By the CyberWire staff
CISA says no evidence of successful foreign election hacks.
Now that voting in the US elections has closed, the US Cybersecurity and Infrastructure Security Agency (CISA) has announced that "we have no evidence any foreign adversary was capable of preventing Americans from voting or changing vote tallies." CISA credits good preparation, good interagency collaboration, and a sound whole-of-nation approach with the successful defense of the election against foreign meddling.
Senior officials at CISA on Tuesday tentatively attributed the relative lack of foreign adversaries' action against US elections to "deterrence by denial," but they also credited US Cyber Command's "hunt forward" operations with having made a significant contribution to election security. The Washington Post quotes the Cyber Command head and Director NSA, General Paul Nakasone, as confirming that his organizations took unspecified action against Iranian actors after the threatening email campaign that tried to fly a false Proud Boys flag was determined to emanate from Tehran. CNN reports that "hunt forward" operations extended to Russia and China as well.
For two years before Tuesday’s voting, US Cyber Command deployed “the whole spectrum of offensive and defensive measures” against threat actors in Moscow, Tehran, and Beijing, CNN reports. The New York Times says Cyber Command sent squads to Europe, Asia, and the Middle East to investigate tactics, techniques, and procedures. Deputy Commander Lieutenant General Charles Moore explained, “We want to find the bad guys in red space, in their own operating environment. We want to take down the archer rather than dodge the arrows.”
Returning to CISA, the Homeland Security agency executed a long-prepared national effort to secure the vote. CISA has for some time expressed the view that public engagement, through the media and directly online, makes an important contribution to cybersecurity. Through Election Day CISA held a series of six online media briefings, the first at 9:30 AM Eastern time and the last at 11:30 PM Eastern time, providing updates on election security and the perspective its virtual situational awareness room provided.
The good news, repeated throughout the day, is that no major cybersecurity threats surfaced during the voting. A senior CISA official said on Election Day, "We're treating today as if it's halftime." Since foreign cyber activity is largely taking the form of disinformation aimed at eroding confidence in the elections, CISA expects to remain on high alert until all votes are counted and certified in January. The agency stated on Wednesday, "We will remain vigilant for any attempts by foreign actors to target or disrupt the ongoing vote counting and final certification of results. The American people are the last line of defense against foreign influence efforts and we encourage continued patience in the coming days and weeks. Keep calm, continue to look to your state and local election officials for trusted information on election results and visit CISA.gov/rumorcontrol for facts on election security."
For more, see the CyberWire Pro Disinformation Briefing.
Ransomware gangs fail to keep promises.
Coveware's ransomware report for the third quarter of 2020 found that nearly half of ransomware attacks now involve data exfiltration and extortion. Notably, the security firm says it's identified instances of ransomware gangs leaking data after victims paid the ransom, or returning to demand additional payment:
"Coveware feels that we have reached a tipping point with the data exfiltration tactic. Despite some companies opting to pay threat actors to not release exfiltrated data, Coveware has seen a fraying of promises of the cybercriminals (if that is a thing) to delete the data. The below list includes ransomware groups whom we have observed publicly DOX victims after payment, or have demanded a second extortion payment from a company that had previously paid to have the data deleted / not leaked:
- "Sodinokibi: Victims that paid were re-extorted weeks later with threats to post the same data set.
- "Maze / Sekhmet / Egregor (related groups): Data posted on a leak site accidentally or willfully before the client understood there was data taken.
- "Netwalker: Data posted of companies that had paid for it not to be leaked.
- "Mespinoza: Data posted of companies that had paid for it not to be leaked.
- "Conti: Fake files are shown as proof of deletion."
Coveware advises against paying the ransom, but concludes that victims should treat these incidents as data breaches from the start, regardless of whether or not they decide to pay:
"Unlike negotiating for a decryption key, negotiating for the suppression of stolen data has no finite end. Once a victim receives a decryption key, it can’t be taken away and does not degrade with time. With stolen data, a threat actor can return for a second payment at any point in the future. The track records are too short and evidence that defaults are selectively occurring is already collecting. Accordingly, we strongly advise all victims of data exfiltration to take the hard, but responsible steps. Those include getting the advice of competent privacy attorneys, performing an investigation into what data was taken, and performing the necessary notifications that result from that investigation and counsel. Paying a threat actor does not discharge any of the above, and given the outcomes that we have recently seen, paying a threat actor not to leak stolen data provides almost no benefit to the victim. There may be other reasons to consider, such as brand damage or longer term liability, and all considerations should be made before a strategy is set."
