CyberWire Daily - Third-party data breach at Volkswagen. An anti-monopoly agenda with Big Tech in its crosshairs. Recovery ransom. How EA was hacked. Avaddon gives up its keys. Gamekeeper turned poacher?
Episode Date: June 14, 2021
Volkswagen warns North American customers of a third-party data breach. An “anti-monopoly agenda” advances in the US House Judiciary Committee. Speculation about how the FBI recovered ransom from DarkSide. How EA was hacked. Is Avaddon going out of business? Craig Williams from Cisco Talos explains why they’re calling some cyber criminals “privateers”. Rick Howard shares thoughts on professional development. And a strange case of a gamekeeper turned poacher (allegedly). For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/113
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Volkswagen warns North American customers of a third-party data breach,
an anti-monopoly agenda advances in the U.S. House Judiciary Committee.
Speculation about how the FBI recovered ransom from DarkSide.
How EA was hacked.
Is Avaddon going out of business?
Craig Williams from Cisco Talos explains why they're calling some cyber criminals privateers.
Rick Howard shares thoughts on professional development.
And a strange case of a gamekeeper allegedly turned poacher.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Monday, June 14th, 2021.
Volkswagen has warned customers it's experienced a third-party data breach. On Friday, Daniel Weissland,
president of Audi America, sent affected Volkswagen Group customers in North America a letter warning them that their third-party data may have been exposed in a third-party data breach.
The company did not name the vendor who left the data exposed. The letter began,
quote, On March 10, 2021, we were alerted that an
unauthorized third party may have obtained certain customer information. We immediately
commenced an investigation to determine the nature and scope of this event. The investigation
confirmed that the third party obtained limited personal information received from or about
customers and interested buyers, including you, from a vendor used by Audi, Volkswagen,
and some authorized dealers in the United States and Canada.
This included information gathered for sales and marketing purposes from 2014 to 2019.
We believe the data was obtained when the vendor left electronic data unsecured
at some point between August 2019 and May 2021 when we identified the
source of the incident. Audi is one of Volkswagen's upmarket brands. The car company determined on
May 24 that sensitive personal information was among the compromised data, and that discovery
prompted Friday's letter. Much of the exposed information was relatively anodyne contact information,
but this is still a matter of some concern.
Other compromised data related specifically to customer interests,
such as information about vehicles purchased, leased, or even inquired about,
and in some cases the information was clearly more sensitive,
including information relating to eligibility for a purchase, loan, or lease.
More than 95% of the sensitive data consisted of driver's license numbers.
A few other items of personally identifiable information,
including dates of birth, social security, or social insurance numbers,
account or loan numbers, and tax identification numbers,
were also exposed in
some cases. TechCrunch says Volkswagen put the total number of customers affected in Canada and
the United States at 3.3 million, with more than 90,000 figuring among those who lost the most
sensitive data. According to Reuters, most of the affected customers were Audi shoppers.
The U.S. House Judiciary Committee announced its anti-monopoly agenda Friday, and they've got big tech in mind. The bills,
which advanced with what The Verge characterizes as bipartisan support, are the result of 16 months
of deliberation by the House Judiciary Committee. The agenda, which the committee calls A Stronger
Online Economy: Opportunity, Innovation, Choice, includes five measures. First, the American
Innovation and Choice Online Act, which would prohibit discriminatory conduct by dominant
platforms, including a ban on self-preferencing and picking winners and losers online, the Platform Competition and
Opportunity Act, which would restrict dominant platforms' acquisition of competitors,
the Ending Platform Monopolies Act, which would restrict self-preference that inhibits competition,
the Augmenting Compatibility and Competition by Enabling Service Switching Act, which has the
clever acronym ACCESS, which lowers barriers to
entry and limits customer switching costs, and the Merger Filing Fee Modernization Act, which would
increase merger filing fees to ensure that the Department of Justice and Federal Trade Commission
have the resources they need to aggressively enforce the antitrust laws. The measures will now be available for consideration by the House.
