CyberWire Daily - Verizon's 2022 DBIR shows a sharp rise in ransomware. Origins of Chaos ransomware. GuLoader’s phishbait. Malicious proofs-of-concept. Hyperlocal disinformation and hybrid warfare. Robin Hood?

Episode Date: May 24, 2022

Verizon's 2022 Data Breach Investigation Report shows a sharp rise in ransomware. Origins of the Chaos ransomware operation. The GuLoader campaign uses bogus purchase orders. Security researchers are targeted in a malware campaign. Hyperlocal disinformation. Turla reconnaissance has been detected in Austrian and Estonian networks. Ben Yelin describes a content moderation fight that may be headed to the Supreme Court. Our guest is Richard Melick from Zimperium to discuss threats to mobile security. Robin Hood (or not).

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/100

Selected reading.
2022 Data Breach Investigations Report (Verizon Business)
Yashma Ransomware, Tracing the Chaos Family Tree (BlackBerry)
Spoofed Saudi Purchase Order Drops GuLoader: Part 1 (Fortinet Blog)
Malware Campaign Targets InfoSec Community: Threat Actor Uses Fake Proof of Concept to Deliver Cobalt-Strike Beacon (Cyble)
Network of hyperlocal Russian Telegram channels spew disinformation in occupied Ukraine (CyberScoop)
Russian hackers perform reconnaissance against Austria, Estonia (BleepingComputer)
New ransomware forces victims to donate to poor (The Independent)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Verizon's 2022 Data Breach Investigation Report shows a sharp rise in ransomware. Origins of the Chaos ransomware operation. The GuLoader campaign uses bogus purchase orders. Security researchers are targeted in a malware campaign.
Starting point is 00:02:17 Turla reconnaissance has been detected in Austrian and Estonian networks. Ben Yelin describes a content moderation fight that may be headed to the Supreme Court. Our guest is Richard Melick from Zimperium to discuss threats to mobile security. And a ransomware group acts like Robin Hood. Or not. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, May 22, 2022. Verizon has published its 2022 data breach investigation report, finding that ransomware rose by 13% last year, a greater increase than the previous five years combined. 82% of breaches involved the human element,
Starting point is 00:03:19 which encompasses phishing, stolen credentials, misuse, or error. fishing, stolen credentials, misuse, or error. The researchers also found that supply chain breaches were behind 62% of intrusions last year. Verizon writes, there are four key paths leading to your estate, credentials, fishing, exploiting vulnerabilities, and botnets. All four are pervasive in all areas of the DBIR, and no organization is safe without a plan to handle each of them. And while the rise in ransomware features prominently in the report, Verizon notes that ransomware by itself is, at its core, simply a model of monetizing an organization's access. Researchers at BlackBerry have published a report outlining the genealogy of the Chaos
Starting point is 00:04:06 ransomware family, detailing six versions of the malware that have been released since it first surfaced in June 2021. BlackBerry found that Chaos has ties to the Onyx and Yashma ransomware strains, although Chaos initially and unsuccessfully claimed to be an offshoot of Raiuk. It wasn't. The false claim was evidently a reach for C2C credibility. Fortinet had earlier tracked Chaos's rise to prominence as its operators declared their adherence to the Russian cause in Moscow's war against Ukraine. BlackBerry notes that Chaos has advanced beyond its beginnings as a relatively basic operation and has now evolved into a flexible, widely available, and difficult-to-track malware
Starting point is 00:04:52 operation. Fortinet reports that they have found a phishing email that drops GooLoader targeting a Ukrainian coffee company. GooLoader, which is also known as CloudEye and VB Dropper, is used to drop other malware variants. The phishing email presented itself as a purchase order from an oil company in Saudi Arabia with a PDF containing an executable for Guloder. The attack is unique in that it uses the less common Nullsoft Scriptable Install System, NSIS,
Starting point is 00:05:27 a script-driven installer authoring tool for Windows, to deploy itself. FortiGuard Labs calls it a medium-severity threat for Windows users. Bleeping Computer reports that security researchers were the target of a threat actor using fake Windows proof-of-concept exploits that infected devices with the Cobalt Strike backdoor. Cobalt Strike is an often-abused but legitimate pen-testing tool. The threat actor took advantage of recently-patched Windows remote code execution vulnerabilities, presenting themselves as a security researcher
Starting point is 00:06:01 who used the fix to inspire two proof-of-concept exploits for the flaw on GitHub. The exploits were quickly found to be fake. Hyperlocal sites have been marshaled by Russian influence operators to normalize the occupation of Ukrainian villages controlled by Russian forces, CyberScoop reports. They source their story to Detector Media, which says that the effort is being organized over Telegram. Detector Media writes, We managed to find 88 newly created Telegram channels of the occupiers. However, their list is growing.
