CyberWire Daily - Updates on the hybrid war in Ukraine. Industrial espionage in Germany, conventional espionage in Western Asia. C2C markets, social engineering, and scamware.
Episode Date: January 27, 2022

Cyber risk continues over Ukraine as the US and NATO reject Russian demands. Emissary Panda’s industrial espionage against German industry. Fancy Bear is spotted in Western Asia. The C2C market’s initial access broker Prophet Spider is selling access to unpatched VMware Horizon instances. Social engineering adapts to its marks. Thomas Etheridge from CrowdStrike on the power of Identity/Zero Trust in stopping ransomware attacks. Our guest is Gary Guseinov of Real Defense to discuss M&A activity. And Dark Herring scamware is ejected from app stores, but not before hitting over a hundred million victims. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/18
Transcript
Cyber risk continues over Ukraine as the U.S. and NATO reject Russian demands.
Emissary Panda's industrial espionage against German industry.
Fancy Bear is spotted in Western Asia.
The C2C market's initial access broker, Prophet Spider, is selling access to unpatched VMware Horizon instances.
Social engineering adapts to its marks.
Thomas Etheridge from CrowdStrike on the power of identity and zero trust in stopping ransomware attacks.
Our guest is Gary Guseinov of Real Defense to discuss M&A activity.
And Dark Herring scamware is ejected from app stores, but not before hitting over 100 million victims.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 27, 2022.

There are concerns that any cyber operations accompanying the crisis in Ukraine will extend by accident or by design to civilian targets in many countries. We open with a brief review of how that crisis is unfolding. We remind you that the U.S. Cybersecurity and Infrastructure Security Agency has urged infrastructure operators in particular to be on the alert and to look to their defenses.

Russia closed the January 21st talks in Geneva with a set of proposals that amounted to a soft ultimatum for NATO: that the Atlantic Alliance would agree to rule out eventual Ukrainian or Georgian membership, that it would roll back troop deployments and infrastructure in the near abroad and the former Warsaw Pact, and that it would agree not to deploy certain classes of long-range strike weapons. It asked for a U.S. response in writing.
The U.S. delivered that response yesterday, and it unambiguously rejected all the Russian demands, the AP reports.
At a press conference, U.S. Secretary of State Blinken had this to say.
Today, Ambassador Sullivan delivered our written response in Moscow.
All told, it sets out a serious diplomatic path forward, should Russia choose it.
The document we've delivered includes concerns of the United States and our allies and partners
about Russia's actions that undermine security, a principled and pragmatic evaluation of the
concerns that Russia has raised, and our own proposals for areas where we may be able to
find common ground.
We make clear that there are core principles that we are committed to uphold and defend, including Ukraine's sovereignty and territorial integrity and the right of states to choose their own security arrangements and alliances.

This was entirely foreseeable, as the Russian proposals were in NATO eyes simply non-starters. The response, which the U.S. explained had been thoroughly coordinated with other members of NATO, offered no concessions but sought to offer, as the BBC quotes U.S. Secretary of State Blinken, "a serious diplomatic path forward should Russia choose it." The challenge will be to arrive, if the U.S. and NATO diplomacy should prove successful, at a face-saving way for Russia to back away from its pressure on Ukraine. NATO delivered a response on behalf of the Atlantic Alliance as a whole that was consistent with the U.S. position. Russia said that it would continue diplomacy, but that it's not optimistic, as The Guardian and others report. Russian Foreign Minister Lavrov said, "If the West continues its aggressive course, Moscow will take the necessary retaliatory measures," end quote. And while it will continue to engage NATO diplomatically, there are limits to Russian patience. "We won't allow our proposals to be drowned in endless discussions," Lavrov said. In the event of a Russian invasion, NATO's immediate response would in all likelihood prominently feature imposition of sanctions designed to cripple the Russian economy and to damage the personal financial interests and reputations of Russian leaders.
As Ukraine continues to investigate the data-wiping attack that hit government websites two weeks ago, the State Service of Special Communication and Information Protection of Ukraine says it's found signs of false-flag evidence planted to mislead investigators into suspecting a Ukrainian hacktivist group as opposed to Russian intelligence services. Ukraine has called that campaign Bleeding Bear, and Deep Instinct has a useful account of what's presently known about the attacks. Zero Day reports that the wiper used in the Bleeding Bear attacks was code repurposed from the WhiteBlackCrypt ransomware strain.
Other low-grade hacking continues in Ukraine. Reuters reports that a promotional website belonging to the
Ukrainian foreign ministry was knocked offline yesterday for several hours by unidentified
threat actors. Electrical power grids would be attractive targets to cyber warriors on both sides.
Concern about the grid's vulnerability has led the U.S. over the past three years
to conduct a series of exercises on Plum
Island, New York, an isolated and closed island in Long Island Sound that formerly served as a
livestock quarantine and zoonotic disease research center. Plum Island is a useful site for such
tests because its isolated power grid replicates in miniature most of the features of a regional grid.
Bloomberg has an account of the drills and what the U.S. learned from them.
Nor, according to sources talking to Fox Business, does the threat run in only one direction.
The U.S. knows how to turn the lights off in Russia, too.
Or so they say.
Who knows?
We don't.
Reuters reports that Germany's BfV has found an extensive industrial espionage effort mounted against the pharmaceutical and tech sectors. The threat actor the BfV accuses is APT27, Beijing's Emissary Panda. Trade secrets and other proprietary information are of principal interest to Emissary Panda, and the operators are seeking to scale their collection by gaining access to customer and service provider networks from whence they can pivot to new targets.

