A look at cyber gangland. Sino-Australian tension in cyberspace. Vulnerabilities reported (and disputed) in a home security system. Labor Day warnings.
Dave Bittner: Ransomware continues to hold pride of place in cybercrime. A look inside the mind of cyber gangland - or at least that portion of their mind that they're willing to expose. Business email compromise operators look for communication skills, and the underworld seems to think university students make good money mules. Reports of vulnerabilities in a home security system. Canberra angers Beijing. Caleb Barlow has thoughts on the FBI response to MS Exchange vulnerabilities. Our guests are Peter Singer and Lisa Guernsey on New America's Teaching Cyber Citizenship initiative. And CISA and the FBI advise being alert over Labor Day.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 1, 2021.
Dave Bittner: Ransomware continues to remain at or near the top of defenders' concerns. Research released by the NCC Group has found what the security researchers characterize as a threefold increase in targeted ransomware attacks so far this year, and they note the now-familiar trend toward double extortion. Ransomware incidents are now routinely also data breaches, and both the criminals and their victims bring that expectation to their interactions.
Dave Bittner: So what are the ransomware gangs thinking? Flashpoint looks at Russian sources in the forum OSINT who've been talking to the LockBit gang, the outfit whose most recent caper has been the attack on Bangkok Airways. Among other things, LockBit dismisses reports that they're under law enforcement pressure. Short of kicking down doors and slapping on the cuffs, who cares? LockBit explains, quote, "We did not feel the pressure of the security forces. The pressure of the security forces can be felt only when they have already come to you with a warrant and jumped into your window. It is impossible to put pressure on us with other methods," end quote. So they take down your infrastructure. So what? Get more of it - just a cost of doing business. Sure, it disrupts you for a while, but you get up and get back in the game.
Dave Bittner: Are the gangs concerned about the law? I mean, what if governments made it illegal for companies to pay ransom? To gangland, that's not a problem. The hoods confidently predict that there will be no law that prohibits companies to pay a ransom. Information is often strategically important. Having lost data to encryption, this means loss for a company or at least the leading position in the market. This will cause serious damage to the country's economy. The authorities will not take such a drastic step. They see the insurance market as a hedge against their own risk, as well as the risk their victims face. In the U.S., they say, insurance in this area is very well developed, and it is here that most of the richest world companies are concentrated. They've had little difficulty recruiting talent, despite attempts by various gray-market fora to deny access to ransomware operators. They enjoy a big reputation in criminal circles, says LockBit, and they don't need mass-market advertising campaigns to let people know they're hiring.
Dave Bittner: And what about the frosty relations that currently exist between Russia and most of the West? LockBit says, the nonfriendly relations of the West are beneficial for us. It allows us to conduct such an aggressive business and feel calm being in the countries of the former USSR - that is, bad relations make privateering easier. But the main attraction Western targets hold for them, they say, is wealth. They pick their victims on the Willie Sutton-esque grounds that they'll follow the money. Besides, they're patriots, too, and don't like to see Russia bad-mouthed. As LockBit says, all media are controlled and not apolitical. Russia is presented in the West as an aggressor and the main enemy. Therefore, it is beneficial for the West, at any opportunity, to accuse Russia of all sins in order to form a negative opinion about the main enemy, and it is absolutely not necessary that these accusations be substantiated. Towards China, the West behaves the same way.
Dave Bittner: Finally, they, like many others, are on a journey of self-actualization. They love their work. They have passion, as legitimate types out in Silicon Valley are wont to say, and money won't buy happiness. But, we might note, neither does crime appear to beget guilt and guilt beget sadness. Whatever else is going on, there's a failure of imagination concerning the effects of their crimes on their victims.
Dave Bittner: Ransomware isn't the only criminal activity to flourish in the underworld markets. Security firm Intel471 has issued an account of the way in which underworld criminal markets have commodified business email compromise attacks, now adapted for and available to even the meanest criminal understanding. But it's not necessarily the technical chops that are in demand when BEC gangs look for collaborators.
Dave Bittner: Among the skills actively sought in the criminal job boards are strong communication skills. Native speakers of English are particularly valued. This is unsurprising given the place social engineering plays in business email compromise. The scruffily composed email lacks the persuasive sheen needed to induce people to act against their interests. So if you are good at business communication, you may have a big criminal future ahead of you - not, of course, that you'd want that. Another service in demand is the lower skill of money laundering. Researchers at security firm Mimecast report seeing an increase in spam campaigns seeking to recruit university students as money mules. Recruiting is often a two-step process. First, the criminals compromise a student's email account, including their address book, and then send the student's contacts emails, offering them a future in the exciting world of, well, however you describe being a money mule. I don't know. They seem nice, and the work seems easy, right?
Dave Bittner: Rapid7 yesterday disclosed that multiple vulnerabilities affect the Fortress S03 Wi-Fi Home Security System. Rapid7 disclosed the vulnerabilities three months after reporting them to Fortress, during which time Rapid7 says it received no acknowledgment from Fortress. Lawyers representing Fortress told TechCrunch that Rapid7's claims were false, purposely misleading and defamatory, but they were short on details.
