The CyberWire Daily Podcast 8.30.21
Ep 1407 | 8.30.21

Data breaches and ransomware. Another gang says it’s retiring. New warrants against cybercrime in Australia. Roles and missions in the US. Hoosier data?


Dave Bittner: A data breach and ransomware affect an airline's customers. The Phorpiex botnet operators say they're going out of business, and everything must go. New warrants for the Australian Federal Police in cybercrime cases. U.S. federal cybersecurity roles and responsibilities. Rick Howard takes on adversary playbooks. Josh Ray from Accenture Security on the Biden administration's cybersecurity executive order and what it means for product security. And Indiana warns of a COVID-19 contact tracking database exposure.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, August 30, 2021. 

Dave Bittner: Bangkok Airways disclosed at the end of last week that it had been the victim of an attack that compromised passengers' personal information, including name, nationality, gender, phone number, email, address, contact information, passport information, historical travel information, partial credit card information and special meal information. 

Dave Bittner: The airline is working with the Royal Thai Police and has offered advice, like the familiar but nevertheless sound counsel to change potentially compromised passwords and the also sensible warning to be alert for phishing or vishing attempts that might impersonate Bangkok Airways. They've also offered support in the form of helplines and dedicated email hotlines concerned customers can avail themselves of if they find they're in a jam over data or if they're simply concerned. 

Dave Bittner: ZDNet reports that the LockBit ransomware gang has claimed responsibility and threatened to release information if their ransom demands aren't met. An announcement DarkTracer found on the dark web said, using title case before a final switch to all caps, quote, "Bangkok Airways, We Have More Files - Extra plus 200 gigabytes - To Show And Many More Things To Say. ALL AVAILABLE DATA WILL BE PUBLISHED," end quote. 

Dave Bittner: LockBit says the deadline will expire today, but the gang has a track record of extending deadlines indefinitely, like a sophomore procrastinating on a term paper. They also have a track record of claiming to have data that they, in fact, do not, as they did most recently in their false claim of having hacked into Accenture. 

Dave Bittner: The Record reports that the Phorpiex botnet has shut down, and researchers at Cyjax have found that the botnet's proprietors are offering the source code for sale. If you're in the market - not that you would be - know that Phorpiex has a mixed reputation in the underworld. 

Dave Bittner: It's been profitable, with its spam module and ability to hijack cryptocurrency clipboards being consistent moneymakers. Phorpiex has also hired its botnet out for use by ransomware operators, among them Avaddon, a gang that's recently gone into hiding. 

Dave Bittner: On the other hand, Phorpiex's own security has tended toward the slipshod, with other criminals able to either uninstall it or even substitute their own payloads for those the proprietors intend to deliver. 

Dave Bittner: Phorpiex is the most recent criminal operation to announce that it's suspending its activities, going out of business. It's worth remembering that this sort of announcement as often as not signals a rebranding as opposed to a retirement. KrebsOnSecurity earlier this month offered a useful rundown of the ways in which criminal groups have morphed since this became a trend in 2014. A lot of the names will be familiar, and the successive identities are interesting. 

Dave Bittner: Vasa Locker became Babuk, which turned into Payload.bin. Defray777 became the cowboy-hatted, bandana-wearing desperado RansomExx. Sekhmet begat Maze, which begat Egregor. Hermes rose to fame as Ryuk, which is connected to the equally well-known Conti. BitPaymer got twice as bad as DoppelPaymer and then turned to Grief. Cerber became GandCrab and then REvil - or, if you prefer, Sodinokibi. DarkSide turned itself into BlackMatter. And finally, Gameover Zeus, also known as the Business Club, is now crawling the web as Indrik Spider. 

Dave Bittner: This long list of name changes isn't all that surprising. After all, it's not as if a criminal organization needs to take out a Doing Business As license or incorporate in Delaware. Just say you're now Jittery June Bug, and you're in business. 

Dave Bittner: A moral of this story is to take criminal announcements of retirement or professions of contrition and reform with the proverbial grain of salt - a big grain of salt. 

