Possible consequences of Afghanistan’s fall to the Taliban. Non-state actors’ political motives. Poly Network rewards “Mr. White Hat.” C2C offering will check your alt-coin. Breach at T-Mobile?
Dave Bittner: The Taliban has effectively taken control of Afghanistan, and the fall of Kabul is likely to have a quick, near-term effect on all forms of security. The Indra Group's actions against Iranian interests suggest the potential of non-state, politically motivated actors. Crooks return almost all the money rifled from DeFi provider Poly Network. A new C2C service tells hoods if their alt-coin is clean. DeepBlueMagic is a new strain of ransomware. Chris Novak from Verizon on advancing incident response. Rick Howard is taking on Orchestration in this week's "CSO Perspectives" podcast. And T-Mobile investigates claims of a data breach.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, August 16, 2021.
Dave Bittner: The Taliban yesterday took Kabul and announced, from the presidential palace, the restoration of the Emirate of Afghanistan. The effective collapse of Afghanistan's government Sunday and the country's general fall to the Taliban obviously represent a humanitarian disaster. U.S. President Biden intends to address the fall of Kabul later this afternoon.
Dave Bittner: The details of the Taliban's swift return to power after the withdrawal of U.S. forces are beyond the scope of our coverage, but the implications of the fall of Kabul for cybersecurity will become clearer over the coming weeks. ABC News reports that, from the U.S. point of view, it seems to have been more policy failure than intelligence failure, or at least an intelligence failure in the sense that, as sources in the U.S. Intelligence Community said anonymously, their assessments were disregarded.
Dave Bittner: General Sir Nick Carter, Chief of the U.K. Defense Staff, told ABC News that the situation would inevitably embolden Islamist radicalism both in Afghanistan and elsewhere.
Nick Carter: If we end up with a scenario where the state fractures and you end up essentially with a security vacuum, then there's absolutely ideal conditions for international terrorism and violent extremism to prosper yet again.
Dave Bittner: Go to ABC News and listen to the entire interview.
Dave Bittner: The Taliban's ascendancy may also augur an increase in newly emboldened Islamist activity in cyberspace. Historically, that had been largely concentrated on recruitment and operational planning, then on radicalization and inspiration and, of course, on website defacement. Website defacement is unlikely to rise above the nuisance levels it achieved earlier. Whether sufficient talent has or will be attracted to the movement to mount more disruptive or destructive attacks remains to be seen.
Dave Bittner: And of course, a surge in radical inspiration in cyberspace can be expected to follow any Islamist success, and the fall of Afghanistan is a major Islamist success indeed.
Dave Bittner: An example of what a non-state actor can accomplish in the ways of politically motivated cyberattacks may be seen in Iran's recent experience. Security firm Check Point has more on the Indra Group, an Iranian opposition group it believes to have been responsible for recent cyberattacks affecting Iran's rail system. Some of the effects amounted to taunting defacement in station message boards, but Check Point says that there was more to it than that. The group deployed wipers against some of its targets, and the code suggests that they were also behind operations against a range of companies in Syria during 2019 and 2020. The company said, quote, "Check Point analyzed artifacts left by the cyberattack on Iran's train system, learning that the attack tools were technically and tactically similar to those used in malicious activity against multiple companies in Syria," end quote.
Dave Bittner: The New York Times thinks the incidents illustrate the growing capability of non-state actors. Quote, "An opposition group without the budget, personnel or abilities of a government could still inflict a good deal of damage," end quote.
Dave Bittner: The Wall Street Journal reports that the thieves have returned almost all of the over $600 million taken from Poly Network. All but about $33 million has been returned, with the outstanding balance entirely in Tether tokens that Tether had frozen in an attempt to recover its funds.
Dave Bittner: Reuters confirms that Poly Network has offered the hackers a $500,000 bug bounty. The company has also publicly thanked the hacker, whom they refer to as Mr. White Hat, for helping them improve their security.
Dave Bittner: A question - is this a case in which the distinction between a bounty and an extortion payoff amounts to a distinction without a difference? It seems unlikely that a criminal would swap $600 million for 500,000. So the crooks may have felt the approach of the law and decided that discretion was the better part of valor. On the other hand, half a million bucks is an awfully big bounty. We imagine that there's more to this story.
Dave Bittner: As authorities and victims of various forms of online fraud have shown an ability to track and claw back ill-gotten alt-coin, a subsector of the C2C market has emerged offering to verify that cryptocurrency being used for illicit purposes is clean, untrackable and unrecoverable. The BBC reports that the analysis firm Elliptic has found and looked into a service on the darknet that's designed to do just that. Elliptic told the BBC, quote, "It's called Antianalysis, and criminals are now able to check their own Bitcoin wallets and see whether any association with criminal activity could be flagged by authorities," end quote. So far, it's imperfect. But of course, that can be expected to change should Antianalysis' proprietors be left unmolested to improve their product.
