CyberWire Daily - Wipers, tak; grid takedown, nyet. Twitter 0-day exploited before patching. NHS 111 recovering from cyberattack. Notes on the C2C underworld.
Episode Date: August 8, 2022
Shifting cyber threats during Russia's war against Ukraine. A Twitter exploit may have compromised more than 5 million accounts. A cyberattack disrupts NHS 111. Developments in the C2C market. An alleged Russian cryptocurrency exchange operator is extradited to the US. Rick Howard looks at FinTech. Andrea Little Limbago from Interos on industrial policy and the tech divide. And a crypto mixing service has been sanctioned by the US Treasury Department. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/151
Selected reading.
ESET Threat Report T1 2022 (WeLiveSecurity)
Twitter confirms zero-day used to expose data of 5.4 million accounts (BleepingComputer)
NHS 111 software outage confirmed as cyber-attack (BBC News)
Ministers coordinate response after cyber-attack hits NHS 111 (the Guardian)
Thousands of hackers flock to 'Dark Utilities' C2-as-a-Service (BleepingComputer)
Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns (Cisco Talos)
Genesis Brings Polish to Stolen-Credential Marketplaces (Sophos)
Cyber-related Designation (U.S. Department of the Treasury)
U.S. imposes sanctions on virtual currency mixer Tornado Cash (Reuters)
Crypto Mixing Service Tornado Cash Blacklisted by US Treasury (CoinDesk)
Alleged Russian Cryptocurrency Money Launderer Extradited to United States (US Department of Justice)
Russian accused of money laundering and running $4B bitcoin exchange extradited to US (CNN)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Shifting cyber threats during Russia's war against Ukraine.
A Twitter exploit may have compromised more than 5 million accounts.
A cyber attack disrupts NHS 111.
Developments in the C2C market.
An alleged Russian cryptocurrency exchange operator is extradited to the U.S.
Rick Howard looks at fintech.
Andrea Little Limbago from Interos on industrial policy and the tech divide.
And a crypto mixing service has been sanctioned by the U.S. Treasury Department.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, August 8th, 2022.
The opening phase of Russia's hybrid war was marked by a series of wiper attacks that at the time seemed to
foreshadow a more extensive cyber campaign to come, but failed to live up to the promised
menace of the preparation. ESET's threat report T1-2022 offers some perspective on the early
attacks, some of their after-effects, and their less-than-fully-successful successor
operations. ESET says, "On the eve of the Russian invasion of Ukraine, ESET researchers discovered
new data-wiper malware deployed in Ukraine on that day, which was installed on hundreds of machines
in at least five organizations in that country. The attack came just hours after a series of distributed
denial-of-service onslaughts knocked several important Ukrainian websites offline. The data
wiper was first spotted just before 1700 local time, 1500 UTC, February 23rd. ESET researchers
assess with high confidence that the affected organizations were compromised well in advance of the wipers' deployment."
The early access and staging are significant insofar as they indicate Russian preparation for hybrid combat.
Another familiar attack failed, even with the malware in question being deployed in a new version. The Sandworm threat actor, also known as Voodoo Bear,
and for some time identified as Unit 74455 of the GRU,
had been active with some success against sections of the Ukrainian power grid as early as 2015.
It attempted to hit high-voltage electrical substations again in early April of this year,
but without success.
ESET says,
"For over five years, ESET researchers have wondered why Industroyer,
as sophisticated as it was, was never deployed again.
This April, the wait was over when we collaborated with CERT-UA
to respond to a cyber incident affecting an energy provider in Ukraine and
help to remediate and protect this critical infrastructure. The collaboration resulted
not only in the disruption of the attack, but also in the discovery of a new Industroyer variant,
which we, together with CERT-UA, named Industroyer2. In this case, the Sandworm attackers made an
attempt to deploy Industroyer2 against high-voltage electrical substations in Ukraine."
In addition to Industroyer2, Sandworm used several destructive malware families, including CaddyWiper, OrcShred, SoloShred, and AwfulShred.
ESET researchers don't know how attackers compromised the initial victim,
nor how they moved from the IT network to the industrial control system network. If successful, this attack could have left 2 million people without electricity,
claimed Farid Safarov, Ukraine's deputy minister of energy.
As it was, the attempt failed.
On Friday, Twitter disclosed a cyber attack that compromised some users' personal information.
Twitter says, "If someone submitted an email address or phone number to Twitter's systems, Twitter's systems would tell the person what Twitter account the submitted email address or the phone number was associated with, if any.
This bug resulted from an update to our code in June 2021.
When we learned about this, we immediately investigated and fixed it.
At that time, we had no evidence to suggest someone had taken advantage of the vulnerability."
But it turned out that a threat actor had exploited the vulnerability to collect personal
information before Twitter applied the patch and was now offering the stolen data for sale.
Twitter is in the process of notifying affected users. Bleeping Computer reports that some 5.4
million accounts were scraped
for personal data before the vulnerability was fixed.
A cyber attack against a third-party provider has disrupted Britain's National Health Service's
NHS 111 online service, an advice and scheduling platform designed to make it easier and quicker
for patients to get the right advice
or treatment they need. Advanced, a digital services provider for NHS 111, detected the
attack on Thursday. The BBC says the target of the attack was the system used to refer patients for
care, including ambulances being dispatched, out-of-hours appointments bookings, and emergency prescriptions.
The Guardian reported on Saturday that the government was organizing a coordinated resilience response
and that recovery might well take into this week.
There's so far been no public attribution of the attack,
but the Telegraph says that an unnamed nation-state is suspected.
Investigation, like recovery, remains a work in progress.
There are two noteworthy developments in the criminal-to-criminal marketplace.
First, as Bleeping Computer reported on Thursday,
a service that calls itself Dark Utilities offers command and control as a service for criminal clients.
Researchers at Cisco Talos describe the service as a platform that provides full-featured C2 capabilities to adversaries.
It's marketed to the underworld as offering affordable remote access,
command execution, distributed denial-of-service attacks,
and cryptocurrency mining operations on infected systems.
Subscribers can get command-and-control-as-a-service for an initial fee of just under 10 euros.
Dark Utilities has some 3,000 active subscribers.
In another C2C subsector, the initial access broker marketplace where stolen credentials are hawked, the Genesis marketplace is said to deliver its wares with sophistication and polish. Researchers at Sophos
described the service, which has been active since 2017, as follows. Genesis, called Genesis
Marketplace or Genesis Store or Genesis Market, the site refers to itself inconsistently,
is an invitation-only marketplace.
It sells stolen credentials, cookies, and digital fingerprints
that are gathered from compromised systems,
providing not just the data itself but well-maintained tools to facilitate its use.
On Thursday, Alexander Vinnik finally arrived in the U.S., extradited from
Greece. Mr. Vinnik, the U.S. Department of Justice announced Friday, faces money laundering charges
in connection with BTC-e, an exchange that allegedly catered to the criminal-to-criminal market.
Assistant Attorney General Kenneth A. Polite Jr. of the Justice Department's Criminal
Division said, "After more than five years of litigation, Russian national Alexander Vinnik
was extradited to the United States yesterday to be held accountable for operating BTC-e,
a criminal cryptocurrency exchange which laundered more than $4 billion of criminal proceeds."
And finally, in a cyber-related designation,
the U.S. Department of the Treasury this morning added Tornado Cash to the department's specially designated nationals list.
Tornado Cash is a virtual currency mixer,
and the Treasury Department has concluded that this particular mixer
is implicated in laundering the proceeds of cybercrime.
In particular, Reuters reports,
the department is concerned about the uses North Korea's Lazarus Group has made of Tornado Cash.
The immediate effect of the sanctions, CoinDesk notes,
is that U.S. persons will no longer be able to use the mixer.
This is the second virtual currency mixing service
Treasury has sanctioned for connections with North Korea.
Blender.io came under sanction early this past May.
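The Twitter bug described above is an account-discoverability leak: a lookup that maps a submitted email address or phone number to the account that registered it, handed to anyone who asks. The Python below is an added illustration, not code from this episode or from Twitter; it shows that lookup in its vulnerable form beside a hardened form that honours a per-user opt-in and gives the same answer for "not opted in" and "not registered", plus the bulk probe an attacker runs against each, and a per-caller budget as a second layer. The User records, handles, contact values, the discoverable_* flags and the caller identifiers are all constructed for the example.

```python
"""Contact-to-account lookup: the leak pattern beside a hardened form.

Added illustration, not Twitter's code. The User records, the handles
and the discoverable_* opt-in flags are constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class User:
    handle: str
    email: str
    phone: str
    discoverable_by_email: bool = False   # assumed per-user opt-in settings
    discoverable_by_phone: bool = False


# Constructed sample directory; none of these are real accounts.
USERS = [
    User("alice", "alice@example.com", "+15550100", discoverable_by_email=True),
    User("bob", "bob@example.com", "+15550101"),
    User("carol", "carol@example.com", "+15550102", discoverable_by_phone=True),
]


def lookup_vulnerable(contact: str) -> Optional[str]:
    """The bug pattern: any caller learns which handle a contact belongs to,
    regardless of what the account owner chose."""
    for u in USERS:
        if contact in (u.email, u.phone):
            return u.handle
    return None


def lookup_hardened(contact: str) -> Optional[str]:
    """Only answers when the owner opted in for that contact type, and gives
    the same answer (None) for 'not opted in' and 'not registered', so a
    probe cannot tell the two apart."""
    for u in USERS:
        if contact == u.email and u.discoverable_by_email:
            return u.handle
        if contact == u.phone and u.discoverable_by_phone:
            return u.handle
    return None


def scrape(lookup: Callable[[str], Optional[str]], candidates: list[str]) -> dict[str, str]:
    """What a scraper does with such an endpoint: feed it a contact list and
    keep every hit. Against lookup_vulnerable every registered contact yields
    a handle; against lookup_hardened only opted-in ones do."""
    return {c: h for c in candidates if (h := lookup(c)) is not None}


class Throttled:
    """Second layer of defence: a per-caller lookup budget, so bulk
    enumeration is slow and visible even where some answers are allowed.
    The budget here is a plain counter; a production service would use a
    sliding window keyed on a verified caller identity."""

    def __init__(self, lookup: Callable[[str], Optional[str]], limit: int):
        self.lookup, self.limit = lookup, limit
        self.used: dict[str, int] = {}

    def allowed(self, caller: str) -> bool:
        return self.used.get(caller, 0) < self.limit

    def __call__(self, caller: str, contact: str) -> Optional[str]:
        if not self.allowed(caller):
            raise PermissionError(f"lookup budget exhausted for {caller}")
        self.used[caller] = self.used.get(caller, 0) + 1
        return self.lookup(contact)


if __name__ == "__main__":
    probes = ["alice@example.com", "bob@example.com", "+15550102", "nobody@example.com"]
    print("vulnerable:", scrape(lookup_vulnerable, probes))
    print("hardened:  ", scrape(lookup_hardened, probes))
```

Run against the same probe list, the vulnerable lookup returns a handle for every registered contact while the hardened one returns only the two opted-in users, which is the difference between a feature and a 5.4-million-account scrape. The throttle does not fix the leak on its own; it only makes a bulk run slower and noisier, which is why it sits beside the opt-in check rather than in place of it.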
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI. Now that's a new
way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives,
and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And it is always my pleasure to welcome back to the show Rick Howard.
He is the CyberWire's Chief Security Officer and also our Chief Analyst.
Rick, great to have you back.
Hey, Dave.
So on your CSO Perspectives podcast this week, you are highlighting a topic called FinTech.
And that phrase pops up all the time as I'm reporting the news. But I have to admit that
I am less than crystal clear on exactly what it means. So can you clarify it for us here?
What's going on?
Sure.
So it's kind of like a general term, this "x-tech."
It's new technology that seeks to improve and automate services like in various sectors. You've heard of agri-tech for agriculture, ed-tech for education, ad-tech for marketing.
FinTech is for financial services.
The FinTech ecosystem has been around for years,
but just recently, venture capitalists have been investing huge wads of cash into FinTech startups
to take advantage of this new thing called Web 3.0, all this new innovation going on there,
which is essentially taking the middleman out of the equation, like the banker,
and maybe using blockchain technology
to do it. So in this episode, I'm going to talk to two fintech experts, because I had no idea what
it was until we started talking about this. They're both from Akamai, so they'll tell us
what's going on.
Shouldn't it be fintech? It's financial. I don't mean to be pedantic, but maybe a little bit.
Maybe FinTech, yeah.
It is spelled FinTech.
It's financial.
I guess if you called it FinTech, people would think it was about finding people.
So, all right. The two Akamai guys said it was FinTech, so we'll go with them.
All right.
Yeah, no, no.
I definitely bow to their expertise.
All right.
Well, that is for our CyberWire Pro subscribers.
What's going on over on the CSO Perspectives public podcast feed?
Yeah, so that's the ad-supported side where we are publishing old episodes of the Pro version.
And this week, we're talking to Bob Turner, the education field CISO at Fortinet,
and Kevin Magee, the Microsoft CSO for Canada,
about how they talk to their customers
about orchestrating the security stack.
And that particular subject never gets old.
There's always something new going on there.
Yeah, absolutely.
All right, well, last but not least,
how about the word of the week
over on the Word Notes podcast?
Well, Dave, I may have mentioned on this show
from time to time, you know,
that I regularly get my backside kicked
by seven-year-olds
playing my favorite video game, Fortnite. And it has occurred to me that maybe my losing record
is not because I'm such a bad player, but maybe it's because the seven-year-olds are cheating.
Okay. I'm just saying, how could they be that good? I'm just saying.
Oh, Rick. Poor, poor, sweet, innocent Rick.
Just saying.
Okay.
Well, so for this week's phrase on WordNotes, we're talking about anti-cheating software from the gaming vertical.
So that should be fun.
All right.
Very good.
Once again, Rick Howard is the host of CSO Perspectives.
That is part of CyberWire Pro.
You can find out all about it on our website, thecyberwire.com.
Rick Howard, thanks for joining us. Thank you, sir.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total
control, stopping unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and securely. Visit ThreatLocker.com today to see
how a default deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Andrea Little Limbago. She is Senior Vice President for Research and Analysis at Interos. Andrea, always great to welcome you back to the show. I want to
touch base with you today on some of the things we're seeing when it comes to industrial policy
and how that intersects with some of the
work you're doing as a social scientist. There's some interesting developments going on around the
world. No, there really are. And for a long time, industrial policy really isn't the most
exciting thing to be discussing. And really what we mean by that really is more so government
intervention in different aspects of the economy for national security or economic security purposes and really having a bit more of a hand in there as opposed to the complete free range of the market.
And what we're seeing a lot, largely driven by national security, is the steep rise of technology companies that are getting sanctioned due to national security
concerns. And so that's exactly where that intersection is. It's that the technology
concerns over surveillance, data access, data manipulation, the tool being used to help
protect against that in the United States and Europe is industrial policy via a range of
sanctions. And so that is really a fascinating area to be looking at.
And from 2019 to 2020, about 350 different Chinese companies
were sanctioned by the United States alone
and by the Department of Commerce alone.
So that's not even counting some of the Treasury sanctions.
This was solely from Commerce.
And a large part of those were technology companies.
And then we're seeing with Russia's invasion of Ukraine,
we really are seeing that sort of the foundation that was established with the approach to China being applied to Russia.
And over 600 different Russian companies have now been sanctioned by the U.S. since Russia's invasion of Ukraine.
The U.K. has sanctioned over 100 different Russian companies.
And so it's not just the U.S. doing this. We're starting to actually see, in the case of the Russian sanctions, much greater coordination from, you know,
Australia, Korea, across the EU in pursuing various kinds of sanctions to serve as a symbol of,
you know, support for Ukraine and then also to harm both the Russian economy and Russian
technologies. And that's what we're seeing is that many of the Russian companies are starting to have a hard time getting access to certain parts that they need because of this strategy.
The FCC in the U.S. has listed Kaspersky as a national security threat.
Prior to that, it was only Chinese companies that the FCC had listed.
And so that's a shift now.
And, again, there's a whole school of thought that wants more information on that and so forth, and that certainly is understandable, and hopefully more information will be coming out in those areas.
but regardless I think this is what the government has stated as a concern, as their law
and for partners they're willing to deal with and so it does have economic implications
and implications for really technology writ large and for what
kinds of technologies are allowed in a corporate infrastructure.
Yeah, it's fascinating to me. And one of the elements I find interesting is that there seems
to be the political will, I guess, combined as part of the national security interest,
that there's going to be a little bit of pain here.
You know, as the U.S. decouples from some of the Chinese providers for 5G technology,
and as the EU decouples from Russia for some of their, you know, fossil fuel needs,
that's going to require some adjustments and things may cost more. It may be harder to get
things, but that's the value balance and equation that the nations are making.
It is, and it's interesting how much support there has been.
I think with Russia and Ukraine, it's a very visible and existential reason that various countries are willing to take some pain.
There's also the fear of Russian expansion and dependency on a country that is acting that way.
I think on the side of 5G,
there has been a whole lot more pushback,
especially from those who are going to have to actually implement
the rip and replace of Huawei, for instance.
And the government did, I think,
something along the lines of $1.8 billion in the U.S. to help offset those costs. And then just
recently, maybe even in the February, March timeframe of this year, the private sector came
back and said, well, our initial estimate was off. It's something closer to $5.7 billion to
rip and replace. But who's counting? Yeah, who's counting?
So the government is providing some support,
and that's why the government has to offset some of this
and to actually get compliance.
The government does need to combine the carrots and the sticks in this area.
Japan has provided a couple billion to their own domestic champions as well
to facilitate the replacement of the
Chinese technologies. And to your point, it's very, very expensive. And I imagine along the lines of
oil and gas in Europe, there'll be increasing support in that area. And not even adding on
top of this, in the past, we've talked about collective resilience. And this is exactly where
allies and trusted partners are so important that the U.S. has offered additional natural gas, and that comes with some
concerns over environmental impact and so forth, but almost putting that
aside, which you can't really put it aside, but just at a higher level, it does show greater
willingness of the U.S. to support Europe to offset some of their own costs as well
on that, and looking at this much more so as we're only as strong as
the collective group.
And if we can help build that resilience across like-minded countries, that will help offset a
lot of the costs as well. Because it is, it's going to be expensive. It's not going to be easy.
And it's going to be disruptive. And at the same time, if there can be replacements from,
the US can't create a replacement all on its own.
EU can't create replacements all on its own.
Japan, Korea, Australia can't on their own.
But doing it together can help offset some of the pain
a whole lot more, and hopefully building
an even more secure network.
Yeah, absolutely.
All right, well, Andrea Little Limbago,
thanks for joining us.
Clear your schedule for you time with a handcrafted espresso beverage from Starbucks.
Savor the new small and mighty Cortado.
Cozy up with the familiar flavors of pistachio.
Or shake up your mood with an iced brown sugar oat shaken espresso.
Whatever you choose, your espresso will be handcrafted with care at Starbucks.
And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security, huh?
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and
technologies. Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karp,
Eliana White, Puru Prakash, Justin Sabie, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan,
Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik. Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where
Domo's AI and data products platform comes in. With Domo, you can channel AI and data into
innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate
your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.