Starting point is 00:06:37 The vast majority of such channels were registered a few days after February 24th. A significant part of local channels was created long before the actual military occupation of the cities, and some of those are the ones that the Russians did not manage to occupy. Conventionally, such channels can be divided into two categories. Those that can act as official sources
Starting point is 00:06:59 of the occupiers, that is, such telegram channels post on behalf of the occupiers. For is, such telegram channels post on behalf of the occupiers, for example, inform about humanitarian aid or call for reporting on the movement of Ukrainian military equipment, and those that mimic the media's behavior, publish news about the occupied city or village, but are overfilled with propaganda and misinformation. The content mirrors familiar Russian lines of disinformation, Ukrainian corruption and failure, the Western conspiracy behind the war, the promise of liberation, and so on. The evidence of Russian creation and coordination that Detector Media
Starting point is 00:07:37 cites is circumstantial but convincing. Bleeping Computer reports that the Russian threat actor Turla, also known as Snake or Venomous Bear and associated with the FSB, has staged typo-squatting domains for use against Austrian and Estonian targets. The activity so far represents a cyber
Starting point is 00:07:59 reconnaissance phase of battle space preparation. It is, as the Sequoia researchers who discovered it say, a fishing campaign. And finally, the Independent describes research by CloudSec that outlines the operations of the Goodwill Ransomware Group, a gang that, instead of conventional ransom, asks its victims to do something good for the less fortunate. As the threat group's name suggests, and we hasten to say that there's no connection here with the well-known legitimate charity Goodwill, the operators are allegedly interested in promoting social justice rather
Starting point is 00:08:37 than conventional financial reasons. The actors suggest that victims perform three socially driven activities in exchange for the decryption key. Donate new clothes to the homeless, record the action and post it on social media, take five less fortunate children to Domino's, Pizza Hut or KFC for a treat, take pictures and videos and post them on social media, and provide financial assistance to anyone who needs urgent medical attention but cannot afford it at a nearby hospital, record audio, and share it with the operators. Or so they say. The Independent says it's been unable to determine whether any of those affected have paid it forward or sideways or in whatever direction one pays this kind of ransom.
Starting point is 00:09:37 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
Starting point is 00:10:12 and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:11:00 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. mobile security platform developer zimperium recently released the results of their global mobile threat report which analyzes the state of mobile security worldwide for insights on their findings i checked in with richard mellick director of threat reporting at zimperium so you have your personal device which is your information, which we should still be securing against.
Starting point is 00:11:49 And then there's the corporate-provided device. That corporate-provided device, the standard operating procedure right now is to deploy out that device with a mobile device management solution installed on it. And that is your, quote-unquote security layer. I am here to tell you, you can quote me on this, mobile device management is not security. It is not capable of protecting against phishing. It is barely capable to detect an alert of a jailbroken or compromised device. You can deploy out policies and say what apps are installed and what apps are not. But what if those apps are compromised? What about sideloading, where it's not going
Starting point is 00:12:31 through the official Play Store, or somebody goes to a compromised website through a phishing link, or an email? What if they're connecting into a compromised network. Those security controls do not exist within mobile device management. And that's what is applied towards employee-owned devices. But in this day and age right now, according to our data, 66% of the smartphones in the enterprise are employee-owned. 55% of the tablets are employee-owned. So this massive one in, almost one in three, let's just focus on the smartphones, one in three, or sorry, two in three of the devices connected into enterprises are BYOD. So we're not carrying around two devices.
Starting point is 00:13:15 That's not happening anymore. You're not deploying out a mobile device management solution onto my personal device. Why? Because that's compromising my privacy. I'm not putting my privacy in the hands of somebody I don't know. This is my device. I paid for it. You're not paying the bill, none of that.
Starting point is 00:13:34 And I say that even now, if somebody was coming to me and say, in order to be employed here, we're going to install mobile device management on your device so we can wipe your device if something was to happen. It's like, absolutely not. I will buy a second device that you can do that to. Or we will work something out. But my personal device is my personal device.
