The CyberWire Daily Podcast 8.11.21
Ep 1394 | 8.11.21

A $600 million alt-coin heist. LockBit claims it hit Accenture. A false-flag cyberespionage campaign. A REvil key is posted. AlphaBay is back. Facebook takes down vaccine disinfo campaign.

Transcript

Dave Bittner: Hey, everyone. We are continuing to build our team over here at the CyberWire, and we are looking to add to our marketing team. If you are a creative, results-oriented marketer or know someone who is, we'd love to talk to you. Passionate about podcasting and cybersecurity, too? Well, that's even better. Find out more at thecyberwire.com/careers.

Dave Bittner: A cross-chain attack steals millions in cryptocurrency. LockBit claims to have hit Accenture, but Accenture says with negligible consequences. Emissary Panda flies a false Iranian flag. Ekranoplan posts a key for the REvil strain used against Kaseya. AlphaBay has risen from the grave, sort of. Johannes Ullrich has thoughts on resetting 2FA. Our guest is Idan Plotnik from Apiiro on their win of the 2021 RSAC Innovation Sandbox Contest. And you can't fool us, you bought-and-paid-for influencers you - no vaccine is going to turn us into monkeys. 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, August 11, 2021. 

Dave Bittner: A cross-chain attack has hit decentralized finance provider Poly Network, with more than $600 million in alt-coin stolen. The Block assesses the total theft as greater than $611 million. The BBC puts the losses at $267 million of Ether, $252 million of Binance and about $85 million in USDC. Poly Network appealed to the thieves to return the stolen coin, and their Dear Hacker plea appears to have fallen on mildly repentant, or at least slightly fearful, ears. Poly Network tweeted that so far, they've received a total value of just over $4.7 million in assets returned by the hacker. So that leaves $599,227,000 and change out there still missing. 

Dave Bittner: Decentralized finance providers, or DeFi for short, enable users to shift tokens from one chain to another. The theft from Poly Network is probably the largest theft from a DeFi organization to date. Why the crooks would have returned even a fraction of their take, assuming it wasn't clawed back through misconfigured criminal wallets, is unclear, especially since it amounts to just a fraction of the total haul. There's plenty of speculation in Twitter. Poly Network told the crooks they know who they are and so on, but really, nothing is known for sure so far. 

Dave Bittner: The Block, which keeps tabs on this sort of thing, says the blockchain security outfit SlowMist said it knows the attackers' email address, IP information and device fingerprint and that it's offered to share these with Poly Network in the hope of achieving what SlowMist calls a happy ending. In the meantime, efforts are underway to block the stolen funds. 

Dave Bittner: Le Parisien reports that LockBit's operators claim to have executed a ransomware attack against Accenture. According to CNBC Washington correspondent Eamon James (ph), the attackers said they would shortly release some of the files they obtained and have offered to sell unspecified insider Accenture information to interested buyers. Since these early reports emerged, Accenture late this morning told ZDNet that, quote, "through our security controls and protocols, we identified irregular activity in one of our environments. We immediately contained the matter and isolated the affected servers. We fully restored our affected systems from backup. There was no impact on Accenture's operations or on our clients' systems," end quote. 

Dave Bittner: Security firm Mandiant describes a Chinese false flag cyber-espionage operation against Israeli targets. The UNC215 group, also tracked as APTA27 (ph) or Emissary Panda, represented itself as an Iranian threat actor working from Tehran. UNC215 was fastidious in its efforts to clean up its spoor, taking care to remove as many forensic artifacts of its activity as possible. 

Dave Bittner: It also sought to avoid attribution by flying a false Iranian flag, one that would likely be taken as genuine given the deep mutual distrust between Israel and Iran. Mandiant says, quote, "the use of Farsi strings, file paths containing Iran and web shells publicly associated with Iranian APT groups may have been intended to mislead analysts and suggest an attribution to Iran. Notably, in 2019, the government of Iran accused APT27 of attacking its government networks and released a detection and removal tool for HYPERBRO malware," end quote. 

Dave Bittner: In any case, the researchers unambiguously attribute the activity to Beijing, not Tehran, and explain that, quote, "UNC215 has compromised organizations in the government, technology, telecommunications, defense, finance, entertainment and health care sectors. The group targets data and organizations which are of great interest to Beijing's financial, diplomatic and strategic objectives," end quote. 

Dave Bittner: Security firm Flashpoint believes it's found a REvil decryptor posted to the Russophone XSS Forum by a threat actor going by the hacker name Ekranoplan. BleepingComputer reports that the key is specific to the variant used in the Kaseya attack and not a universal decryptor. The identity of Ekranoplan, which had no previous presence in the forum and which left soon after it posted the key, is unknown. Why Ekranoplan as a nom-de-hack? Well, an ekranoplan is - or was - a wing-in-ground-effect vehicle, neither aircraft nor ship nor hovercraft, but officially classified as a maritime vessel that was used in the late Soviet Union and early post-Soviet Russia. It looks like a big, snazzy flying boat, but it really isn't, since it's designed to fly in ground effect at an altitude of just a couple of meters. The most famous ekranoplan was a 550-ton job U.S. intelligence services admiringly called the Caspian Sea Monster. 