Emsisoft's Fabian Wosar agrees with this view, telling KrebsOnSecurity, "Technically speaking, whether they delete the data or not doesn’t matter from a legal point of view. The data was lost at the point when it was exfiltrated."
For more, see the CyberWire Pro Privacy Briefing.
Maze announces retirement.
Malwarebytes notes that the Maze ransomware gang announced their retirement over the weekend, claiming on its news site, "We never had partners or official successors. Our specialists do not works with any other software. Nobody and never will be able to host new partners at our news website. The Maze cartel was never exists and is not existing now. It can be found only inside the heads of the journalists who wrote about it."
Malwarebytes is skeptical that the criminals are actually getting out of the game, noting that many of Maze's affiliates are shifting to the new Egregor ransomware. Like Maze, Egregor operators exfiltrate data and threaten to release it unless the ransom is paid, giving victims just three days to make a decision, according to ZDNet.
RegretLocker targets virtual hard drives.
BleepingComputer reports on a new ransomware strain, "RegretLocker," now being analyzed by several threat researchers. It’s got a simple, old-school way of communicating its ransom note. No fancy Tor portal, no bombastic gasconade, just a simple email saying, "Hello friend. All your files are encrypted. If you want to restore them, please email us."
RegretLocker was first noticed in October, and it’s still operating on a relatively small scale. It will, however, bear watching for some of its advanced features: it encrypts virtual hard drives and closes open files for encryption. RegretLocker gets around the challenge of encrypting a large VM disk by mounting a virtual disk file and individually encrypting each file.
Google Drive feature exploited to send phishing links.
WIRED describes a new scam, evidently the work of Russian organized crime, that phishes victims with invitations to collaborate on Google Drive documents. @JCyberSec_ on Twitter has an example of what the messages look like. Essentially, it's Google Drive spam, convincing in the same way earlier campaigns have abused Google Calendar invitations. Such notifications can bypass spam filters, and people are disposed to trust notifications that come from Google itself. While Google says it’s doing what it can to suppress this campaign, it does note the difficulty of providing foolproof protection from spam. David Emm from Kaspersky told WIRED, "It’s difficult for Google to do anything if the notification is coming from a legitimate account, which is, of course, easy to create."
New Kimsuky malware.
Cybereason says that CISA's recent alert concerning the Kimsuky APT led the security firm to uncover two new strains of malware being used by the North Korean threat actor. The first is a "modular spyware suite dubbed KGH_SPY that provides Kimsuky with stealth capabilities to carry out espionage operations." The second is the CSPY Downloader, which the researchers assess to be "a sophisticated tool with extensive anti-analysis and evasion capabilities, allowing the attackers to determine if “the coast is clear” before downloading additional payloads." Cybereason also identified the infrastructure used by the new tools, and says two of the phishing documents connected to this infrastructure referenced human rights violations in North Korea (a subject used in previous Kimsuky operations; DPRK intelligence services have an obvious interest in critiques of the regime's notorious human rights record).
For more, see the CyberWire Pro Research Briefing.
Blackbaud expects insurance to cover data breach expenses.
GovInfoSecurity reports that Blackbaud believes its insurance will cover much of the losses incurred by the data breach the company sustained earlier this year. Blackbaud's president and CEO Michael Gianoni said in an earnings call last week, "As can be expected, the security incident resulted in a number of legal claims and regulatory inquiries. We carry insurance policies that we believe will provide coverage for a significant portion of current and expected future losses and expenses related to the security incident, although this is inherently difficult to predict."
Blackbaud is a cloud provider that primarily serves charities, non-profits, and educational institutions. The company thwarted a ransomware attack in May 2020, but the attackers were able to exfiltrate data belonging to hundreds of Blackbaud's customers. GovInfoSecurity, citing the US Department of Health and Homeland Security's HIPAA breach portal, notes that the Blackbaud breach has impacted around ten million individuals in the healthcare sector alone.
More business news, including executive moves, can be found in the CyberWire Pro Business Briefing.
Patch news.
