CyberWire Daily - Vigilante action against Emotet. Third-party risks and data breaches. Cerberus is for sale. And WastedLocker ransomware and the fortunes of crime.
Episode Date: July 27, 2020
A vigilante appears to be interfering with Emotet’s payloads. A fintech breach is blamed on a third-party service provider. A list of Cloudflare users is dumped online. There’s a going-out-of-business sale over at the Cerberus cybergang. Malek ben Salem from Accenture Labs on DeepFake detection. Our own Rick Howard gathers the Hash Table to sort some SOCs. And Garmin, restoring its services after last week’s attack, may have been the victim of Evil Corp’s WastedLocker ransomware. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/144
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k.
A vigilante appears to be interfering with Emotet's payloads.
A fintech breach is blamed on a third-party service provider.
A list of Cloudflare users is dumped online.
There's a going-out-of-business sale over at the Cerberus cybergang.
Malek Ben-Salem from Accenture Labs on deepfake detection.
Our own Rick Howard gathers the hash table to sort some SOCs.
And Garmin, restoring its services after last week's attack,
may have been the victim of Evil Corp's WastedLocker ransomware.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, July 27th, 2020.
A vigilante is contesting control of the Emotet infrastructure with its criminal masters, ZDNet reports. About a quarter of all Emotet payloads are thought to be affected. The specific method of interference is replacement of the images that carry the malicious Emotet payload with harmless animated GIFs.
Emotet, you will recall, had for some time been reckoned among the more dangerous strains of crimeware in circulation. Its botnet went silent in the first week of February, but returned in its present form earlier this month. The vigilante's work was first observed last Tuesday. Who the vigilante might be is unknown, but speculation runs from it being an individual or crew from the security industry, to independent white hats, to a rival criminal gang trying to take market share from Emotet.
Digital banking app maker Dave, also a tech unicorn, and no relation to this host of your podcast, yesterday confirmed that it had sustained a data breach that exposed more than 7 million users' data, ZDNet reports.
The data lost include names, phone numbers, emails, birthdates, and home addresses.
Social security numbers were also lost but were apparently encrypted,
and passwords accessed in the breach are said to have been hashed.
Dave attributes the compromise to a breach at WayDev, a third party which was once a service provider.
The data have appeared on more than one hacking forum.
The most prominent release was by ShinyHunters on Raid, where the data were posted without charge.
For its part, Dave says that it's working with the FBI and that it's brought in CrowdStrike to help recover from the incident.
Interfax reports that Ukraine's National Security and Defense Council reports that some 3 million Cloudflare users have been named and their IP addresses identified in a dark web dump.
This story is still developing.
Hard times in the world of crime, at least for the gang responsible for Cerberus.
The Android banking trojan is up for sale.
Bleeping Computer reports that security intelligence firm Hudson Rock found the for-sale sign: the malware-as-a-service racket is auctioning itself off for a reserve price of $50,000.
If you'd prefer not to bid, then the whole shebang, customer list, installation guide, and source code, can be yours for $100,000 cash on the virtual barrelhead.
Why the sale?
According to the post offering to sell Cerberus, it's a matter of time.
The gang broke up, and the maintainer can't sit on the site 24-7 to provide users the promised support.
We hope Cerberus disappears, but it will probably be back under new management.
Last week's attack on Garmin is now believed to have been WastedLocker ransomware, Bleeping Computer says. The BBC reports that the extortionists demanded a $10 million ransom from Garmin. The company is continuing to restore its services.
Aviation services were first back up last week
and service for wearables returned over the weekend,
although some users are still complaining of problems.
The company has been relatively tight-lipped
concerning what it's characterized as an outage,
but Garmin has reassured its customers
that to the best of its knowledge,
none of their data are at risk.
The perpetrators are thought to be the Evil Corp Russian cybergang.
Evil Corp was placed under U.S. sanctions in December of last year,
and that complicates the risk calculation of any victim that might be considering paying the ransom.
We note that there's been no suggestion we've seen that Garmin is interested in doing this.
Paying Evil Corp would itself constitute a violation of U.S. sanctions
and could expose any victim who paid to legal consequences.
So what's up with Evil Corp?
Here we turn to British tabloids and the American feds for enlightenment.