State-sponsored threat actors from Russia, Iran, and North Korea, who've been known to rattle the Olympic rings in the past, have been unusually quiet during the run-up to this year's Winter Games. The reason for their good behavior, Recorded Future's Insikt Group writes, is apparently a desire to not get on the bad side of the host, China. There's trouble enough elsewhere without poking the panda.

Trellix reports that a cyber espionage campaign against governments in Western Asia is in progress. It's a multi-stage attack designed to collect information.
Quote: "The infection chain starts with the execution of an Excel downloader, most likely sent to the victim via email, which exploits an MSHTML remote code execution vulnerability to execute a malicious executable in memory." End quote. The second stage is a DLL downloader, and the third stage involves the installation of Graphite malware. In the fourth stage, a dynamic library file, Empire DLL loader, is put to work, preparing for the fifth and sixth stages, in which the Empire PowerShell C# stager and the Empire HTTP PowerShell stager are installed. The researchers offer a tentative attribution to APT28, that is, Fancy Bear, Russia's GRU. The reason for the targeting is connected with tensions in the vicinity of the former Soviet republics of Armenia and Azerbaijan, which, if nothing else, shows that the bears haven't forgotten the rest of the near abroad, as preoccupied as the leaders of the bears seem to be with Ukraine.
Bitdefender is tracking a resurgence of FluBot and TeaBot malware, both of which are enjoying renewed popularity in the criminal-to-criminal market. Both vary their approach, with "Is this you in the video?" being as close to an evergreen as the criminals come. TeaBot has lately been particularly interested in gaining a distribution foothold in Google Play and other app stores.

While quick response and hard work at remediation have rendered the Log4j vulnerabilities less damaging than they might have been, the risk of exploitation remains. BlackBerry researchers have found that the criminal initial access broker tracked as Prophet Spider is trading in access to unpatched VMware Horizon instances.
Elsewhere in the C2C market, Zimperium describes a premium service abuse campaign they're calling Dark Herring. It has some 105 million victims. Distributed on Google Play before Mountain View recognized it for what it was and gave it the heave-ho, Dark Herring has also been available in third-party app stores. The Android unwanted app is scamware, malware whose operators inveigle the victims into unwittingly signing up for premium services. Dark Herring's social engineering has been more effective than some of its competitors' for the care the hoods have taken to craft their bait to suit the geolocation of the victims, since K-pop hotheads in Gangnam, for example, are probably interested in different things than are the good burghers of Saskatoon. Or so we imagine. Both of them, nice places, in their own way.
The outlook for investment and M&A activity in the cybersecurity space remains strong in the
year ahead with plenty of opportunities for innovation and growth. Gary Guseinov is CEO of security software and services company RealDefense,
and I checked in with him for his insights on what investors may be thinking.
There's no area that I can think of where we're going to see a flattening environment,
where there's less demand or it becomes a commodity, because threats are constantly evolving.
And so if there were no bad people out there who wanted to steal your information,
then you could make an argument that we won't need it anymore.
We won't need cybersecurity, but that's not going to happen.
What's your advice for the folks out there who are in a startup situation,
who are looking to engage with those private equity firms?
Given that we're in this environment that we're in when it comes to mergers and acquisitions, how should they be
considering this environment as they grow their company, as they consider their investment
strategies? The one thing I would focus on is finding out the gaps in the technology stack as it relates to whoever
the consumer is. So for instance, if it's enterprise, figure out
what is not being covered by existing solutions
and create a product for that. Look at existing
enterprise platforms within the technology stack and see if there's opportunities how to make it better, optimize, make it faster, more productive, cheaper, better ways to deliver
the solution, et cetera. In the consumer space, same thing. There are a lot of gaps currently.
And if you look at it holistically, look at all the devices connected to your internet environment at home, how you travel and how you connect to your other devices like your car and home automation.
There are all kinds of gaps there in terms of security and be really good at that one area.
Don't try to build an antivirus company.
Don't go and build an identity protection company today.
There's too many of them. There are lots of overlapping technologies
and solutions. There's no need for new players to come in. But there's lots of
gaps in the cybersecurity space on the enterprise side and the consumer side.
Plenty of them. Focus on the gaps. Figure out what they are. Create a market
fit. Product market fit. Find good engineers. That's super
important. That's probably the most important. And then go to market. There's plenty of interests out there. Consumers are willing to
pay for it. Enterprises are certainly willing to pay for it. The cost of not doing it is too high.
The opportunity costs are too high. The risks are too high. Someone breaks into your bank account,
steals $100,000. Would you be willing to spend $1,000 to protect that $100,000?
Of course you would.
And businesses look at it the same way.
And we're still underspending as a whole globally on cybersecurity as it compares to global economies combined and total assets that are being managed by some form of technology.
So we still have a ways to go.
I mean, we should be spending half a trillion dollars on cybersecurity globally a year if we really want to protect us from
threats. And we're just at the cusp of these threats where we're seeing a lot of crypto-related
scams and crimes. And those are going to grow exponentially because they're, to a certain extent,
you know, no one's being harmed
by it physically. There's no bank robbery taking place. No one's using a gun. Criminals think that
way too. They say, well, I didn't hurt anyone. So my crime is okay. So it's, you've got a lot
of people thinking that way. And so more criminals become criminals and you've got more crime. And so
that's where we're at.

