CyberWire Daily - US ICS Cybersecurity Initiative formalized. Developments in the ransomware world. Addressing known vulnerabilities. Caucasus coinmining crackdown. A long-running IRGC catphishing campaign.
Episode Date: July 28, 2021
US formally establishes its Industrial Control System Cybersecurity Initiative. Shooting wars in cyberspace. Developments in the ransomware criminal souks. This week’s iOS update may have closed the... vulnerability exploited by NSO Group’s Pegasus intercept tool. The US, UK, and Australia issue a joint advisory on the most exploited vulnerabilities. Abkhazia’s crackdown on coinminers. Joe Carrigan looks at the Mespinoza ransomware gang. And meet Marcy Flores, the Robin Sage of Liverpool aerobics. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/144
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
The U.S. formally establishes its industrial control system cybersecurity initiative,
shooting wars in cyberspace, developments in the ransomware criminal markets.
This week's iOS update may have closed the vulnerability exploited by NSO Group's Pegasus intercept tool.
The U.S., U.K., and Australia issue a joint advisory on the most exploited vulnerabilities.
Abkhazia's crackdown on coin miners,
Joe Carrigan looks at the Mespinoza ransomware gang,
and meet Marcy Flores, the Robin Sage of Liverpool aerobics.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 28th, 2021.
U.S. President Biden this morning issued a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. Among other goals, the memorandum seeks
to initiate development of baseline cybersecurity goals that are consistent across all critical
infrastructure sectors, as well as a need for security controls for select critical infrastructure
that is dependent on control systems.
The memorandum formally establishes the President's Industrial Control System Cybersecurity Initiative,
a voluntary collaborative effort between the federal government and the critical infrastructure community to facilitate the deployment of technology and systems that provide threat visibility,
indicators, detections, and warnings. That initiative began informally with electrical
grid and pipeline security efforts.
Would the next big shooting war begin in cyberspace?
President Biden said it might well happen just that way.
In a speech delivered yesterday during his visit to the office of the Director of National Intelligence,
he said, quote,
I think it's more than likely we're going to end up, if we end up in a war,
a real shooting war with a major power,
it's going to be as a consequence of a cyber breach of great consequence, and it's increasing exponentially the capabilities, end quote.
Video of President Biden's speech was provided by Reuters. It's not a surprising speculation.
Cyber operations as the opening phase of a war are probably today roughly the equivalent of what calling up reserves and
organizing the railroads for mobilization were 125 years ago. There have been some developments
in the criminal-to-criminal ransomware markets. First, REvil may have reconstituted and
rebranded itself as BlackMatter, although it's difficult to be sure. Forcepoint has found
chatter on the high-tier Russian-language illicit forums XSS and Exploit, which suggests BlackMatter
is REvil's successor. BlackMatter registered itself on July 19th, and two days
later they advertised for people willing to sell access to large corporations in Australia, Canada, the UK, and the US.
Recorded Future says that BlackMatter claims to have incorporated the best, in a criminal sense, of both REvil and DarkSide.
REvil announced its occultation on July 13th, the same day XSS banned REvil's spokesman from the forum.
BlackMatter doesn't openly claim to be either REvil redux or a ransomware operation,
and so keeps narrowly within the forum terms and conditions.
But the wink-and-nod indirectness in their chatter suggests to Forcepoint that that's indeed who the new group may be.
Another ransomware gang that may be the successor of older notorious groups is Haron, whose emergence is described by S2W Lab. Haron's approach incorporates features of
both Thanos and Avaddon. So far, Haron has publicly claimed only one victim.
Cyber intelligence firm Kela this morning released its study of a new Russian-language forum that may, researchers think, become a new home for
ransomware-as-a-service operations. Called RAMP, the forum made its appearance this month. It too
seems to represent an evolution from earlier markets.
Kela says, quote, the forum emerged at the domain that previously hosted the Babuk ransomware data
leak site and later the Payload.bin leak site, end quote. RAMP hasn't been a runaway screaming
success, but it's attracted some interest. Registration is now closed, but will,
RAMP says, reopen in mid-August. It may draw criminal operators looking to work around other
forum bans on hawking ransomware. As Kela puts it, if the admins can leverage their competitive
advantage of welcoming ransomware-as-a-service programs, chances to grow are fairly high.
There's speculation from The Register, 9to5Mac, and others that this week's iOS fix addressed vulnerabilities exploited by NSO Group's Pegasus spyware.