Apple has released patches for three vulnerabilities uncovered by Google’s Project Zero researchers, Ars Technica reports. The vulnerabilities were being actively exploited in targeted attacks in the wild. One could lead to remote code execution, another enabled kernel privilege escalation, and the third allowed for kernel memory leaks.
Google patched two vulnerabilities in Chrome that were under active exploitation, one of which could be used to achieve remote code execution, according to BleepingComputer. The company didn't share many details, stating, "Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed."
Crime and punishment.
Two more former eBayers, both executives, were indicted Tuesday on fifteen counts related to the alleged stalking, witness tampering, and destruction, alteration and falsification of records during the harassment of the mom-and-pop newsletter EcommerceBytes. James Baugh, formerly eBay's senior director of safety and security, and David Harville, formerly eBay's director of global resiliency, were the two former executives named, the Silicon Valley Business Journal reports.
Joshua Schulte's (second) day in court for espionage has been scheduled for June 7, according to SecurityWeek, after a jury found him guilty of contempt of court and making false statements but hung on allegations that he leaked CIA cyberweapons to WikiLeaks. The thirty-two-year-old coder has pleaded not guilty to the biggest breach in the history of the CIA, with his attorney arguing that "hundreds of people had access" to the database in question.
Aleksandr Brovko, identified as both a Russian national and as "formerly of the Czech Republic," has been sentenced to eight years in prison for his role in trafficking and monetizing botnets. Mr. Brovko in February pled guilty to conspiracy to commit bank and wire fraud. The US Department of Justice says that Brovko's botnets are thought to have cost victims more than $100 million.
Asia Times reports on the continuing legal struggle over Huawei CFO Meng Wanzhou’s extradition from Canada to the US. Arrested in Vancouver two years ago on a US warrant and charged with wire and bank fraud, obstruction of justice, and violating sanctions against Tehran, Meng is currently pursuing a due process legal strategy, according to BBC News. It has emerged that she was questioned for almost three hours before being informed that she was under arrest and permitted a lawyer. Her device passwords were also handed over to the police in another apparent violation of her rights. At issue is whether these steps were mistakenly taken or part of an arranged plan. Canadian officials insist the delay was a lawful attempt to follow protocol, preserve public safety, and establish the legitimacy of her detention, CTV News says. If Meng’s lawyers can reveal coordination with US authorities, however, it would bolster their case that the arrest was political. The suit could drag on for years and impact Beijing-Ottawa relations for decades. China has already retaliated by arresting two Canadians days after Meng’s apprehension.
Courts and torts.
The US Justice Department has seized more than $1 billion worth of Bitcoin (69,369 BTC) from a wallet associated with the now-defunct Silk Road criminal marketplace. According to a civil complaint, the IRS's Criminal Investigation unit determined that the funds had been hacked from the Silk Road in 2012 or 2013 by an unnamed "Individual X," whose identity is now known to the government. The hacker's online identity was also known to Silk Road founder Ross Ulbricht (currently serving two life terms in prison), who threatened the hacker for the return of the funds. Individual X refused and apparently left the money sitting untouched until this past Tuesday, when he or she signed a Consent and Agreement to Forfeiture with the US Attorney’s Office for the Northern District of California. The Justice Department notes that the action "represents the largest seizure of cryptocurrency in the history of the Department of Justice."
Policies, procurements, and agency equities.
According to Ballotpedia, Californians voted to approve a revision to the 2018 California Consumer Privacy Act (CCPA). The new statute, Proposition 24, establishes a Privacy Protection Agency and expands consumers’ rights. Upon demand, companies must now stop distributing consumers’ data and amend incorrect information. They have to provide an opt-out for targeted marketing, and can no longer avoid fines by curing violations. Businesses are also required to seek the consent of individuals under the age of sixteen—and guardians of individuals under the age of thirteen—before harvesting their data.
Singapore’s Monday amendment of its Personal Data Protection Act brought two main revisions, according to the Business Times. The maximum fine for breaches was increased, and organizations were given additional leeway over data usage, in an attempt to harmonize competing interests of consumers and companies. The bill highlights four primary goals: augmenting individuals’ autonomy, businesses’ responsibility, the bases for data handling, and the Personal Data Protection Commission's (PDPC's) enforcement capabilities. Some worry that the higher penalties might drive away business.
For more, see the CyberWire Pro Policy Briefing.