CyberWire Daily - The Solorigate cyberespionage campaign and sensitive corporate data. The cybersecurity implications of physical access during the Capitol Hill riot. Ransomware’s successful business model.
Episode Date: January 8, 2021
Solorigate and its effect on sensitive corporate information. The DC riots show the cybersecurity consequences of brute physical access to systems. A North Korean APT resurfaces with the RokRat Trojan. Ransomware remains very lucrative, and why? Because people continue to pay up. Thomas Etheridge from CrowdStrike on the role of outside counsel in the IR process. Our guest is Larry Lunetta from Aruba HPE on how enterprises can bolster security in the era of hybrid work environments. And a criminal hacker gets twelve years in US federal prison. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/8
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Solorigate and its effects on sensitive corporate information.
The DC riots show the cybersecurity consequences of brute physical access to systems.
A North Korean APT resurfaces with the RokRat Trojan.
Ransomware remains very lucrative.
And why?
Because people continue to pay up.
Thomas Etheridge from CrowdStrike on the role of outside counsel in the incident response process. Our guest is Larry Lunetta from Aruba HPE on how enterprises can bolster security in
the era of hybrid work environments.
And a criminal hacker gets 12 years in U.S. federal prison.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, January 8th, 2021.
The U.S. Justice Department has confirmed that it was among the organizations affected by the Solorigate incident.
Bleeping Computer tallies the number of compromised DOJ email accounts and comes up with about 3,400 mailboxes,
roughly 3% of all the mailboxes in the department's networks.
Krebs on Security says that the administrative offices of the U.S. courts,
in its own efforts to clean up after Solorigate,
is particularly concerned about its case management electronic case files system,
which holds sensitive and often sealed court documents.
That system appears to have been hit hard by the cyber espionage campaign.
Bloomberg Law points out that much of that sensitive information
involves corporate data.
Those data include highly sensitive competitive
and financial information and trade secrets,
including companies' sales figures, contracts, and product plans.
Such matters are often addressed in court documents.
The material could include, attorneys cited by Bloomberg Law say,
quote, everything from the algorithms ERISA providers use
Even assuming the Solorigate operators are Russian state espionage services,
members of the large and active Huggy Bear family, the compromise of such information not only offers
opportunities for disruption of an adversary's economic activity, but the chance for a lucrative
APT side hustle as well.
The rioting on Capitol Hill has left a cybersecurity mess in its wake.
TechCrunch, while observing that classified material of the sort handled by various committees ought to be and probably is maintained on a separate secure network,
says that the physical access rioters had to ordinary IT systems was extensive.
Forbes quotes experts to the effect that Congress should consider its devices and networks compromised
and rebuild them accordingly.
Some of the first steps in remediating the goons' romp through the Capitol offices are now being taken.
Politico reporter Eric Geller tweeted a message from the chief administrative officer of
the U.S. House of Representatives, who yesterday issued guidance on recovering systems affected
by Wednesday's riot. She said that while there was no evidence that House networks had been compromised,
all offices should account for IT equipment and seek assistance if they find any missing.
They should regard any device that may have been accessed during the riots
as potentially compromised, and, of course,
they should change passwords on next login for any systems
that may have been exposed to unauthorized access.
For the rest of us, an after-action review of the rioting
should remind us of the threat that brute physical access to devices poses.
There's theft of equipment, of course,
and there's the simple obvious problem of people just looking at the stuff,
emails, documents, presentations, and so on,
that's left open to inspection by users fleeing their workstations in haste.
It's like a massive shoulder surfing,
or maybe the worst evil maid attack imaginable.
It would seem that planning shouldn't overlook such things
as device inventories, control of removable media, device encryption, easy locking of screens, and so
on, and of course, fundamental physical security itself. There are, of course, other things going
on besides Solorigate and disorder in DC. ZDNet reports a renewed campaign by North Korea's APT37,
also known as ScarCruft and Reaper, that's deploying the RokRat Trojan against targets of interest,
for the most part South Korean.
The infection vector has been compromised Hangul office documents.
RokRat has been seen before, but researchers at security firm Malwarebytes
draw particular attention to the use being made in the current round of infections of
self-decoding VBA office files. That's been seen before, but it represents a new approach for APT37,
Malwarebytes thinks. How much money is there to be made in ransomware?
A lot. A report published today by the security companies Advanced Intelligence and HYAS concludes
they've looked into the crooks' wallets, specifically at 61 deposit addresses
attributed to Ryuk ransomware affiliates,
which are used to launder their Bitcoin through altcoin exchanges.