Dave Bittner: Bloomberg has an account of an upsurge in cyberattacks against Australian targets, largely government agencies and universities. Their conclusions point to China and see the precipitating event as Prime Minister Morrison's call in April of 2020 for an international investigation into the origins of the coronavirus. The call was not to Beijing's pleasure, and the response was delivered in cyberspace.
Dave Bittner: Le Devoir reports that Quebec's Ministry of Health is assuring citizens of the province that the QR codes used in its vaccine tracking system are safe. The reassurance comes after Crypto.Quebec reported that QR codes associated with prominent political figures had been compromised, with attendant exposure of personal data.
Dave Bittner: And finally, the FBI and CISA warned, as the U.S. Labor Day holiday approaches this weekend, that holidays have commonly been occasions for heightened rates of cyberattack. BleepingComputer offers a rundown of such correlations. Eric Goldstein, executive assistant director for cybersecurity at CISA, said in an email that we and other outlets received, quote, "Ransomware continues to be a national security threat and a critical challenge, but it is not insurmountable. With our FBI partners, we continue to collaborate daily to ensure we provide timely, useful and actionable advisories that help industry and government partners of all sizes adopt defensible network strategies and strengthen their resilience. All organizations must continue to be vigilant against this ongoing threat," unquote. So as Labor Day approaches, enjoy, but be on your guard.
Dave Bittner: A group of scholars and researchers from the think tank New America recently released an education policy initiative titled Teaching Cyber Citizenship, bridging education and national security to build resilience to new online threats. On the CyberWire's "Caveat" podcast, I recently caught up with two of the report's co-authors, Lisa Guernsey, director of New America's teaching, learning and tech program, and Peter W. Singer, strategist and senior fellow. Lisa Guernsey starts our conversation.
Lisa Guernsey: My colleague and co-author on this report, Peter Singer, he's in the national security world. I'm in the education world. And the two of us were both recognizing at around the same time that there were some really big issues to grapple with when it comes to the way students, today's youth, but also adults, are taught about how to see and verify what's coming across their screens online and the social media platforms that they're experiencing and that this has real repercussions for national security, but it also has a lot of repercussions for what we're teaching students in school and how teachers are equipped to do that kind of teaching.
Peter Singer: So we obviously face major, major challenges when it comes to information threats. There's the traditional cyberthreat, so to speak, hacking the networks, but we also have what I've called in the past LikeWar, hacking people on the networks. It's the threat of misinformation, deliberate disinformation, conspiracy theory, hate speech - how that all comes together to damage our democracy, how it threatens public health, how it threatens individuals, how it expresses itself in extremism and terrorism; how it's also, though, just challenging to youth if, you know, they're trying to figure out - I've got an assignment to do a school report on who built the pyramids. And where do they go? They don't go to a world book on a shelf. They now go online. They go on YouTube. And, you know, within a couple of hops, they're being told that the aliens built the pyramids. And they didn't, for our listeners.
Dave Bittner: Lisa, can we do a little defining of terms here? I mean, what does the term cyber citizenship embrace? How broad a spectrum of things are we covering here?
Lisa Guernsey: Now, we see cyber citizenship at the intersection of three fields that are really starting to come together. One is media literacy, which involves everything from algorithmic literacy to just understanding, you know, authorship and who created what and why. But then the second field is civics and citizenship and, increasingly, digital citizenship. What does it mean to be a responsible participant in today's society? How do we do that online? And then the third field of cybersecurity and cybersecurity awareness. And these - the threats that Peter's just noted and that I know your audience knows so well, they involve everything from, you know, of course, privacy and security and encryption but, increasingly, are also about various kind of individual actors online trying to funnel people into places where they might be seeing more and more disinformation, conspiracy theories. And so how do we understand that threat?
Lisa Guernsey: So at the intersection of those three fields, that's where we see cyber citizenship. And it's that ability to have the resilience to understand and to fend off disinformation, misinformation and, also, increasingly, mal-information, where it may be information that is, in fact, true but was put out there to harm, to harm others. So it's starting to really understand that full landscape, and that's what we - I define as cyber citizenship.
Dave Bittner: You know, Peter, you mentioned that there are 50 states, and I think it's fair to say that right now we are in a particularly divided era for our nation. And indeed, you know, one person's education is another person's indoctrination, it would seem, these days. Is it a challenge to find a common denominator, to find a starting point for this sort of thing that everyone can agree on?
Peter Singer: You know, it's a great point, and that's why - I'm usually a pessimistic guy, but I'm very optimistic about this approach. And so, you know, let's look at the challenges of mis- and disinformation. You know, there - they play out in lots of different ways. The calls to deal with them get sucked into those divisive debates. So if you are expecting legal code change to solve this problem, good luck - we have an incredibly divided Congress that can't even agree on the problem, let alone the approach of it. In turn, if you are looking for the platform companies to solve this on their own, they're not going to. That's just the hard reality of it.