Dave Bittner: Remember AlphaBay, the big darknet marketplace that flourished from 2014 through 2017, until it was taken down by an international law enforcement operation? One of its principal administrators, who goes by the hacker name Alpha02 - real name Alexandre Cazes - was arrested and died by his own hand in a Thai prison while awaiting extradition and trial. AlphaBay sold all manner of contraband. Now, Flashpoint says, AlphaBay is being reconstituted by one of its other administrators, hacker name DeSnake. It's in part an homage to Alpha02, in part, of course, a moneymaking operation. DeSnake hopes to keep the market's virtual nose relatively clean with bans on advertising hit man services, guns, erotica, fentanyl, ransomware or COVID vaccines, which - pretty much everything. Also, no doxxing allowed, which leads one to wonder what kind of contraband this reconstituted AlphaBay is actually going to amount to. What are they going to sell? Counterfeit Tupperware, scalped tickets to curling events? Oh, and one other restriction - no activity related to Russia, Belarus, Kazakhstan, Armenia or Kyrgyzstan, which suggests something about which law enforcement operations DeSnake takes seriously going forward. 

Dave Bittner: And finally, Facebook reported yesterday that in July, it took down 65 Facebook and 243 Instagram accounts originating in Russia, but using the services of the U.K. marketing firm Fazze, which had been engaged in a coordinated effort to recruit influencers to spread COVID vaccine information. Fazze itself is now also unwelcome on Facebook's platforms. The effort apparently enjoyed only indifferent success, but the concentration on influencers was an interesting wrinkle. It's also how the campaign was unearthed. Reuters reports that Fazze approached various influencers with offers to pay them for distributing anti-vaccine content. And two of the influencers - one French, the other German - blew the gaff by complaining publicly about the approach. That prompted investigation and eventually ejection. 

Dave Bittner: The anti-vaccine themes were the familiar Russian wheezes about how the shots would for sure be turning people into chimpanzees, which, of course, we hasten to say doesn't actually happen. The campaign went Hollywood a bit and sought to use "Planet Of The Apes"-themed memes. And again, you can take it from us straight. Whatever the effects of COVID vaccines are, morphing recipients into apes would not be among them. We've kept a sharp eye out around Johns Hopkins, for example, and we're pretty sure we would have noticed any ape women or chimp men out and about. So nice try, Vladimir Vladimirovich, but no banana for you. 

Dave Bittner: One of the highlights of the annual RSA Conference is the Innovation Sandbox competition, where hopeful startups take the stage and make their case in front of a panel of seasoned industry luminaries as judges. This year's winner was Code Risk Platform developer Apiiro. Joining us to share what that winning experience was like is Apiiro CEO Idan Plotnik. 

Idan Plotnik: So as you know and everyone knows that the RSA Innovation Sandbox is the place to get recognition from professionals, top-tier leaders in the cybersecurity industry. I can tell you a secret. I tried in my previous startup, Aorato, that was acquired by Microsoft in 2015, and we didn't even get to the top 10. So it was (laughter) - it was exciting to pass the top 10 and finally win the contest. 

Dave Bittner: What sort of preparation goes into that presentation? I mean, this is - it's not a small task. 

Idan Plotnik: It's not. It was an orchestration of at least four or five people at the company. We worked so hard on recording and on the messaging and on the text itself, on the demo, that it will be super clear, and it will resonate to all the practitioners and the leaders that will hear or see the video. And we did a lot of work, like, day and night. And eventually, you know, you saw the outcome. 

Dave Bittner: What are your recommendations to other organizations who are considering entering the Innovation Sandbox? 

Idan Plotnik: So 1, they need to take into consideration that it's - I would say - I want to say a lifechanging event. Because the amount of traction that we got after winning the RSA Innovation Sandbox was amazing, both from, you know, customers and venture capitalists and also from talent, new talent that - you know, it's kind of a very important recognition for the company. This is one thing. 

Idan Plotnik: Second thing is to take into consideration that you need to invest a lot of resources. And it's not just yet another presentation that you prepare for, you know, a sales presentation. You need to differentiate yourself, not only in the technical capabilities, but also in the big picture, like, why the problem that you are solving is much bigger than all others in the competition. And we had an amazing, you know, companies out there. 

Idan Plotnik: This is basically what you need to take into consideration - one, the impact of winning. You need to have the fundamentals or, you know, maybe even more than the fundamentals. But you need a way to collect all this feedback that you will get after winning. And before that, you need to take into consideration that you need to invest a lot of resources. 

Dave Bittner: What was that day like when you were waiting for the results to come back? How were you feeling that day? 

Idan Plotnik: This was very emotional for all of the company, not only for me, you know, personally. A lot of people invested a lot of resources. And the culture in Apiiro is that everyone feels that it's kind of their baby, you know? They invested a lot of resources in the product, in the engineering, in the messaging, in everything around, you know, this success. And we were stressed. And everyone wanted to be there with me. I was sitting with a glass of wine in my house, just watching the - you know, the results. It was an emotional tipping point, you know, to get this result. And, you know, we had a lot of top-notch leaders as judges. Everyone, you know, in the judges are top-notch. And it was exciting, eventually, to see the outcome. 