Starting point is 00:13:52 And now we have that problem. Let's go back to what I originally started off with. Technologically, there's not much of a difference between the iPhone and the MacBook or the Android devices and a Chromebook or a Windows device. All these devices are computers. Why are we only applying advanced security solutions to the larger devices that don't fit our pockets when they have access to the exact same data as the mobile device that fits in my pocket? And that's where we need to get to. We need to start going and saying, we need security solutions for the applications and the endpoints that we carry.
Starting point is 00:14:29 It does not matter what it is. And it needs to be an advanced solution that understands what a threat is. And this is not a pitch. This is just the idea of, why does my laptop get all the cool security features and my phone does not? But isn't it partially that the
Starting point is 00:14:45 mobile operating systems don't allow for this? Allow for what? That's a broad question there, Dave. Well, I mean, they don't allow the security device to have the global access to the device that I think security apps are used to on a desktop computer. Yes and no. So security devices, security applications do not get kernel access. That's where the limitation comes. That's the big difference. And that's fantastic.
Starting point is 00:15:16 That's a great security layer. The kernel access is a technological limitation for the traditional approach towards endpoint security on a mobile device. That said, there are the other layers of security that can be implemented, such as phishing protection, network protection, application scanning, and the likes that can go onto this endpoint, onto this mobile endpoint, and say, okay, you are about to connect to a known malicious network based off multiple vectors of data that's been fed
Starting point is 00:15:46 in. Or, hey, this application that you're downloading is a privacy risk. Here's why. That link you're about to click on is going to go to a compromised website or is going to try to collect your information or sideload an application. There are other ways to protect the mobile ecosystems against the threats that are different in some ways than traditional security, but also very similar. Artificial intelligence still exists for the mobile ecosystems. The idea of what does a threat look like in mathematical terms can be applied towards application scanning and phishing
Starting point is 00:16:30 and phishing protection or network scans and man-in-the-middle attacks. So there is those software controls that can be installed on the iOS and Android ecosystems, but that idea, though, is that it's not the exact same as traditional space. You know, based on the information that you've gathered here for this report, what are the take-homes? I mean, what do you want people to come away from reading this report to what's the action
Starting point is 00:16:57 item here? Take-home is that the mobile security space is one that we do not need to be dismissing. What we have are devices that have been forgotten about or accepted in their current state for so long, we have to start re-educating the market. And this report, I hope, is the start of that re-education as we start to build up towards the larger conversation of addressing the full attack surface of everybody from the SMBs all the way up to the large enterprises. The trends do not lie. The data does not lie. The vulnerabilities, the exploits, the attacks, the trends, the human element that we have all trained against on the traditional desktops,
Starting point is 00:17:46 the traditional endpoints, are still applicable on the mobile devices. That's Richard Mellick from Zimperium. Cyber threats are evolving every second, and staying ahead is more than just a challenge. Thank you. to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And joining me once again is Ben Yellen. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast.
Starting point is 00:19:00 Hello, Ben. Good to be with you, Dave. So over on Caveat, over the course of the past couple of weeks, actually, we have been tracking some interesting court decisions coming out of Texas and Florida. And these two decisions may be on a collision course here. They have some policy implications for those of us in cyber. Can you give us the rundown? What's going on here, Ben?
Starting point is 00:19:21 Sure. So we have two separate state statutes that are very similar, one in the state of Texas and one in the state of Florida. The basic idea behind these statutes is to regulate content moderation among big tech platforms. So there's this general allegation that the tech platforms are biased against particularly people with a conservative ideology. against particularly people with a conservative ideology. So what these laws say is it is illegal in the state of Texas to make any content moderation decisions that are biased in terms of their viewpoint
Starting point is 00:19:55 or are biased in terms of their politically biased or ideologically biased in terms of their viewpoint. So Texas passed a law first. It's House Bill 20. And a district court, so the lowest level of federal court, held that that law was unconstitutional. Basically what they said is companies like Twitter and Meta and whomever have their own First Amendment free speech rights.
Starting point is 00:20:20 They have the right to make content moderation decisions. They have the right to make content moderation decisions. And in the name of trying to foster free speech, what these state legislatures have actually done is restrict the free speech rights of this private entity, these tech companies. I see. So that was the district court decision in Texas. That was appealed by the state of Texas to the Fifth Circuit Court of Appeals. And they vacated the district court decision, meaning they superseded it. And as a result, the Texas law is now in place.