The two exchanges most commonly used appear to be Huobi and Binance, both of which,
the researchers say, claim to comply with international financial laws and express a
willingness in principle to cooperate with investigations. In any case, the security
companies say, quote, after tracing Bitcoin transactions for the known addresses attributable
to Ryuk, the authors estimate that the criminal enterprise
may be worth more than $150 million.
End quote.
Two interesting side notes.
The crooks are all business.
They're quite indifferent to the mission
or resources of their victims,
except insofar as that might affect their ability to pay.
Sleazy chop shop or altruistic friend of the poor,
it matters not at all to the criminals once they've got you.
But there is some discrimination in choice of target
that's based entirely on ability and willingness to pay.
Potential victims are graded with a score on their performance during preparatory attacks.
As the report puts it, quote,
the precursor malware families that generally lead to Ryuk
are used to create a score for the victim so that the operators will know how lucrative a target might be.
For example, the number of domain trusts is one significant indicator that is collected automatically by precursor malware that is observed prior to a Ryuk incident.
This score is then used to identify victim networks that would be the most likely to pay a large ransom.
Ransomware continues to be profitable because people keep paying the ransom.
One example of this comes from Delaware County, Pennsylvania,
which paid its extortionists, the Delaware County Times reports.
It's not entirely clear how much the county paid,
but reports suggest that the total may have been as much as half a million dollars.
Most of that is believed to have been covered by insurance, with the county government on the hook for a $25,000 deductible.
It will take a while before incentives align in ways that discourage ransomware attempts.
One criminal hacker, a Russian national who in September of 2019 copped a guilty plea to stealing information on more than 100,000 U.S. consumers
from a baker's dozen or so of companies, has now received his sentence.
A U.S. federal court has awarded Andrei Tyurin a 12-year sabbatical with the Bureau of Prisons.
Mr. Tyurin targeted mostly financial institutions, brokerages,
and financial news outlets. Some 80 million of his victims were culled from J.P. Morgan alone.
Mr. Tyurin was convicted of offenses related to computer intrusion, wire fraud, bank fraud,
and illegal online gambling, the AP reports. Working from his home in Moscow, Mr. Tyurin is said by federal prosecutors to have
taken in around $19 million. In extenuation and mitigation, he claimed to have only actually
received $5 million, none of which was actually stolen, the rest having gone to a collaborator
who apparently stiffed him of the remainder. Actually, $5 million seems like a lot to us, and we're vague on how his
acquisition of it didn't constitute some form of theft. But then we're not lawyers, so perhaps some
of the nuance escapes us. In any case, Mr. Tyurin told the judge in a letter that he feels terribly
ashamed of what he did, and that he's concluded he'd chosen a wrong path in life. Repent at leisure, sir.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of
technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer
challenges faster with agents, winning with purpose, and showing the world what AI was
meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers
to learn more. Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning
digital executive protection platform secures their personal devices.
My guest today is Larry Lunetta.
He is the Vice President of Solutions Product Marketing at Aruba.
They are a Hewlett Packard Enterprise company.
Larry, welcome to the CyberWire.
Nice to be here. Thank you.
So today we want to talk about this notion about improving security
as we find ourselves in the midst of this era of what you describe as a hybrid work environment.
And that it's really more than just kind of firing up that VPN
and thinking that you have everything covered there.
But let's start with just some sort of basic stuff here.
Can you give us a little bit of the lay of the land?
Where do we find ourselves today?
Well, obviously, the pandemic has dramatically changed
how we all work and connect to IT assets, right?
Which is essential to our work style and success
of the organization. And, you know, clearly what's happened is we've all almost instantaneously
become remote workers. And what that's done is not only put pressure on accessing IT resources
and connectivity, it's introduced a significant amount of security risk.
And the reason for that is that most of us, unless you're lucky and have some special
equipment, are connecting via a simple VPN.
And that connection, while encrypted, really needs a lot more security wrapped around it
to protect the individual and the organization.
What sort of things do you have in mind here? What's the additional security that you're recommending?
Basically, the idea is that instead of trying to use how you connect to the network to dictate your security and what you're allowed to access,
you use your identity and the identity of the user
and the device associated with that user and assign a policy.
And the value of this is an organization that's already doing that when the user's in the office
or, say, pre-COVID, can use the same policies when that user is connected remotely.
So no changes have to take place, no reconfigurations, no changing of rules,
and you get the same control for a remote worker as you do when that person's in the office.
So identity is very, very important. Authentication, then policy and authorization,
and then finally enforcement. And that's where the network comes in, and you want to be able to
enforce those policies naturally and without interruption using infrastructure built into the network, such as embedded firewalling and things like that. And is this what we're discussing,
we've referred to as the zero trust mindset? That's correct. Zero trust started almost 10 years ago.