Dave Bittner: That's a Idan Plotnik, CEO at Apiiro. 

Dave Bittner: And I'm pleased to be joined once again by Johannes Ullrich. He is the dean of research at the SANS Technology Institute and also the host of the ISC "StormCast" podcast. Johannes, always great to have you back. We want to talk today about two-factor authentication and in particular, what happens when you have to reset those passwords. What can you share with us today? 

Johannes Ullrich: Yeah. So, you know, we all like two-factor, multifactor authentication, and we all have these little apps with dozens of tokens stored in them. But what happens when you lose your second factor? And that actually sort of happened to me a while ago with my online banking. They actually gave me one of those physical tokens that often has the different number that shows up every 30 seconds. And it failed. It literally failed. I think I washed it. But anyways... 

(LAUGHTER) 

Dave Bittner: Sent it on a trip through the washing machine (laughter). 

Johannes Ullrich: Washing machine. It no longer worked. So I still, for some reason, want to get to my money. 

Dave Bittner: Yeah. 

Johannes Ullrich: So I called up the bank and figured out, you know, how do I replace this? And what I sort of expected is that they're just going to mail me a new one. But, of course, the problem here that you run into is that it takes a couple of days or so to receive that new token. So they actually just disabled the token and then allowed me, via their website, to order a new one. But the process to disabling the token, well, it was good old password reset questions, which we know don't really work well for passwords. And it's a real hard problem, I think, to solve. I also saw this a few years ago with Apple. Again, you know, my phone broke down, and I used my phone as my second factor for Apple. And I couldn't find it right away that - the reset code they give you. Now, they give you one of those reset codes. But, of course, I had it stored on my phone. 

Dave Bittner: Right. Of course. Right. 

(LAUGHTER) 

Dave Bittner: It's convenient there. 

Johannes Ullrich: And I didn't remember exactly where I had - I had it printed it out in the end, so it wasn't that bad. But actually, what Apple back then told me was, hey, just set up a new Apple account kind of (laughter). Never mind all sort of the different software and such that I had associated with the old account. So there doesn't really seem to be a great solution for this. Everybody use these emergency codes, but then again, you're going to lose them as likely as you're going to lose your primary token. And I feel like if you never used those emergency codes, then, you know, once you need them, you forgot where you put them. So one workaround here maybe - if you're using these emergency backup codes, every so often, ask the user for one of them just to remind them where they are while they still have their primary token. And, you know, then at that point, if they can't find them, if they lost them or whatever, they can always issue new ones because they still have their primary token. 

Johannes Ullrich: But that's sort of one little measure here to implement to make it less likely that these backup factors get lost. And, you know, then when you implement two-factor authentication, definitely think through that process. What are you going to do that's reasonable from cost perspective? I heard some rumors that with Apple you can go with your ID to the Apple Store - haven't tried that yet. But, you know, that's a fairly costly process. Not every company has stores all over the country... 

Dave Bittner: Right. 

Johannes Ullrich: ...Where you can do that. Maybe banks could do that with branches. But, you know, how many banks still have branches out there? And even then, you know, you're not necessarily close or convenient to one of those locations. So think that through in particular when you're relying on a hardware token like these YubiKeys or things like this for web authen. Allow users to register, like, two or three tokens because they tend to break. You know, you - if you expect people to carry them around with them all the time, they'll fall into the pool or stuff like this. So stuff happens to them, and you need to allow for a backup to exist. 

Dave Bittner: Yeah, that's interesting. I mean, I - what I have taken to do is I have a backup version of YubiKey. And there's a place in my house - it's sort of an out-of-the-way place, but I actually have it stuck to the wall, you know, hanging off a hook so that if I need it, that's where it is, you know? (Laughter). 

Johannes Ullrich: Yeah. Yeah. 

Dave Bittner: But I'm - I want to swing back, though, with your bank. I mean, what good is two-factor if you can just call them up and answer a few questions and they disable it? 

Johannes Ullrich: Correct. And that's - it's pretty much the same question they would ask me if I would have lost my passport, for example. 

Dave Bittner: Right. 

Johannes Ullrich: So I was pretty much - I didn't push it so - to check whether... 

Dave Bittner: Yeah, yeah. 

Johannes Ullrich: ...I could use the same answers to also reset my passport at the same time and sort of completely take over my account. Now, the questions weren't bad kind of. They were sort of, you know, your last transaction, your bank balance and what banks typically do for these questions. But again, you know, you're trying to defend against a little bit more sophisticated attackers here with these tokens. So you're kind of getting back to single-factor, things that you know again. So that thing you have really doesn't have that much value in the end. 

Dave Bittner: Yeah. No, it's definitely something worth thinking about when you implement these sorts of things. Johannes Ullrich, thanks so much for joining us. 

Johannes Ullrich: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Tre Hester, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.