In any case, iPhone users would be well advised to apply the update.
Zero days may draw a great deal of attention,
but a lot of frequently exploited vulnerabilities could be closed by patching.
This morning, a joint cybersecurity advisory was issued by the U.S. Cybersecurity and Infrastructure
Security Agency, the Australian Cyber Security Centre, the United Kingdom's National Cyber Security
Centre, and the U.S. Federal Bureau of Investigation.
You'll recognize them as the FBI.
The allied services list the top 30 vulnerabilities and briefly outline the mitigations that can be applied to avoid exploitation.
Good digital hygiene can go a long way.
As the report says, cyber actors continue to exploit publicly known and often dated software vulnerabilities against broad target sets,
including public and private sector organizations worldwide.
However, entities worldwide can mitigate the vulnerabilities listed in this report
by applying the available patches to their systems and implementing a centralized patch management system.
Even disputed, partially recognized states struggle with illicit coin mining.
Abkhazia, regarded as an independent republic by Russia, Venezuela, Nicaragua,
Nauru, and Syria, but seen by everyone else as a fractious, autonomous region of Georgia,
is, as Motherboard reports,
conducting almost daily raids to shut down coin mining operations.
The raids began in March and have, according to some accounts,
taken down almost 1,300 rigs. The miners' offense, fundamentally, is stealing power
and stressing the electrical grid.
And finally, Robin Sage meet Marcela Flores.
Iranian operators have for some time engaged in catfishing
to socially engineer access to targets in the UK, Western Europe, and North America.
Proofpoint today published a report on how the threat actor it tracks as TA456
spent years running a fictitious persona, Marcela Flores,
in a campaign designed to install LEMPO malware
in the machines of a targeted aerospace contractor.
LEMPO, Proofpoint explains,
was designed to establish persistence, perform reconnaissance,
and exfiltrate sensitive information.
The campaign is probably connected to the Islamic Revolutionary Guard Corps through its own contractor, the Iranian
company Mahak Rayan Afraz. TA456 is also known as Tortoiseshell and Imperial Kitten.
The approach worked as follows. Marcela Flores, Marcy to the would-be friends the catfish was wooing,
would begin with apparently benign emails that included what Proofpoint calls
a video to establish rapport and build rapport with the intended victim.
Another video was described as benign but flirtatious and included a OneDrive link.
A second OneDrive link from Marcy represented itself as a diet survey
with slacker leet-speak and sketchy idiomatic control,
but a smiling wink emoji.
A pro tip, this sort of stuff is not the kind of thing
that's normal interchange during professional networking.
We mention Robin Sage, and long-time listeners will recall that the fictitious Ms. Sage was
a persona created in 2009 by White Hats to test the gullibility of organizations in defense
and aerospace, both on the government and the industry side.
This mother-of-all catfish was represented as a 25-year-old analyst
at the U.S. Navy's NetWarCom,
an MIT graduate with 10 years' experience in the industry.
The name Robin Sage was itself a wink.
It's the name of a U.S. special operations exercise.
Some people were put on their guard by the implausible resume.
Others by their inability to find her through the
phone number in her profiles or an MIT alumni directory. And to their credit, neither the FBI
nor the CIA were taken in, but others were. While the winsome but quite non-existent Miss Sage
romped across the network for two brisk months, she received job offers from some big and sophisticated corporations
and lots of dinner invitations. After the gaff was blown, Robin Sage entered the hall of fame
of people who don't exist, right beside Bertrand Russell's present King of France. Anywho, back to
Marcy. Her profile identified her as an aerobics instructor at the Harbour Health Club in Liverpool.
She's probably not the only one used by Iran.
Catfish, that is, not Liverpudlian aerobics instructors.
As Proofpoint concludes,
TA456's dedication to significant social engineering engagement,
benign reconnaissance of targets
prior to deploying malware, and their cross-platform kill chain established TA456 to be one of the
most resourceful Iranian-aligned threats tracked by Proofpoint. The Marcela Flores persona is likely
not the only one in use by TA456, making it important for those working within or tangentially to the
defense industrial base to be vigilant when engaging with unknown individuals, regardless
of whether it is via work or personal accounts. So friends, watch out for the company you keep.
Do you know the status of your compliance controls right now? Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks. But get this, more than 8,000 companies
like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001. They also centralize key workflows
like policies, access reviews, and reporting
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more
at blackcloak.io.