So how did the FBI recover ransom payments from DarkSide's wallets?
They must have had, many believe, the private key to the crooks' wallet.
But how did they get that key?
The Bureau hasn't said, understandably, but Decrypt offers some informed speculation.
Recorded Future's Dmitry Smilyanets thinks the answer lies in DarkSide's affiliate structure.
The portion of the funds recovered probably belonged to a less skillful affiliate.
Decrypt coldly puts it, quote,
mere amateurs who ran a franchise operation under the real masterminds, end quote.
The Feds recovered 63.7 of the 75 bitcoins Colonial Pipeline paid DarkSide. The
missing 11.3 bitcoins amounts to 15% of the total, and 15% is what affiliates owe big DarkSide when
their franchise scores ransom.
Smilyanets believes the affiliate made the rookie mistake of hard-coding their private key into the ransomware package they deployed.
They also rented a server in the U.S. from cloud provider DigitalOcean
for temporary storage of their funds before they could be shipped overseas.
But they delayed in moving their take out of reach, and the FBI
was quicker than they were. That's informed speculation. Speculation, but also plausible.
For now, the FBI is not offering any explanations. How did the crooks hack EA's network? They got
into the company's Slack channel and persuaded a well-meaning employee to give them
a login token. The hackers explained to Motherboard that they got into EA's Slack using a stolen
cookie they purchased in an underground market for about 10 bucks. Why were the cookies important?
Among the information cookies can save are a user's login details, and in this case the details were enough to enable the attackers to log in.
Once in, the attackers slacked members of EA's IT support team,
said they'd lost their phone at a party the night before,
and asked for a multi-factor authentication token so they could get back to work.
That succeeded.
Twice.
Once inside, they found a service for game developers and eventually stole the code.
The attackers provided Motherboard with screenshots that documented their hack,
and also some EA documents they stole in addition to the source code they took.
EA confirmed to Motherboard that these were indeed the general outlines of the way the incident unfolded.
The money to be made through the theft of code may well lie in the revenue streams that flow through the EA games themselves.
Game coins amount to a virtual currency,
and TechRepublic claims that players of EA's popular FIFA
spent $1.5 billion on FIFA coins in 2020.
Compromising the game's source code could make gold farming,
that is, playing the games to earn game coins and then selling them to other players for
more liquid fiat currency, far easier and far more lucrative than it already is.
The Avaddon ransomware gang is closing shop, or at least rebranding.
Bleeping Computer on Friday received an anonymous emailed tip,
with attenuated and misleading anonymity, it pretended to be from the FBI,
that included a link to a zip file and a password to open it. The file contained decryption keys to Avaddon ransomware.
Bleeping Computer shared the files with Coveware and Emsisoft, both of whom
confirmed that they were indeed what they claimed to be. Avaddon's Tor sites have all gone dark,
and while the gang has issued no communique saying it's going out of business, that seems to be the
case. Avaddon had over the course of last week pushed its victims harder in what Bleeping Computer calls a mad rush to
finalize payments. By Friday, they had effectively shut down, possibly because they were feeling too
much heat. That's the view Emsisoft expressed to Bleeping Computer, quote, the recent actions by
law enforcement have made some threat actors nervous. This is the result. One down, and let's hope some others go down too,
end quote. Emsisoft has released a free decryptor for Avaddon victims.
Others think Avaddon may simply be rebranding, undergoing one of the periodic name changes and
reorganizations such groups undertake. The Record, by Recorded Future, summarizes InfoSec community
opinion to this effect.
Avaddon had been among the more professional criminal up-and-comers,
and it may well be that this episode is simply designed to throw their pursuers off,
not to go to ground permanently.
Finally, in a strange case in which a gamekeeper apparently turned poacher,
a former security executive faces hacking charges.
The U.S. Department of Justice has indicted Vikas Singla,
identified in media reports as a former executive with Securolytics,
a cybersecurity firm based in Atlanta, Georgia.