That's Gary Guseinov from Real Defense.
And I'm pleased to be joined once again by Thomas Etheridge.
He's Senior Vice President of Services at CrowdStrike.
Thomas, always great to have you back on the show.
I wanted to check in with you today.
You know, there's been no slowdown when it comes to ransomware attacks.
And I'm curious what your perspective is when it comes to implementing things like identity management and, of course, the hot topic of zero trust these days
to protect organizations against ransomware.

Thanks, Dave. Great to be here. I agree.
Ransomware is a huge prolific problem out there in the market. CrowdStrike's been talking about
big game hunting and the proliferation of
ransomware across every industry vertical and across the globe really. Big game hunting
incidents so far in the telemetry that we collect show that there's been about 2,400 plus big game
hunting incidents so far this year and that's equivalent to about 52 targeted ransomware events every single week.
And the impact is pretty substantial as well, with the average ransom demand being roughly
around $6 million. Big impact.

So in an organization's response to these attacks, what part does identity play?

I think it's really important, Dave. In the recent data from our customer-based
index in our threat graph, more than half of the detections that we've analyzed were not
malware-based, meaning companies need to provide a more holistic approach to their breach prevention
capabilities and strategy. A lot of the initial entry points for malware deployment or the
deployment of ransomware and environment is through the leverage of compromised credentials.
We see that week in and week out with victims that we respond to.
that individuals within the organization have and what your remote access capabilities are,
as well as critical to being able to implement the right defensive strategy to make sure these events don't happen. Zero trust is a big part of that.

Well, let's talk zero trust then. What part does that play in all this?

Well, zero trust really requires all the users in an environment,
whether in or outside the organization's network, to be continuously authenticated, authorized, and validated before being granted access to applications and data in an environment.
Really putting strong governance and controls around how folks access infrastructure and applications from within an environment, but also if you're
coming in from outside the environment. And implementing a zero trust strategy really
puts better controls in the hands of the defenders in terms of understanding if somebody's credentials
have been compromised, we would be able to detect that and know it to be able to shut down an attack in the event one started.
Is my understanding correct that zero trust really requires a certain amount of maturity from an organization,
that proper implementation of this isn't something, it's not something you do at the beginner stage of your security journey?
Absolutely. I mean, we look at zero trust as a journey.
It's not something that you flip a switch and implement,
although there are tools and technologies
that can help you implement that a lot faster.
Once you gain an understanding of where those risks are at,
how credentials are being provisioned within an environment,
and where you may have at-risk credentials,
things like service accounts, which are prolific in terms of the use by threat actors in navigating
across an environment or compromising applications within an infrastructure.
All right.
Well, Thomas Etheridge, thanks for joining us.

And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.