And the philosophy is, as I said, what you are entitled to access and your security position
is not dictated or assigned based on how you connect. It's who you are and what permissions
the organization wants to grant you. And the value of this is instead of using VLANs,
which can spiral out of control very quickly
and become unmanageable, you use, again,
identity as the talisman for access.
And that can follow now that individual,
whether they connect in the office, whether they connect remotely,
whether they connect wireless or wired, doesn't matter.
The policies still apply.
What are your recommendations for folks
who are looking to explore this?
I mean, how do they, what's the best way to get started?
I think having an architecture
or a philosophy is very important.
And I mentioned Zero Trust.
There's also another framework called Secure Access Service Edge, or SASE, that incorporates cloud services and security that's delivered associated with things like SD-WAN.
But know what they are because they're good guideposts and guidelines.
They're not necessarily prescriptions or solutions, but it'll suggest a path that an organization
can take.
And you can kind of benchmark yourself where you fit in these frameworks and what the priority
might be in terms of next steps.
So it's important to look at this, and it's a bit of a cliche, but I think it's true,
to look at this as a journey. No one buys a set of products and instantaneously is 100% conforming
with zero trust or SASE. But what you want to do is look at how you're moving workloads to the
cloud. Are you using things like SD-WAN?
And then think about how you want to organize your security based on that.
Larry Lunetta is the Vice President of Solutions Product Marketing at Aruba.
Larry, thanks so much for taking the time for us today.
Delighted to be here. Thanks for the time.
Don't forget we have extended versions of many of our CyberWire interviews
as part of CyberWire Pro.
You can find out more about that on our website, thecyberwire.com.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Thomas Etheridge.
He's the Senior Vice President for Services at CrowdStrike.
Tom, it's always great to have you back.
I wanted to touch today on when it comes to incident response,
the role of outside counsel in that process.
What sort of things can you share with us today?
Thanks, David.
I appreciate being on again.
One of the reasons we partner with outside counsel is there's the concept of attorney-client
privilege.
It is designed to protect confidential communication between attorneys and their clients.
And the work product doctrine precludes disclosure
of many of these materials created at the direction of counsel, specifically in preparation
for litigation. So when an organization is compromised and they're looking to ensure
that the risk to their business is protected and that they are able to manage the communications effectively between stakeholders, business partners, their insurance provider.
Those communications are typically best handled under privilege and working with outside counsel is a great vehicle to do that.
And what is kind of the pecking order here?
I mean, where does outside counsel sit in terms of leading things or collaborating? How does that all play out? So when we're engaged
under privilege through outside counsel, outside counsel actually controls and leads the investigative path. They leverage the technical expertise of incident response firms, such as CrowdStrike,
and our expertise in doing forensics investigation and this type of analysis.
All communications, all coordination of the scope of the investigation,
the expected path for communicating findings from the investigation is all typically managed through outside counsel. And that's in order to maintain
privilege and also to maintain the integrity of the investigation from a scope and from a
communications perspective. And how do you make sure that, I don't know, things don't get bogged
down? You know, when you have a lot of different, I guess I'm thinking of that old notion of having,
you know, too many cooks in the kitchen. How do you maintain that communications is happening,
you know, quickly, efficiently? When you're in the midst of an incident, I imagine, you know,
that's hard to do. It is, but one of the great things about working
with outside counsel, especially experienced counsel, is that we typically set the ground
rules for who's involved in the investigation, what the scope of the investigation is, and
what the escalation path is going to be, how often we will share information and communicate status and coordinate
the investigation at the very beginning of an incident response investigation. So a lot of
that framework is laid out in advance of all the work being done. And this is something that we do
with outside counsel regularly. And I guess this is also one of those kind of, you know, you practice
like you play sort of things that better to have all of these things laid out ahead of time and
have your playbook ready. So when incident response kicks in, you're not making a lot of
these decisions while you're in the middle of a crisis. Exactly. And exactly. Yes. Well said. No, I mean, we do see a lot more
maturity in terms of organizations running tabletop exercises, having documented policies
and playbooks for handling incidents. One of the trends that we reported on a little last year was
an increase in the number of organizations that are starting to
include outside counsel and the concept of privilege in their tabletop exercises and in
their policies and playbooks. So although the practice is there, the expansion of that practice
to include stakeholders such as outside counsel is starting to rise in the engagements that we're
involved in.
Interesting. All right. Well, Thomas Etheridge, thanks for joining us.
Thank you, Dave. And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Savor these precious things.
Listen for us on your Alexa smart speaker too.
Don't forget to check out Research Saturday
in my conversation with Shimon Oren from Deep Instinct.
We're going to be talking about why Emotet's latest wave
is harder to catch than ever before.
That's Research Saturday.
You check it out.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Kelsey Bond, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.