We reached out to Securolytics by email for comment over the weekend,
and we'll update this story
should we hear from them. Mr. Singla was arraigned Thursday on charges related to a cyber attack
against Gwinnett Medical Center in 2018. The indictment lists 16 counts of intentional damage
to a protected computer and one count of obtaining information from a protected computer.
The specific actions alleged include disrupting phone service,
obtaining information from a digital device,
and disrupting network printer service.
The U.S. attorney alleges that the attack was conducted in part for financial gain.
And joining me once again is the CyberWire's Chief Security Officer and also our Chief Analyst, Rick Howard.
Rick, welcome back.
Thank you, Dave.
So, this is the last episode of Season 5 of your CSO Perspectives podcast that you've
got coming up this week.
Now, first of all,
I can't believe five seasons completed already. Boy, not that time has had much meaning through
COVID, but boy, time has flown with the seasons of CSO Perspectives. Congratulations. Yeah, well,
thank you. And you're right. But it has blurred. You know, I can't remember season two from season
three. I can't believe we're on season five. Yeah. Yeah. Well, bring us up to date here. What are you covering in the last episode of this
season? So we've got a special one for this last episode. We're ending on a subject that you and I
care a lot about, right? And it is, how do you stay current with the latest news and advancements
in the cybersecurity space? And, you know, I would
say that most of our listeners, the reason they listen to us is one of their sources of that
information. But I put that question to our CyberWire hash table collection of experts, about
30 in all, and I will say that everybody has a different way to do it, including me, all right?
Everything from what we want to learn about to
the information sources that we trust to get it. So in this episode, we summarize all of that,
and I think our listeners will get a lot out of it. But you're right, we're at the end of season
five. Season six starts on 19 July, and the CSO Perspectives team is busily working on those
episodes right now. And as I just want to hint here, I may take some vacation between now and then too.
Just, you know, just saying.
Okay, we'll allow it.
We'll allow it.
Well, I think, you know,
the good news is that if our listeners cannot bear
to be without the CSO Perspectives podcast.
As they should all be thinking.
Yeah, as they should all be thinking.
Yes, as they're crying and crying their tears.
But they can
always listen to the season one episodes, which we've been releasing over on the ad-supported
side of the house. What do we have there this week? Yeah, so Dave, as you know, we've been
releasing my cybersecurity first principle strategies episodes. And so far, we've already
talked about zero trust and intrusion kill chain prevention. But for this show, we're talking about resilience and the fact that a good resilience program can greatly reduce your chances of being materially impacted in the future due to some cyber event.
So that's a good one.
All right.
Well, check it out.
It's over on thecyberwire.com.
Rick Howard, thanks for joining us.
Thank you, sir.
And joining me once again is Craig Williams. He's the Director of Outreach at Cisco Talos.
Craig, it's always great to have you back. You and your team have attracted a little bit of notice lately with a recent blog post regarding threat actors and perhaps a new naming convention.
Why don't you unpack it for us and share what you all are up to?
Absolutely, Dave.
One of the things that everyone's familiar with is the traditional type of threat actor.
What I mean by that is effectively someone who's working directly for the government,
being paid to develop malware to accomplish missions for that government.
That's the traditional APT model that everyone's aware of, and we've all read countless
reports on various activities. The problem we noticed is that over the last couple of years,
we started to see more and more actors pursuing behavior patterns that appear to be in line with
interests of certain countries, but we don't believe the actor is working directly for those countries.
And when we started seeing the pattern a few years ago,
I think Rob Joyce was probably the first one to do it
when he named specific hackers behind the NotPetya attack.
And he put their pictures up on CNN.
That was really the first time that somebody had called out
specific people and put out an indictment, at least that I can remember, on national television.
Now, the result of that was that nothing happened.
And so looking back at it, why did nothing happen?