Starting point is 00:21:02 It is illegal in the state of Texas currently to have viewpoint discrimination in one's content moderation decisions. This was a big surprise. We didn't get much from the Fifth Circuit in terms of its reasoning. All they said was that the decision of the lower court, the district court, had been enjoined, meaning it had been stopped. But there was no explanation as to how they saw the constitutionality of this issue. Now, there were a lot of raised eyebrows from legal experts and scholars and so forth, right? Yeah, it was rather shocking.
Starting point is 00:21:30 I mean, I don't think anybody thought – I think a lot of scholars thought that the purpose in terms of these state legislators was just to make a point about content moderation knowing that the courts would strike it down. I see. But you wanted to get the political message out there, pass a law saying that you think that these platforms are biased and make the courts do something about it. I mean that's a well-worn tactic of political advocacy. But the Fifth Circuit, shocking everybody, said, OK, we're going to let this law go into place. Don't throw me in the briar patch.
Starting point is 00:21:57 Exactly. The tech companies seemingly right now really have no idea how to comply with the statute. They don't know how it's going to be enforced. Okay. They are unsure if they're going to be sued for their content moderation decisions, which decisions they're going to be sued for. I think there is a bit of a panic among these tech companies. And as a result, they have appealed this decision to the United States Supreme Court.
Starting point is 00:22:24 The Supreme Court could step in at any time and vacate the decision of the Fifth Circuit. They have not yet done so. But that's certainly an option that's out there. But that takes us to Florida. That takes us to the great state of Florida. So Florida passed a similar law, Senate Bill 7072. This bill is nearly identical. It made its way up to the 11th Circuit Court of Appeals, which is the appeals court for the Southeast United States.
Starting point is 00:22:48 And that court came to the opposite conclusion, saying that this type of ban on viewpoint-based content moderation is unconstitutional. The state of Florida and, for that matter, the state of Texas have tried to argue that even though these are private companies, they are so-called common carriers. Generally, our government is allowed to regulate private companies if they are common carriers where they are the entity that fills some sort of service on behalf of the government. So whether that's transportation, something like the railroads who had a monopoly on transportation in the 1800s, or something like telecommunications company where there really is no government institution who's performing these functions. So the common carriers step in and it's kind of their prerogative to enforce constitutional rights. That's the argument that Florida and Texas have been making. What the 11th Circuit said in this decision is these are not common carriers. These are private companies, and they have the right to police their own services as they see fit. That is a vestige of their free speech rights. Content moderation itself is a form of free speech. And one really interesting element of this decision
Starting point is 00:24:05 was the fact that critics can even claim that they're being discriminated against by social media platforms. The fact that Florida legislators can do that is evidence itself that the companies are First Amendment speakers in terms of how our Constitution works. One CNN reporter who was reviewing this decision called it the judicial equivalent of pointing out a, quote, self-own, which I thought was
Starting point is 00:24:34 very well put. So this could be on its way to the Supreme Court then? Absolutely. So I think we are on a collision course here. We have two judicial circuits who have come to opposite conclusions as to the constitutionality of these types of laws. I don't believe Florida and Texas are going to be the only states who try some type of regulation on big tech content moderation. So we might see more cases like this. And because we have a disagreement among circuits, I think it's very likely that this is an issue that's going to make its way to the Supreme Court. Now, they could weigh in at any time and say the Fifth Circuit went over its skis and that decision is going to be vacated. The district court decision would go back into effect and the law would no longer be in effect.
Starting point is 00:25:25 Or they could hear either of these cases on the merits. And I think we might see that next year. There might be oral arguments where we have a discussion about whether these platforms have, as private actors, a constitutional right to free speech or whether they can be regulated like common carriers. All we know so far from the Supreme Court is that one justice, Justice Thomas, has at least entertained the idea that big tech companies can be considered common carriers and can be subject to this type of regulation.
Starting point is 00:25:55 We don't really know how the other eight justices feel on this issue, although I will say that Justice Thomas is part of the ideological majority on the Supreme Court. So it's certainly not out of the question that the Fifth Circuit holding on this would prevail. So we are in limbo, but I do think this is headed to some sort of final resolution of the Supreme Court. All right. Stay tuned. Ben Yellen, thanks for joining us. Thank you. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:26:44 The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
Starting point is 00:28:13 That's ai.domo.com.