Fleet Street, which glories in lurid tales of crime, has published some screamers over the weekend about Maxim Viktorovich Yakubets, generally regarded as Evil Corp's proprietor. Permit us to share some of them.
The Daily Mail calls him a 33-year-old Russian playboy hacker who drives a customized $250,000 Lamborghini that sports vanity plates featuring the word vor, that is, thief.
He shares the Russian underworld's odd predilection for making pets of exotic big cats,
in his case, a pet tiger and lion cubs.
The Mail cites, as evidence of his immunity from molestation by Russian police, Mr. Yakubets' selfie videos of doing donuts around cop cars in his tricked-out Lambo, which apparently don't even get him a traffic ticket.
The Sun points out, complete with glamour shots and wedding photos, that Mr. Yakubets is married to the glamorous and well-connected Alyona Bendiarskaya, whose daddy is a senior retired officer in Russia's FSB,
one of the KGB's successor agencies.
Papa is said to have popped for a €250,000 wedding at a golf club,
which the Sun reports on rather breathlessly,
as if all of this is a bad thing or something.
Maybe there's something to that,
since traditionally golf was regarded as a decadent Western sport over in Russia.
But times change.
And as for those £250,000 spent on cake, DJ, hall renting, catering, specially printed paper, napkins, and so on,
well, come on, it was the bride's special day.
Where's the love?
But anywho, any of that high-octane social juice is said to explain, in part,
why Mr. Yakubets enjoys the apparent immunity he does from arrest in Russia.
A more significant piece of the explanation, at least as seen through Anglo-American eyes,
is that Mr. Yakubets is in cahoots with the FSB.
That is, his gang is among those the official Russian organs call upon for various services against those they wish to damage in cyberspace.
That's what the U.S. Treasury Department said when they lowered the sanctions boom last December.
So, Mr. Yakubets is wanted by the U.S. FBI for conspiracy and conspiracy to commit fraud, also for wire fraud, bank fraud, and for intentional damage to a computer.
The Bureau is offering up to $5 million for information leading to Mr. Yakubets' arrest and conviction.
He and his associates remain at large, and they're expected to do so until they either wear their welcome out at home or decide to do something rash like vacation in Florida, which when we last checked had an extradition agreement in place with the United States.
Still, trying to check in at the Disney World Four Seasons seems like a logical next step for one consumed by criminal hubris, or at least someone with a major urge to visit the happiest place on earth. And whatever they may say, that ain't the Arbat.
Rick Howard is the CyberWire's Chief Security Officer.
He is also our Chief Analyst.
But more important than any of that, he is the host of the CSO Perspectives podcast over on CyberWire Pro.
Rick, great to have you back.
Thank you, sir. It's great to be here.
We are deep into Season 2. I guess not too deep, episode two of season two, and you are kicking off something you're calling your hash table interviews. What's going on here?
Yeah, we're bringing in a new element. We're calling it the hash table interviews. We talked about this last week, but I cajoled a bunch of my friends and thought leaders and just really smart people about coming on and talking about a specific topic.
And this show will be the first time that we do that.
And it turned out really well.
All right.
So I think you guys will all be pleased with the results.
Yeah.
Yeah.
I was able to listen to a preview and it is compelling content.
Take us through some of the stuff you're covering this week.
Well, the thing I want to point out here is that, you know, we've been talking about what are the skill sets for, you know, just generally cybersecurity people, but specifically in this episode, what does a SOC analyst need?
And for the last five or six years, CISOs have been talking about just table stakes these days as not really having a deep computer science background or some deep technical math background.
A little bit helps.
But what you really need is be able to learn on your own.
Okay.
And because I'm not going to solve your problem for you.
I'm going to hand you this big dripping bag of problems and expect you to figure it out.
Right.
And so that's kind of been the general theme.
But I was talking to Kevin Ford on the show. He's the CISO over the state of North Dakota, which is, this is a fascinating job. And we could probably spend three hours talking about that. But he has a different take, or at least an additional take on this, right? But before I play the clip, okay, just you have to know that Kevin cut his teeth as a young network defender at NASA, right? That's a cool job. He was a master information assurance and security specialist. So he's kind of a space nerd, just like you and me.
Yeah.
So here's the clip.