Members of Congress have recently been proposing that the Department of Homeland Security
should undertake a study on hacking back, the notion that private organizations could go on
the offense in response to cyber intrusions. I recently spoke with Anup Ghosh, CEO of Fidelis
Cybersecurity, on the Caveat podcast to get his take on hacking back.
Every serious study I have seen has concluded this is a bad idea, primarily because attribution of attacks is very hard.
Also, oftentimes, attackers use public infrastructure. And so when you're hacking back, you're more likely hurting someone else other than whom you might intend.
And finally, the consequences of escalation can go very badly for victims.
So from a policy perspective, this is a bad idea.
And I think anyone who's studied it has reached the same conclusions. What are the comparisons to, you know, sort of real world crimes? You know,
if someone were to kidnap someone or someone were to, you know, physically restrict access to a
space or a business or something like that. There would be real-world reactions there.
Yeah, I think we do have real-world analogies here that hold up to some extent.
So, for example, think about someone breaking into your house, robbing you,
and then later you actually find out or you think you find out who it is
Right? Well, you might be tempted to go and try and get back your stuff and maybe cause some
pain on that person. We know, you know, first of all, this is illegal. Second, vigilantism typically doesn't end well, right?
And so for these reasons, we do have law.
We do have a justice system and law enforcement.
And the same holds true in the cyber domain.
We might think we know who got at us, but chances are we really don't. And anything we
attempt to do against the adversary outside of our own networks can end badly, just like it
might in the real world. Yeah, it strikes me too that, you know, even though we have robust laws
for defending your homestead, for example, the castle doctrine, you're not allowed to have booby traps all around your property.
That sort of thing isn't allowed.
Well, I think you bring up a really interesting point, which is you are allowed to defend your property, right? In many states, what is it, stand-my-ground
kind of laws, the castle doctrines you mentioned. And that actually does create a
guide, I think, in the security profession, that you are allowed to defend your network, right? And if you do encounter an adversary on your network,
you are allowed to engage and counter that adversary.
And actually, that's a discussion we should be having, in my mind,
is not the hack back.
It's the detect, respond, counter your adversary on your network. And you are allowed to do that by law. And there are different levels of detection and response you can take. Active defense is something that is getting more fluency now in security circles as a philosophy, as a doctrine, if you will.
Do you suppose there might be a communications gap here? As you and I have been talking about,
I think there is that powerful emotional component. And I think sometimes people feel
as though they're not being heard, that they're not seeing a direct and immediate response. And perhaps if
there was a way for law enforcement to say, look, we hear you, we see what's going on,
we're working on it, and trust us. Things are being done even though they might not seem
evident or immediate.
Yeah, and I don't think you'll really be able to build that trust until we see better results.
So, for example, an individual's business or machine being held ransom is not going to get the attention of the FBI, right? But a critical infrastructure like Colonial Pipeline
that ends up causing gas lines throughout the East Coast in the summer, that's going to cause
a lot of pain for politicians, for the president in particular. And we have seen some stronger words come out recently from the Biden administration
that it will hold Russia accountable.
And I think that is the right strategy going forward.
That's Anup Ghosh from Fidelis Cybersecurity.
There's a longer version of our conversation over on the Caveat podcast.
Check it out.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute
and also my co-host on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
Interesting article caught my eye.
This is written by Danny Palmer over at ZDNet.
It is about the ransomware gang Mespinoza.
Over on Hacking Humans, you and I talk about ransomware a lot.
And one of the things we've followed is kind of the evolution of ransomware, the ratcheting up of ransomware.
Real quick before we dig into this group, you want to just walk us through sort of the, you know, where ransomware began and where we are right now with it? Right. Ransomware began as a way of
encrypting individuals' files, right? They would attack people. They would, you know, home users,
anybody they could get their hands on. Right. Then ransomware started being able to spread itself.
And that gave the ransomware operators the opportunity to go after larger targets,
right? So if I can go into an enterprise now and encrypt all of their computers, then I can demand a larger ransom.
And rather than asking Dave Bittner to pay me $200 to decrypt his computer, I can ask SuperCorp for millions of dollars, and they might pay it.
So that's a higher rate of return.
Eventually, corporations started saying, well, we're just not going to pay the ransom.
We have backups.
We'll restore from that.
It's cheaper.
It's faster.
It's more ethical.
And then the ransomware guys, not wanting to lose their revenue streams, started exfiltrating data.
