits us all? Yeah, I mean, we've had a debate over the years about whether there's a right to be anonymous online, and there are costs and benefits to the rights of anonymity. Obviously, the benefits are, you know, we can foster a better marketplace of ideas.
Starting point is 00:23:28 People aren't going to be willing to say what they think and feel and, you know, start the sort of broader political, religious, et cetera, discussion on online platforms. So that's the positive side. The negative side is people control other people without there being any consequences. So you have to kind of weigh those values. I think in the United States, just based on our political culture, generally most people would weigh on the side of let's keep this marketplace of ideas open. You know, if somebody's threatening violence against themselves or somebody else, maybe that's a rare opportunity where social media companies should have to identify that user. But when we're talking just about mean words, about trolling, even if it is
Starting point is 00:24:11 defamatory, it shouldn't rise to the level where we're de-anonymizing individuals. Again, that's my personal view, but I think it's something that would be widely shared here in the United States. Again, you know, I think every country is different. If you have a culture that prizes the protection of people online, online safety, the protection from trolling, then I can understand why this would be a compelling proposal. I'm curious if Australia were to put something like this in place, how does that affect the global marketplace of your Facebooks of the world that are global platforms? How do you manage when people are exchanging things across international borders and you have one nation, Australia in this case, a democracy, who has this set of rules that might not align with others. So, you know, it would apply to companies like Facebook because it's any company that has more than 250,000 users in Australia. I'm sure that's true for every single big tech organization, big tech company. They definitely could meet that threshold of users. So you'd have to have
Starting point is 00:25:22 a compliance team as it relates to this Australian law to make sure that you're able to respond to these types of requests. Now, you're only able to get information on subjects over which Australia has jurisdiction. So people who are actually in Australia or under the legal jurisdiction of Australia. You know, that means we could see, Right. and then you wouldn't be subject to penalty under the law. You know, I don't know enough about the broader tech statute provisions in Australia, whether, you know, there are laws against concealing yourself in that way. But it certainly, I think, seems right for people to try and get around these requirements. It reminds me of an old social media hack, and I don't know if it's like a social media life hack. And I don't know the degree to which this is true. But I remember hearing several times years ago that if you wanted
Starting point is 00:26:30 to get rid of the Nazis on your Twitter feed, tell Twitter that you're located in Germany. Right. Exactly. Where the Nazis are banned. Exactly. And so they go away. And so evidently, they're capable of filtering them. It's just you have to, they have to be compelled to do so. So it's interesting. And this, you know, I don't think this would be that much of a burden on Facebook because, or, you know, similar tech companies, because I think there are provisions to varying degrees like this in other countries. I'm not sure in Western democracies it's ever gone this far, but it's not something that they're necessarily, that they're not going to be capable of adhering
Starting point is 00:27:10 to. Yeah. All right. Well, it'd be interesting to see it follow through, see if it actually becomes a law there, and if so, how that might affect the rest of the social media world. Ben Yelin, thanks for joining us. Thank you. Clear your schedule for you time with a handcrafted espresso beverage from Starbucks. Savor the new small and mighty Cortado. Cozy up with the familiar flavors of pistachio or shake up your mood with an iced brown sugar oat shaken espresso.
Starting point is 00:27:46 Whatever you choose, your espresso will be handcrafted with care at Starbucks. And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. Business needs AI solutions that are not only ambitious, but also practical and adaptable.
Starting point is 00:29:05 That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Thank you.