You know, I'm looking for the astronauts. I'm looking for the people who won't buckle. And generally, those people are the people who will have a conversation with you and be very genuine. They won't be afraid to tell you they don't know something. They won't be afraid to tell you, hey, I'll try to do this, but no guarantees. Because I want people I can trust, not a bunch of yes men and women, when we're doing incident response. I want people who aren't afraid to fail. And so that's something I really try hard to instill in the team is that, you know, don't be afraid to fail. We need to try things.
And one of my metrics is hold your beer moments. So however many hold my beer moments we've had within the SOC in a week, I take more as good, as long as, you know, as long as smoke's not coming out of the machines and something's on fire, right? But if we've tried some pretty interesting things and failed, okay, well, at least we tried. And now we know and we've learned lessons. You know, the more lessons you've learned by the time you have, you know, your big event or your big breach, the better off you're going to be.
Wow. Interesting stuff.
I love both of those points, right? He's looking for people who will not buckle in a crisis, which is, you know, I guess I just always assumed that, but it's great to point it out. And also people willing to try, and I love this phrase he uses, hold my beer events inside a SOC.
It kind of reminds me, remember Samuel Jackson in Jurassic Park?
Yeah.
They had to bring back the power to the whole thing,
and they basically do a reboot of the system.
And when he does it, he goes, hold on to your butts.
Okay, that's my hold my beer moment.
All right.
Well, we'll look forward to checking it out at CSO Perspectives over on CyberWire Pro.
Do check it out.
Rick Howard, thanks for joining us.
Thank you, sir.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Clear your schedule for you time
with a handcrafted espresso beverage
from Starbucks.
Savor the new small and mighty Cortado.
Cozy up with the familiar flavors of pistachio
or shake up your mood with an iced brown sugar oat shaken espresso.
Whatever you choose, your espresso will be handcrafted with care at Starbucks.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Malek Ben-Salem.
She is the Americas Security R&D Lead at Accenture Labs.
Malek, it's always great to have you back.
I want to touch today on deepfakes,
and particularly, how do you go about detecting if someone has generated a deepfake?
Hi, Dave.
Yeah, as you know, deepfakes are becoming a real problem. You know, deepfakes first are known as these manipulations to image, sound, or video content that can be subtle, but, you know, they may have drastic consequences. And so Accenture wanted to look into this problem.
There are a number of deepfake detection models that have been proposed that look at the facial expressions and extract the subject's facial expressions from the frames in a video. And based on that, they're trying to predict whether the video is a deepfake or not. But there have been limitations to those models. They mostly rely on CNNs, the convolutional neural networks, which show great ability in detecting the deepfakes when they're trained with data, but their main limitation is that they cannot generalize, meaning that if you expose them to data that they have not seen before, to videos they have not seen before, they are unable to accurately predict whether the video at hand is a deepfake or not.
So within my lab, what we wanted to look at is address this problem of lack of generalizability, or what we call overfitting to the training data that was used to build the model. And in order to do so, we built some additional models that work hand-in-hand with the full-face CNN model to make this prediction.
So you end up with an aggregate model, a primary model that is the full face CNN and a secondary model that itself is made up of weaker models that look at certain features within the image or within the facial expression.
So you may have a model looking at the chin.
You may have a model looking at the blur in the image, etc. All of these secondary or weaker models are making their own predictions. The secondary model is evaluating all of them and making its own prediction. And then we aggregate that with the main full-face CNN model to come up with a final prediction whether the video at hand has been deepfaked or not.
And this approach, we think, will be much more robust, less vulnerable to overfitting, and will be able to predict deepfakes at reasonable accuracy when it sees previously unseen data.
So is the idea here that I could have a video clip,
I could load it into the type of system that you're describing,
and it would, I don't know, come back with a percentage number or something
and say with this amount of confidence, we think this either is or is not a deepfake?
Exactly. It will come up with that likelihood assessment
of whether this is a deepfake video or not.
And is this, to a certain degree, a game of cat and mouse?
I mean, as the deepfakes get better,
and I suppose they would react to the type of things
that you're developing here to try to stay one step ahead of you.
This has been, yeah, a cat-and-mouse game, and it will continue to be so, as in anything in security, I suppose.
So we'll just have to keep improving the technology
as our adversaries keep improving theirs.
Yeah, yeah.
All right, well, interesting work for sure. Malek Ben-Salem, thanks for joining us.
Thank you, Dave.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.