And that exfiltration of data then became a, essentially a data breach and they
would approach the, the, the people who they, these enterprises and say, not only have we
encrypted your data, but we've also exfiltrated it and we have it here.
Uh, and if you don't pay us, you can restore your own data.
That's fine, but we're going to publish or sell this other data.
Right.
We're going to publish or sell what we stole.
Yeah.
Uh, and that's been pretty effective.
Well, there's a new tactic from this Mespinoza group that is they go through the data that they've exfiltrated and they look for evidence of criminal activity, which they then use to ratchet up the demand for the ransom. So let's say I'm an organization and I fear, I've been having
interactions with my law firm or my legal team or my in-house lawyers. And I'm saying, hey,
I think we may have an exposure here. Maybe we didn't do things right. Maybe who knows what it
is. But it's a problem and I don't want anybody to know about it. And there's potential legal problems here. Right. Mespinoza does what?
They use that as a factor in the double extortion. So I've said often that you should not let the
fact that these guys have exfiltrated your data influence the calculus on whether or not you pay
the ransom. That's been my advice and my stance.
And my reasoning for that is you're dealing with criminals.
You really don't have any reason to trust them.
There's actually evidence to the contrary that they're going to keep the data confidential.
They're going to publish or sell it anyway, or they're going to come back and demand more money.
All that stuff happens.
And you've still suffered a data breach. That has still happened.
By paying them off and getting them to agree to silence, you have not eradicated a data breach.
That has still occurred. But now, if they go through the data and they see the evidence of some illegal activity, now they're going to say, oh, and by the way, not only are we going to
disclose this data, but we might also notify law enforcement about this piece of information, whatever it is
you found. It's the same tactic, but it's a new angle on that tactic that would make a vulnerable
organization much more likely to pay up. Much more embarrassing and, well, you know,
potentially legal implications as well.
Right. Yeah. Not only now are you dealing with the legal problems of a data breach, but now you're dealing with legal problems of past activity that may or may not have been illegal.
And in fact, the information or the activity may not be illegal.
It may just be something that you were like, okay, we have to mitigate this, right?
Or it may be something you've already taken care of and there's no more concern about it.
But you do not want that information becoming public and you don't want it – certainly don't want law enforcement knowing about it.
Yeah.
Right?
That's just more motivation.
What about ways to take the sting out of data exfiltration?
In other words, we hear about folks talking about encrypting all of your data at rest.
So is that effective? Is that practical? What do you think?
It's effective and practical.
You just got to make sure that you don't give these guys the access at some point in time
because they're still going to go after that.
If somebody exfiltrates a bunch of encrypted data, you can tell them,
well, go pound sand.
You know, that data is encrypted.
Good luck finding the keys for it.
But if they're smart enough and they're good enough, and this group is, I think Unit 42 calls them highly disciplined.
Yeah.
Right?
They know what they're doing.
They're pretty good, and nobody knows where they're operating out of.
So that's impressive that nobody knows where they're operating out of, and they've been doing this for over a year.
Mm-hmm.
So if they do exfiltrate encrypted data, that kind of mitigates that problem.
And then you technically have not suffered a data breach.
But these guys, what they're doing is fairly standard.
They're getting into enterprise computer systems via remote desktop protocol or RDP.
And the article says they don't know if they're using brute force or if they're phishing for credentials.
My money is on phishing.
I'll bet they're phishing for credentials
because that's fairly easy and inexpensive to do.
It's not a lot of overhead.
Yeah.
And it produces pretty good results.
Yeah.
Pretty effective.
Right.
So once they get in,
they also install backdoors of their own making,
which is devastating and very hard to get rid of.
I mean, you're going to have to go through and do all kinds of scanning of your network and every single endpoint on that network to find everything that they've put in there.
Right.
And these guys are very good at maintaining their presence. So best thing to do to mitigate this is before you suffer the data breach,
before you actually, before you suffer the credential leaking, is to implement multi-factor
authentication on your remote desktop protocol. Yeah. Yeah. Yeah. And if you're worried about
crimes you may have committed, encrypt your conversations about that.
Exactly. But I guess maybe we could back up and say, don't do crimes.
Yeah, yeah, you could do that.
Don't do crimes.
All right.
Well, Joe Carrigan, thanks for joining us.
My pleasure, Dave.
Thank you. I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Thank you. AI agents connect, prepare, and automate your data workflows, helping you gain insights,
receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.