CyberWire Daily - Transportation as an espionage target. Expensive, elaborate cyber campaigns by unidentified threat actors. Infraud operators sentenced in Nevada.
Episode Date: March 22, 2021
Indian authorities warn the country’s transportation sector that it may be a target for cyberespionage. Google’s Project Zero describes an elaborate and expensive campaign that exploited zero-day vulnerabilities. The SilverFish threat group is elaborate, well-resourced, and well-organized. Threat actors are quietly altering mailbox permissions. REvil is back. Some say “yes” to Moscow; others say “nyet.” Dinah Davis from Arctic Wolf on Security Metrics. Our guest is Graeme Bunton from the DNS Abuse Institute. And two Infraud operators are sentenced. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/54
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Indian authorities warn the country's transportation sector
that it may be a target for cyber espionage.
Google's Project Zero describes an elaborate and expensive campaign that exploited zero-day vulnerabilities.
The SilverFish threat group is elaborate, well-resourced, and well-organized.
Threat actors are quietly altering mailbox permissions.
REvil is back.
Some say yes to Moscow.
Others say nyet.
Dinah Davis from Arctic Wolf on security metrics.
Our guest is Graeme Bunton from the DNS Abuse Institute.
And two Infraud operators are sentenced.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, March 22, 2021.
The Business Standard reports that India's Ministry of Road Transport and Highways received an alert from CERT-In
regarding targeted intrusion activities directed toward the Indian transport sector
with possible malicious intentions.
The ministry has advised departments and organizations under the transport sector
to strengthen the security posture of their infrastructure.
The warning prompted much speculation in the Indian press that China has
shifted its targets from the energy to the transportation sector. The Hindu BusinessLine's
coverage is representative. A note the paper obtained represents CERT-In's own conclusions.
"CERT-In has observed continued targeted intrusion activities from Chinese state-sponsored actors towards
Indian transport sector with the possible intention to collect intelligence and conduct
cyber espionage. The notable threat actors such as APT41 (Barium), Tonto Team, APT10 (Stone Panda),
APT15 (Ke3chang), APT27 (Emissary Panda), Winnti Group, and RedEcho
have been targeting organizations across a range of industries
aligned with the national strategic goals of the Chinese national policy priorities."
Google's Project Zero has provided an update on a campaign they began tracking last year,
providing additional information on seven zero-days its researchers detected a threat actor using this past October.
Windows, iOS, and Android systems were affected. Victims were usually infected in watering hole
attacks. The unknown threat actor used a total of 11 zero-days over their campaign's year-long run.
Their development would have been expensive,
and the infrastructure used was large and carefully constructed.
The operation seems beyond the capabilities of any ordinary criminal group.
Project Zero summarized the threat actor's sophistication as follows, quote:
"Overall, each of the exploits themselves showed an expert understanding
of exploit development and the vulnerability being exploited.
In the case of the Chrome FreeType 0-day, the exploitation method was novel to Project Zero.
The process to figure out how to trigger the iOS kernel privilege vulnerability would have been non-trivial.
The obfuscation methods were varied and time-consuming to figure out."
End quote.
Researchers at Swiss security firm Prodaft report that they've identified a threat actor, they call it SilverFish, whose target list significantly overlaps the list of victims of SolarWinds exploitation.
The researchers also say that some of SilverFish's servers were also used by the Evil Corp crime group.
Prodaft offers no attribution, but they do characterize it as a highly sophisticated group of cyber criminals
targeting exclusively large corporations and public institutions worldwide, with focus on the EU and US.
The actor can be viewed as an entity possessing a high degree of sophistication
and who goes beyond the necessary technical skills to conduct an operation of this magnitude.
The actor demonstrates a comprehensive and up-to-date knowledge of exploitation practices,
security architecture, protocols, and anonymization techniques.
More importantly, their knowledge transcends regional, cultural, and linguistic barriers.
Prodaft gained its information, the company says, by getting inside SilverFish's command and control servers.
SilverFish's list of victims looks like an espionage pick list.
The dashboard Prodaft found indicates that SilverFish is running several distinct teams.
Prodaft also says that the comments the operators entered alongside their targets are for the most part written in English and Russian
with a healthy leavening of urban slang.
And whoever SilverFish's operators are,
they punch the clock like a bunch of employees of the month.
Prodaft says they work mostly Mondays through Fridays
between 8 a.m. and 8 p.m.,
Coordinated Universal Time.
Researchers at FireEye's Mandiant unit say that they've observed
threat actors modifying mailbox folder permissions of user mailboxes to maintain persistent access
to the targeted user's email messages. Mailbox permissions, Mandiant says,
are often not monitored by defenders.
They've added mitigation suggestions
to their white paper on the topic.
The REvil ransomware gang
has hit Taiwanese device manufacturer Acer
with a $50 million extortion demand,
The Record by Recorded Future reports.
The extortion includes the now-routine threat to release stolen company documents.
Acer told Bleeping Computer that to preserve the security of their continuing investigation,
they are unable to provide details on the incident.
Tech companies face a range of regulatory and legal challenges
as they do business in a range of countries.
Many of those challenges have to do with protecting personal data.
While certainly not trivial, in most cases that's a regulatory burden companies are meeting,
often by complying with the most stringent applicable rules
and letting those set the general standard way of operating.
So, businesses organize themselves to operate in compliance with GDPR, to take one common standard.
In other cases, it's trickier, especially where the law tends to serve policy and not vice versa.
Consider the accommodation Apple recently reached with Russia.
Wired reports that beginning next month, iOS devices sold in Russia will prompt users to install a set of government-approved apps,
browsers, messenger platforms, and even antivirus services.
It's not exactly preloading, and users can opt out if they so choose,
but Wired still sees it as a bending on Apple's part to the demands of an authoritarian regime.
And the magazine thinks that other such regimes will notice,
and that Apple may hear from like-minded governments soon.
Other vendors have pulled away.
Cellebrite, for one, the lawful intercept vendor that's been criticized
for the ways in which some of its government customers have abused its products,
announced last week that, effective immediately,
it would no longer do business with any customers, private or public, in either Russia or Belarus.
The company said, quote,
"As part of our standard business operations, we regularly review and update our compliance policies
to ensure we operate according to accepted international rules and regulations," end quote.
And, by implication, selling its digital intelligence solutions to Moscow and Minsk
And finally, the U.S. Justice Department announced Friday that two gentlemen associated with the
Infraud Organization were sentenced to terms of imprisonment for their part in the activities of Infraud,
which Justice says involved the mass acquisition and sale of fraud-related goods and services,
including stolen identities, compromised credit card data, computer malware, and other contraband.
Sergei Medvedev, also known as Stels, Segmed, and Surgebear, of Russia,
pleaded guilty in the District of Nevada to one count of racketeering conspiracy
and received 10 years in prison.
Mr. Medvedev is a co-founder of Infraud.
Marko Leopard, also known as Leopard MK, of North Macedonia,
also copped a guilty plea,
and he received five years at Club Fed.
Infraud was a big operation. The Department of Justice says the transnational gang was
responsible for the sale and or purchase of over 4 million compromised credit and debit card numbers.
The actual loss associated with Infraud was in excess of $568 million.
PIR, the Public Interest Registry, the folks behind the .org domain,
recently launched the DNS Abuse Institute.
They say that their goal is to provide tools to identify and report DNS abuse.
Graeme Bunton has taken on the role as the DNS Abuse Institute's inaugural director.
He joins us to explain the mission of the organization.
So the DNS Abuse Institute was founded by PIR, who run the .org
registry. And PIR has a, in their name, public interest registry, this public interest mission.
And over the past few years, I would say the prevalence of DNS abuse, and I can go into the
definition of that in a minute, has become an increasing issue.
And they were trying to think about how they could use their public interest mission to really make a dent into that problem.
And the result of that was to try and stand up its own sort of institute.
Yeah, I mean, let's dig into that.
I mean, what are some of the issues that we face
when it comes to DNS? So DNS abuse, and let's make sure we're all talking about the same thing,
is we define as malware, botnets, pharming, phishing, and spam, where it's serving as a
vehicle for those previous items.
And those are, you know, online harms that are using the DNS specifically to cause them.
And so we have seen the sort of in the operation of the registry, and I actually come historically
from a registrar, and maybe I'll
come back to that in a sec, that those things are causing real harms around the world,
and there's been a lack of coordinated effort on these issues. And so this was really where
we thought the DNS Abuse Institute could make a real difference. And so what are some of the
things that you're
looking to do here? What do you hope to accomplish? So I think the first thing that we really need to
do, and maybe backing up slightly, is I've been on board now for I think a week and a half.
And so we're really still figuring out the breadth and scope of our strategy and how we're going to
prioritize the things that we're going to work on.
And that requires quite a bit of digging and some research.
But I think to start, we really need to be able to get the community, so the sort of
registrar and registry industry and cybersecurity to a certain extent, to make sure that we're
all talking about the same thing.
And so that's going to be to develop a model to measure DNS abuse across the industry,
publish that model, and make sure that we're all addressing the same problem. So that, I think,
is step one. And then it's going to be working through the pillars that the institute is sort
of founded on. And those are collaboration, so that's making sure that we're working together
as an industry. It's education, and that's making sure that everybody has the resources
and understanding. And then innovation is our third pillar. And that's where we're really
going to begin building tools and providing really interesting things for the industry
to start really getting better. That's the one that I find pretty interesting.
That's Graeme Bunton from the DNS Abuse Institute.
And joining me once again is Dinah Davis.
She is the VP of R&D at Arctic Wolf.
Dinah, always great to have you back. I want to talk today about measuring success and how you establish good security metrics within a company.
What sort of things can you share with us?
Yeah. So really your metrics have to be related to the organization's risk profile, right? One set of metrics that is going to help one company isn't necessarily the same set of metrics that
matters for another. You know, like a healthcare organization has very different risk levels than a law firm or than a tech company, right? And so
you can't just have a basic blanket set of metrics that are going to work for everyone.
But what you can do is really measure your amount of risk in your threat landscape. So
the first thing you need to do to do that is to identify the vulnerabilities you have in your
system. So you can do this with a vulnerability assessment tool. We have one with Arctic Wolf.
It will look through your system to find the level of software that's running everywhere,
like each piece of hardware and software. What is it running? It'll then look those versions of software up in a publicly
accessible system called the National Vulnerability Database, or the NVD,
and determine if there's any vulnerabilities. And it'll give you a list of the vulnerabilities
and their common vulnerabilities and exposures, which we call a CVE score. So if you hear people
talking about a CVE score, that's what it is.
And so once you have this list of, like, everything that's going on in your network
and vulnerabilities, this is how you want to prioritize, right? So the CVE
score goes from, like, zero to 10. Okay. If it is a nine or a 10, you drop everything.
You drop everything and you go patch that immediately. A high is pretty close to drop everything, but maybe not quite as severe as
the nine or 10. A nine or a 10 means there's active hacks against it. There's active attacks,
right? So if you're in a medium of a four to a 6.9, then you want to plan a maintenance window to fix it.
You want to maybe wait until the next one, but you want to plan one, but it doesn't need to be the next day.
It should just be soon.
And anything below that you can fix in a regular maintenance window, right?
So now you want to measure yourself against your CVEs and what your scores are here. So you want to change process around patching so that you can improve,
right? So tracking how many issues above a nine or a 10, really anything above a seven,
how many of those you have, how many mediums and how many low risk you have, trending that over
time and looking at the mean time to patch. Those are really good metrics to look at. That doesn't
matter what kind of organization you are, but it takes into account your risk profile, right?
Another important metric to watch is your account takeover risk, right? So for an account takeover
critical risk, it means the password and the username and possibly personal identifiable
information was leaked.
And there could be malware using that information being used right now.
So you want to drop everything.
Go immediately force a password change for all accounts for that user on your system, and then audit any activity that your user had in the system,
making sure you're doing scans of their laptop.
High risk is, you know,
the user account was revealed and maybe a decryptable or plain text password. Pretty high risk. Again, reset their passwords immediately. And then medium and low is, you know, a little
slower. You have to react. They're probably, maybe their account was exposed,
maybe an encrypted password was exposed, but not a lot else. And so then you can have, you know,
the user rotate their corporate credentials the next business day. It's not a drop everything.
So that's something you want to track on an ongoing basis.
Now, do you ever find that you sort of have a little,
I don't know, like a mismatch between the severity,
but what it actually means to a particular company?
In other words, if something comes back and it says,
hey, this isn't in a normal ratings ranking of severity,
it may not be that high,
but for this particular company, it is high.
Yeah, that can happen too, because it depends on what you're using various systems for.
A lot of, like, customer-specific or private data, or important data in it, that could mean it bumps it up quite a bit for you. So you do want to evaluate them as they come in. Oftentimes they'll
get a score, and then the client can also, you know, a lot of the systems will allow for you to mark it
as higher than it is, like manually push it higher, so that you can schedule it to be changed faster.
All right. Well, Dinah Davis, thanks for joining us.
You're welcome.
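As an added example (not code from the page or from Arctic Wolf), here is the triage scheme from the segment above in Python: a constructed list of findings is bucketed by the zero-to-10 score bands Dinah describes, the manual severity bump she mentions for systems holding sensitive data is honoured, and the per-band counts and mean time to patch she suggests trending are computed. Host names and CVE ids are constructed placeholders.

```python
# Added example: vulnerability triage and patching metrics modelled on the
# interview above. Not Arctic Wolf's tooling; host names and CVE ids are placeholders.
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass
class Finding:
    host: str
    cve: str                          # placeholder id, constructed for this example
    score: float                      # scanner-reported 0-10 severity score
    found: date
    patched: Optional[date] = None
    override: Optional[float] = None  # manual bump for systems holding sensitive data

    @property
    def effective_score(self) -> float:
        """A manual override wins, so a 'medium' on a sensitive system is scheduled faster."""
        return self.override if self.override is not None else self.score


def tier(score: float) -> str:
    """Map a 0-10 score to the bands used in the interview."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"score out of range: {score}")
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


ACTION = {
    "critical": "drop everything and patch immediately",
    "high": "patch as soon as possible",
    "medium": "plan a maintenance window soon",
    "low": "fix in the next regular maintenance window",
}


def triage(findings: list) -> list:
    """Open findings, most severe first, each with its band and the action for it."""
    open_findings = [f for f in findings if f.patched is None]
    open_findings.sort(key=lambda f: f.effective_score, reverse=True)
    return [(f.host, f.cve, tier(f.effective_score), ACTION[tier(f.effective_score)])
            for f in open_findings]


def tier_counts(findings: list) -> dict:
    """How many criticals, highs, mediums and lows you carry: the number to trend over time."""
    counts = {band: 0 for band in ACTION}
    for f in findings:
        counts[tier(f.effective_score)] += 1
    return counts


def mean_time_to_patch(findings: list) -> Optional[float]:
    """Mean days from discovery to patch over patched findings; None if nothing is patched yet."""
    durations = [(f.patched - f.found).days for f in findings if f.patched is not None]
    return mean(durations) if durations else None


# Constructed sample inventory (placeholder CVE ids, not real advisories).
FINDINGS = [
    Finding("web-01", "CVE-0000-0001", 9.8, date(2021, 3, 1), patched=date(2021, 3, 2)),
    Finding("db-02", "CVE-0000-0002", 6.5, date(2021, 3, 3), override=9.2),  # customer data store
    Finding("hr-03", "CVE-0000-0003", 7.4, date(2021, 3, 5), patched=date(2021, 3, 9)),
    Finding("kiosk-04", "CVE-0000-0004", 3.1, date(2021, 3, 6)),
]

if __name__ == "__main__":
    for host, cve, band, action in triage(FINDINGS):
        print(f"{host:9} {cve} {band:8} -> {action}")
    print("counts:", tier_counts(FINDINGS))
    print("mean time to patch (days):", mean_time_to_patch(FINDINGS))
```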
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed. It takes the day's
work right out of your hands.
Listen for us on your Alexa smart speaker,
too. Don't forget to check out
the Grumpy Old Geeks podcast, where I contribute
to a regular segment called Security,
Ha! I join Jason and Brian
on their show for a lively discussion of the latest
security news every week.
You can find Grumpy Old Geeks where all the fine
podcasts are listed, and check out the Recorded Future podcast, which I also host. The subject there is
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan,
Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik,
Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.