Dave Bittner: Heimdal, the security company named for the Guardian of Asgard's rainbow bridge, late last week described a new strain of ransomware, DeepBlueMagic, that abuses a legitimate third-party disk encryption tool by initiating but not finishing the encryption process. DeepBlueMagic disables security software before beginning encryption, subsequently deleting its own executables, rendering it resistant to forensic analysis. Heimdal says that it's found a way of restoring affected systems, but DeepBlueMagic will bear watching.
Dave Bittner: Various ransomware gangs are actively exploiting the PrintNightmare Windows vulnerability, CyberScoop reports. CrowdStrike, last week, reported that Magniber operators were using the vulnerability against targets in South Korea. A little later, Cisco Talos described how the Vice Society, a criminal group that made its creepy bones by hitting school districts and health care organizations, has also turned to PrintNightmare. This particular vulnerability has proven unusually difficult to fix. Microsoft - and we disclose that Microsoft is a sponsor of the CyberWire - has both patched various aspects of the Print Spooler issue and recommended that users disable this particular service.
Dave Bittner: And finally, T-Mobile is investigating a criminal's claim to have breached a very large set of customer data, possibly 100 million fullz, held by the mobile company, Reuters reports. As we speak today, that investigation remains in progress. And we'll have some updates and industry reactions in this afternoon's Pro privacy briefing. One effect of the story, however, was already evident by late morning. Barron's reports that T-Mobile stock was down by 3.5% in early trading.
Dave Bittner: And joining me once again is Rick Howard. He is the CyberWire's chief security officer, also our chief analyst. But more important than any of that, he is the host of the "CSO Perspectives" podcast, which is part of CyberWire Pro. Rick, it is always great to have you back.
Rick Howard: Thanks, Dave. I appreciate that.
Dave Bittner: So on this week's "CSO Perspectives," you are talking about orchestration. Now, I'm going to go out on a limb here and assume you have not replaced Dimitar Nikolov as the musical director for the Philharmonia Orchestra in our great city of Baltimore. So what exactly is going on here, Rick?
Rick Howard: Well, you're right about that, Dave. I had just under three years - count 'em - three of my mom force marching me to accordion lessons when I was just a wee lad. So unless the...
Dave Bittner: I'm sorry.
Rick Howard: Yeah, I know.
Dave Bittner: Oh, boy.
Rick Howard: Unless they want to - you know, the people of Baltimore want to hear a 55-year-old rendition of "That's Amore" - OK? - I think it's best that I stay off the stage.
Dave Bittner: (Laughter) Were the young ladies lined up around the block when they heard you playing the accordion? I can only imagine.
Rick Howard: They absolutely did. Yeah. And yes, I want to make that perfectly clear to everybody. I said accordion lessons. Yes, that was - accordion.
Dave Bittner: OK. Well, I learned something new here today. And...
Rick Howard: (Laughter).
Dave Bittner: ...In addition to the endless pit of talent that you bring to the CyberWire, which never ceases to amaze me...
Rick Howard: (Laughter).
Dave Bittner: ...What exactly is going on here when we're talking about orchestration?
Rick Howard: Yeah, we're talking about orchestrating the security stack. And so how do you maintain and update with high velocity all of that software and hardware you're using to implement things like, you know, zero trust and intrusion kill chain prevention, resilience and risk forecasting?
Dave Bittner: Well, you know, I'm no expert when it comes to these things. But are you saying to me that security people shouldn't just remotely log into these systems and just start making changes manually?
Rick Howard: (Laughter).
Dave Bittner: I mean, come on. What is the better way?
Rick Howard: (Laughter) You know, sad face - I think a lot of people are still doing that - right? - because the crux of it is that there are many different approaches, but none have really caught on as the community's best practice that most of us are using. We have everything from using a standard DevOps model to using our sourcing tools to sort of bridge to the DevOps model, to installing a single vendor orchestration platform from one of the big firewall vendors and finally maybe moving our entire organization over to some SASE architecture. And I realize that I just threw a metric ton of acronyms at everybody, all right? So - but if they want to find out what all that means, they should just come listen to the show.
Dave Bittner: All right. Well, it is "CSO Perspectives." It is part of CyberWire Pro. You can find out all about that on our website, thecyberwire.com. And not only is he a chief security officer. He is an accordion player...
Rick Howard: The chief...
Dave Bittner: ...Accordion player extraordinaire.
Rick Howard: The chief accordion officer (laughter).
Dave Bittner: That's right. That's right. Rick Howard, thanks for joining us.