Peter Singer: So where does that leave us? It leaves us with this third space. What's great about it is that it's nonpartisan, and it respects people's First Amendment rights. So the First Amendment rights element of it, it doesn't tell people what to say or what not to say. It's not about that. It fully respects your First Amendment rights. It's rather about equipping people with the skills to navigate this increasingly digital world safely and effectively. And those skills, onto the nonpartisan side - and this is why, I think, you know, whether you're a D or an R, you can get after this - is that they matter, whether it's someone who's searching for information on the news to public health to - I think we can all agree we care about just our kids. I want the kids to have those skills.
Dave Bittner: My thanks to Lisa Guernsey and Peter W. Singer for joining us. There is much more to this conversation. I hope you will check it out over on the "Caveat" podcast. You can find that on our website, thecyberwire.com.
Dave Bittner: And joining me once again is Caleb Barlow. He is the CEO at CynergisTek. Caleb, it's always great to have you back. You know, this recent story about the FBI's response to the Microsoft Exchange Server issues, how they went and removed the backdoor, has been gathering a lot of attention. I wanted to check in with you to get your take on it. What do you think?
Caleb Barlow: Well, first of all, I mean, the geeky side of me, Dave, just thinks it's awesome...
Dave Bittner: (Laughter).
Caleb Barlow: ...In that, like, it's hard to come up with an opinion on this. On one hand, you can't not be impressed with the legal argument. And, OK, yes, I said lawyers were impressive in this case - not something you normally hear me say.
Dave Bittner: (Laughter) OK. Don't let it happen again.
Caleb Barlow: Yeah, don't let it happen again. But it is really impressive in the legal argument.
Dave Bittner: Right.
Caleb Barlow: On the other hand, it's really kind of scary of the - what door did we just walk through, and did we consciously do it? But here's the thing I think it really underscores. First of all, part of the reason why they did this is because it was going to be too hard and take too long to notify potential victims. And I think we all have to kind of take a pause at that and say, wait a second - how is it that it's too hard for a government to notify victims? Well, and I agree with them. It probably would be. We almost - you know, we're not - this isn't like the roadway, where cars have a license plate. Half the time, you have no idea where these servers are operating from. And that's - you know, that's the first thing that's a real problem.
Caleb Barlow: But the second thing that I think it really underscores, as we start to think about IoT and all these rogue devices that could have some malicious software installed on them - and we've seen examples of, you know, like in the Dyn DNS attack, where lots of IoT devices were taken over. Now, what happens if you can't get to these devices, if you can't turn these things off, if they turn into some massive botnet? Do we rely on government to go in and do the things that security researchers can't do?
Caleb Barlow: And remember; in this case, you knew how to get access to the device. You could either go in the same way the bad guy did or, like in the IoT case, usually it's default credentials - right? - default user ID and password. And, you know, we thought for years, shouldn't security researchers be able to enumerate where these devices are that have a default user ID and password? The problem is to figure that out, you have to violate laws - right? - because, you know, you're up against the Computer Fraud and Abuse Act if you try to log into a system without permission. The bad guys can do it, but the good guys can't. And I think this was the first example of where we saw the good guys kind of stepping forward a little to say, yeah, I'm getting on that system, and I'm going to fix this mess. And maybe we need to think about stretching our wings a little bit and allowing more of that to happen to at least enumerate where these rogue devices or endpoints or Microsoft Exchange Servers might be in the future.
Dave Bittner: A couple of things come to mind, you know, as I try to wrap my head around this. I mean, there's the analogy of, you know, if my house is on fire and I'm not home, the fire department's not going to wait for me to get home before they start fighting the fire, right? They're not going to wait to get my permission to start putting out that fire. That's clearly an emergency situation. But I guess, at a lesser degree, what if you have an abandoned property, and it's full of rats and problems and, you know, just - it's a blight on a neighborhood? Well, the government could come along and try to get that building condemned and torn down and - or whatever, you know. Which of those analogies do you think - if either of them - fits best for what we're seeing here?
Caleb Barlow: Well, I think both of them do, right? So in the case of the house on fire, let's say somebody's upstairs out the window screaming for help. The neighbor runs in to help, right? They weren't worried about breaking in the window or anything else. They ran in to help.
Dave Bittner: Right.
Caleb Barlow: In the same way, security researchers, when - you know, you can go out on Shodan and figure out where there's a whole bunch of devices that are likely vulnerable. The question is, which ones have default credentials? And my argument is, should we maybe take it to the next step and actually allow people to try logging in to go, wait a second - this device is not only vulnerable; it's out there with default credentials. I need to blacklist it. So this takes me right into your blight example - right? - of, I want to be able to declare this neighborhood bad. And the question is, who gets to do that? Does government get to do that? Do security researchers get to do that?
Dave Bittner: (Laughter).
Caleb Barlow: And there's a whole bunch of ramifications of who gets to do that. But here's the interesting point that I think the FBI demonstrated in this case - somebody needs to have the ability to do that. And up to this point, nobody really has.
Dave Bittner: Yeah. Who are your cyber firefighters?
Caleb Barlow: Exactly.
Dave Bittner: Yeah. Yeah. All right. Well, food for thought - Caleb Barlow, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.