Dave Bittner: Australian Federal Police have received extraordinary authorities for the enforcement of laws against cybercrime in the form of three new warrants covering network activity, data disruption and account takeover. The authorities extend beyond investigation to disruption of criminal activity. ITnews says that the standard for issuing the warrants is that they be, quote, "reasonably necessary and proportionate," end quote. 

Dave Bittner: The Parliamentary Joint Committee on Intelligence and Security had recommended approval of the bill, which had the support of both the Liberals and Labor. The Greens have complained that authority to seize a person's account to gather evidence of serious crime, coupled with the ability to copy online material or even add, delete or alter it in order to disrupt criminal operations or collect intelligence, is the royal road to a surveillance state.  

Dave Bittner: The government, of course, disagrees, seeing the new authorities as necessary to dealing with the current transnational threats. 

Dave Bittner: U.S. cyber czar Chris Inglis sees his role fundamentally as an exercise in soft power, Politico reports. Among the things the national cybersecurity director intends to do in the budget reports he'll render OMB and Congress will be to draw attention to investments that are not on the books but that should be made, as well as inefficiencies in existing spending. 

Dave Bittner: He does see a role for regulation. Quote, "enlightened self-interest and market forces only get you so far," he told Politico. "There are going to be some critical functions where we must consider to what degree is it not optional to achieve a certain standard," end quote. 

Dave Bittner: Organizationally, although his shop is separate from the National Security Council and subject to closer scrutiny by Congress, Inglis sees no fundamental tension between his role and that of Anne Neuberger of the NSC. Their goals can be aligned, their roles and responsibilities easily deconflicted. 

Dave Bittner: And, finally, if you're a resident of the U.S. state of Indiana, you may well be receiving a letter from the Indiana Department of Health warning, with apologies, that almost 750,000 Hoosiers - that's what citizens of Indiana are called, we note for the benefit of our international audiences, Hoosiers - they've had some of their COVID-19 online contact tracing survey data improperly accessed. 

Dave Bittner: The data includes name, address, email, gender, ethnicity and race and date of birth. The state of Indiana believes the risk is relatively low, but there's a small but real chance of identity theft, and Indianapolis wants to help all Hoosiers protect themselves. 

Dave Bittner: And it is always my pleasure - I will go so far as to say one of the highlights of my week - to introduce Rick Howard, our chief security officer, chief analyst. Rick, you have a special "CSO Perspectives" this week. I know you've been looking forward to this. And the reason I know about this is because you've been talking about this for weeks on our CyberWire Slack channels. So why is this one so special to you? 

Rick Howard: Well, first, thanks for those kind words, Dave, and I will keep sending the monthly checks for you to continue to say nice things for me. 

Rick Howard: So let me answer the question this way. Have you ever come across an idea to solve some really hard problem that was so crystal-clear in your mind that you just knew as soon as people heard about it, adoption of it would be swift and unambiguous, and you would all be moving on to the next thing, but later, you are shocked to find that the entire world hasn't followed your lead? 

Dave Bittner: Like what you're talking about here. 

Rick Howard: (Laughter) Exactly. So, you know, things like don't iron the shirt while you're wearing it - you know, kind of a rule of thumb, right? 

Dave Bittner: OK. 

Rick Howard: You know, by the way, that's an actual warning label on some clothing because you know somebody actually tried to do that, all right? Or how about a line from one of our favorite movies, "The Princess Bride"? Never get involved in a land war in Asia, OK? 

Dave Bittner: Yeah. 

Rick Howard: Seems like good advice, all right? 

Dave Bittner: Yeah. 

Rick Howard: Or how about just take the damn vaccine already? I'm just saying, OK? 


Dave Bittner: Right, right. Right, OK. Once again, I will put on my hosting hat and say, how is any of this related to the current "CSOP" episode? 

Rick Howard: Well, I run across a lot of these ideas in my career - you know, cybersecurity ideas that were great but never saw the light of day. And I've generated a few of them myself over the years. But there's this one concept that I've helped develop that I refuse to give up on. It's called proactive defense and adversary playbooks. 