Rick Howard: You betcha, sir.
Dave Bittner: And joining me once again is Chris Novak. He's the global director of Verizon's Threat Research Advisory Center. Chris, it's always great to have you back. I want to touch today on incident response. I know you and your team have been focused on this lately. It's something where you're looking on advancing your capabilities there. What can you share with us?
Chris Novak: Sure. Yeah, always great to be on the show, Dave. Thanks again. So yeah, we're always looking to try to figure out what it is that we can be doing to evolve our capabilities, evolve the kind of outcomes that we can bring to clients when they're looking for help from an incident response perspective. And you know, when we look at things, you know, there's been the historical, traditional way of doing things. You'd go on site. You'd grab disk images. Heck, I remember back in the early days - I mean, these are real, real early days. I'm dating myself here. But we'd go on site with a, you know, a binder full of floppy disks to boot up a system. And then you'd have a hard drive. You'd try to pull that data down on it. It would take seemingly weeks to grab a forensic image. And obviously, things have...
Dave Bittner: Right.
Chris Novak: ...Evolved substantially since then. Things have gotten so much faster. But we're trying to obviously move away from that entire model altogether. Now almost everything we do is able to be done remotely. We're able to extract a lot of triage data from systems without ever having to actually physically lay hands on them. But one of the things we're trying to extend beyond that is, you know, obviously, everybody knows Verizon as a giant telco. One of the things we're trying to take advantage of is some of our new capabilities around things like 5G and how we might be able to integrate 5G connectivity and the speeds that that brings with our ability to provide a client with out-of-band data collection, right? So think of it as, you know, historically, if we had to pull a lot of data out of an environment for incident response purposes or we wanted to stream data out while there was maybe a live incident going on and we didn't want it going in and out, the same pipes are crossing the same east-west corridors within their network because, you know, maybe the threat actor's looking at it. Maybe the threat actor has access to some of their infrastructure. Being able to drop in, essentially, a 5G transmitter will allow us to actually be able to take that data and provide that organization with a complete out-of-band mechanism of us being able to interact with them and them being able to interact with us and being able to do it at, you know, gigabit-plus speeds. And that's something that just, historically, you just couldn't do before.
Dave Bittner: You know, the shift we've seen - I'd say the accelerated shift that we've seen to the cloud thanks to so many organizations responding to COVID - does that make your life easier, as well? As you say, you don't necessarily have to be on site.
Chris Novak: Yeah, it actually does. So I think that it makes our life easier in a couple of ways. One is, you know, a lot - we're finding an increasing number of organizations have either already moved or are in the process of moving to cloud and replicating data from their instance to ours for purposes of doing, you know, incident response or investigations. I mean, that is almost as simple as a button click. And the speed to do that is tremendous. So that has been, you know, I'd say a huge improvement that I think probably all of us in the incident response community have seen and seen for our clients. But then the other benefit we get out of that, as well, is Verizon had announced that we've got a pretty extensive partnership with Amazon Web Services as it relates to our 5G MEC capabilities. And so that actually goes one step further and says we not only have the ability to pull data at incredible speeds over 5G, but our 5G radio is literally connected right to the edge of an AWS environment. So we can either push or pull data between - think of it as a cloud environment over gigabit-plus out-of-band in and out of a customer environment just as seamlessly as we would do anything else.
Dave Bittner: Yeah, that's fascinating. I mean, I have to say, it's nice to hear of a specific use case for 5G. I think a lot - for a lot of us, that's been a little fuzzy till now. So it's interesting to hear a specific description like that.
Chris Novak: Yeah, and I mean, that was something that our team was always looking for as we said, hey, this is fantastic. You know, it's great for, you know, streaming more movies or all the other things people have talked about. But for us and my team as it relates to security, that out-of-band piece is critical. I mean, I'll give you a for-example. We had an organization that was suffering a fairly massive incident, and they needed some really bad help. And they were basically saying, look. They got to the point where they were basically saying that they were going to just shut down all of their internet connections worldwide. They said, look. We need to get this under control before this gets worse. We're just going to shut down all of our internet connections. But then the next question they had was, how do we get all of the necessary incident response data now out of the environment? Trying to do that all via sneakernet is really just not feasible. And we said, well, we could drop in wireless connectivity. And so we did some proof of concept around some of these areas to be able to say, all right, let's see what we can actually move in and out. We can drop in some of these things in strategic locations where we know we already have the 5G infrastructure in certain cities to be able to essentially pull that data out. And so that proof of concept was fantastic for us. I expect that that'll be something that will be integrated more formally into, you know, a lot of our offerings going forward, especially as it relates to incident response.
Dave Bittner: All right. Well, Chris Novak, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security, HAH. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. And check out the Recorded Future podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.