And why does it seem like that's happening again and again? And as we saw with the Colonial Pipeline attack, right, one of the very first things
President Biden did when he addressed the country was to call on President Putin of Russia to take
action. And so this is kind of the situation we're in, where we see these threat actors that are
operating within the interests of a country that are really, in a lot of cases, directly benefiting
from what appears to be state protection.
And so what we wanted to do was define a set of criteria
to draw a big circle around these groups
so that we could talk about them with purpose.
And the name that you're using for them is?
Privateer groups.
And what made you select that as opposed to, let's say, mercenaries?
You had choices here, right?
Absolutely. One of the ones I was a big fan of was marauders.
If you look up the pirate definition of marauders,
it's people in pursuit of loot and plunder, I think it was.
It's all tongue-in-cheek.
When we use these type of names, we're trying to accomplish two things.
One is to have something that will stick in people's minds.
The second one is one that accurately describes the group.
What we're seeing here with these privateer groups
is they're acting a lot like privateer groups from history, where we saw people acting with a letter of marque for
countries doing things in the name of the countries with effectively legal immunity from breaking the
laws that are in the countries. Well, you have a set of criteria here that you've outlined to put someone into the category of privateer. Can you go through that with us?
And what does that mean?
Well, when countries say these three people were behind this attack that ransomed a hospital or shut down an oil pipeline,
that crippled a country, that put people's lives at risk,
if not actually cost people their lives through the ability of the medical industry
not being able to function or other things like that, and nothing happens.
The state is at a minimum tolerating them, and in a lot of cases
outright providing protection for those attackers, even though
they're breaking local laws.
Just dive into that a little deeper.
That's a pattern we see repeated.
And what's really interesting about that pattern is when you look into the types of malware
that's often deployed by privateer actors,
it's usually got specificity in who it targets.
It'll ignore things like Cyrillic keyboard types
and it'll try and ignore the independent states.
It's often something like that.
That's a lot of very common behavior we see in privateer groups.
They're more careful about who they don't hit, perhaps,
than who they do hit.
The way we joked about it, and that's how we deal with discussing
these type of things, was that imagine you were a bank robber.
If you're a bank robber, you don't mind being on the most wanted list. You want to be a successful bank robber. You're going to be on that list.
And if you have state protection, it doesn't really matter that much anyway. But where you
run into problems is when you make the top 10 list. No one wants to be on the top 10 list.
That's how bad things happen to you. That's how a drone might come after you.
Really, if you're a bad guy, where you probably want to stay is around the 11 to 15 range,
where you're not on the nightly news by name, right? You don't want-
Be a comfortable second tier actor.
Yeah. You don't want the president of some of the most powerful countries in the nations
calling the president of the country where you reside saying,
you need to arrest this person or there will be consequences.
So while we do see privateer groups benefiting from that state protection,
I don't think that state protection is infinite.
There is a limit to these things.
And like we saw with DarkSide,
there did seem to be a little bit of scrambling
towards the end there.
So I think that's a good way to think about it, right?
They're benefiting from direct or indirect protection,
but there are probably limits to that protection.
And like we saw yesterday,
where people are going to start considering cyber actions
on par with kinetic actions,
we may see further more influential consequences
for these actors.
Right, right.
What are some of the other things
that'll put them in the privateer category?
I think the main one is the fact
that the country is not cooperating
with foreign law enforcement, right?
And this also includes intelligence organizations.
You know, in any normal country, in any country that behaves responsibly,
that cares about people of Earth,
when these type of crimes are committed that put people's lives at risk,
they offer extradition.
They offer assistance.
They don't say snide remarks on TV and then nothing ends up happening
and the pattern of behavior continues
and wreaks havoc around the world
before politically convenient meetings.
Right, right.
All right, well, you all have a blog post about this.
It's titled, Elizabethan England Has Nothing on Modern Day Russia.
You can find that over on the Talos blog.
Craig Williams, as always, thanks for joining us. Thank you.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault,
Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here
tomorrow.