Dave Bittner: Rick, I have known you for years now, and you and I have talked about many of your ideas, your interesting ideas... 

Rick Howard: (Laughter). 

Dave Bittner: ...Ideas of varying levels of merit. So why is this particular idea so special? Why - some would say stick with it. Others would say, why can't you let it go? 

Rick Howard: Oh, it's a good - I should be following your advice. 

Rick Howard: The concept of proactive defense and adversary playbooks - it represents this idea that instead of focusing on blocking individual tools that bad guys use - you know, like malware or zero-day exploits - we instead build proactive defensive plans designed to defeat how specific bad guys operate in cyberspace. So in other words, we just don't only block a tool like EternalBlue that Sandworm used during the NotPetya campaign. Instead, we block the entire Sandworm attack sequence at every stage of the intrusion kill chain. 

Rick Howard: So with that elevated thinking, we are trying to defeat the adversaries like BlackMatter, you know, a ransomware group, or Stone Panda out of China, or even Cozy Bear out of Russia, not just the tools that they use. So in this episode, we explain with more detail about what this means, and we talk about the current state in our industry and why we've been slow to adopt it. 

Dave Bittner: All right. Well, I'm intrigued, and I look forward to hearing the rest of the story. That is the upcoming episode of "CSO Perspectives." It is part of CyberWire Pro, which you can find on our website, Rick Howard, thanks for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: And I'm pleased to be joined once again by Josh Ray. He's managing director and global cyber defense lead at Accenture Security. Josh, it is always great to have you back. As you and I are recording this, it's not that long after the Biden administration released their cybersecurity executive order. And I wanted to check in with you to see what in that order in particular caught your eye. 

Josh Ray: Yeah, thanks, Dave, and glad to be back. So, you know, really, we believe at Accenture that this executive order is probably the most ambitious U.S. cyber policy directive we've seen. We really expect it to have significant impact on federal government, private sector and the local government. 

Josh Ray: But, you know, one of the things that really has jumped out to me is the product security aspect of it - right? - the ability for the CEO to drive significant changes in companies' secure software design and readiness operations. And we think that if the industry and government, you know, really follow through on this promise, it will definitely raise the security bar for everybody, both improving the resilience for U.S. companies and subsequently, you know, the resilience of our country at large. 

Dave Bittner: Well, based on what you've seen in the executive order itself, how do you suppose those specific things might be rolled out? What might we see? 

Josh Ray: Yeah, so one of the things I'm very encouraged about is part of the order that focuses on software and hardware product design requirements and really requiring companies to provide the government and, you know, other customers with that bill of materials that details the various code and components in a given product. This move, which I applaud the transparency, we really hope - hopefully give both the government and customers a better chance to proactively mitigate vulnerabilities before they get exploited. 

Dave Bittner: What do you suppose a realistic timeline is here? When might we see actual things, you know, hit the ground? When might we see real effects take place? 

Josh Ray: Well, I mean, the hope is that, you know, companies are not waiting for the stopwatch to start, right? And, you know, we think that product manufacturers and vendors and CISOs and CIOs really need to start taking a hard look at their strategy and their capabilities to meet these standards now. 

Josh Ray: And this is a very complex challenge, Dave. And we've observed clients who do this well focus on a couple of things. They integrate product security into their strategy, their road maps and their current and future business objectives. So they're aligning their product security with the ultimate success of their business. 

Josh Ray: And secondly, they embed product security practices into their engineering life cycles from early planning through launch - right? - so that all of the generations of their product remain secure and reliable. And this really ultimately helps them extract the most value out of that product as well. 

Dave Bittner: Do you suppose this is going to be a competitive advantage for the companies who are able to take the lead in this? 

Josh Ray: Absolutely, yeah. No, first movers on this, I think, is - are going to benefit. It's going to accelerate their time to market. I think it's going to definitely increase the trust that the government, as well as customers, have in their product. And it's also an opportunity - right? - to really build improved security capabilities that can support future business plans (ph). And this will allow for really more direct focus on innovation and ultimately product differentiation. 

Dave Bittner: Well, Josh Ray, thanks for joining us. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.