Ransomware is rising, and governments try to evolve an effective response. A look at the cyber underworld. Snooping smartphones. An advance fee scam is criminal business as usual.
Dave Bittner: BlackMatter continues to make a nuisance of itself on a large scale. The U.S. is woofing about taking action against ransomware. And Treasury has sanctioned a rogue cryptocurrency exchange, but some advocate stronger measures. Where did all those Ukrainian cybercriminal chat platforms go? A warning of the censor mode in some Chinese-manufactured smartphones. Caleb Barlow shares thoughts on CMMC certification. Our guest is Kevin Jones of Virsec with reactions to the White House cybersecurity summit. And, hey, no, really, Apple is not celebrating the iPhone 13 by giving away a stash of bitcoin.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 22, 2021.
Dave Bittner: The BlackMatter ransomware privateers are currently active against several targets worldwide, Computing says. The gang's activities aren't confined to the high-profile attack against the NEW Cooperative agricultural organization in Iowa, which, according to The Washington Post, continues its efforts to recover.
Dave Bittner: One prominent infestation is affecting media marketing organization Marketron, BleepingComputer reports. Marketron, which provides revenue and traffic-monitoring tools for broadcasters and other media organizations, was still having availability issues this morning, the company's website said. Quote, "Marketron is experiencing a cyber event which is impacting certain business operations. Currently, all Marketron customers may experience an interruption in services as a result," end quote.
Dave Bittner: In addition to the NEW Cooperative and Marketron, BlackMatter, which emerged in what appears to have been a rebranding of the DarkSide gang after this May's crippling attack on Colonial Pipeline, has also hit, according to BleepingComputer, a wine and spirits company, an investment banking services provider in the U.S., a vendor of citrus juicing equipment in Austria, a maker of drilling and foundation equipment in Italy, Japanese technology giant Olympus, a U.S.-based construction company and a unified communications company in the U.K.
Dave Bittner: In the case of the NEW Cooperative, BlackMatter is threatening publication of a terabyte of the co-op's data - things such as invoices, R&D files and the source code to NEW's soil-mapping technology. The deadline to pay the $5.9 million in ransom demands falls on this Saturday, September 25, at which point the gang says it will increase the ransom and begin releasing stolen files.
Dave Bittner: NEW Cooperative has clearly been affected by the incident, but it's not entirely clear how compromise of the sorts of data listed in reports on the attack would cripple food production and distribution, especially since the co-op doesn't dominate midwestern U.S. agriculture - Central Iowa, yes, but while important, it's not a major player in other regions.
Dave Bittner: The U.S. response to continued privateering by Russophone ransomware gangs is still under preparation. U.S. President Biden's address to the United Nations' General Assembly yesterday touched on cybersecurity and, by implication, on ransomware. The president expressed a commitment to building international norms in cyberspace while also asserting that, quote, "we reserve the right to respond decisively to cyberattacks that threaten our people, our allies or our interests," end quote.
Dave Bittner: C-SPAN has the president's remarks.
(SOUNDBITE OF ARCHIVED RECORDING)
Joe Biden: We're hardening our critical infrastructure against cyberattacks, disrupting ransomware networks and working to establish clear rules of the road for all nations as it relates to cyberspace. We reserve the right to respond decisively to cyberattacks that threaten our people, our allies or our interests.
Dave Bittner: That's President Biden at the United Nations, as recorded by C-SPAN.
Dave Bittner: Diplomacy and better security cooperation only go so far, and presumably naming and shaming the organizations and individuals behind the keyboards in such attacks will only go so far. The Treasury Department's sanctions against the Russian cryptocurrency exchange SUEX for its role in laundering ransom payments suggest the direction sanctions are likely to take. And Treasury's action has met with generally positive notices from the cybersecurity sector, but there's a school of thought that these measures are effectively, at this point, half-measures at best.
Dave Bittner: Along these lines, a New York Times op-ed this week by Silverado Policy Accelerator chairman Dmitri Alperovitch argued that response to ransomware needs to become a lot more vigorous and assertive than it has been. Diplomatic leverage seems to have had little effect on Russian policy, where the gangs that operate at the sufferance of the authorities have continued to operate at an accelerated pace since the U.S. talked tough to Russia earlier this year. And the gangs that operate from Iran and North Korea, while smaller than the Russian privateers, are even less susceptible to influence by U.S. diplomatic pressure than are the Russian groups. Both countries are already heavily sanctioned, and further measures of this kind only amount to making the metaphorical rubble jump.
Dave Bittner: Alperovitch sees the successful cyber offensive Task Force ARES prosecuted against ISIS as a model for how to dismantle a hostile cyber infrastructure.
Dave Bittner: Quote, "the United States should build off the model used by Task Force ARES, targeting ransomware criminals' technical and financial infrastructure. Such a campaign could reveal personal details about the perpetrators, take down the ransom payment servers they are using to conduct operations, seize their cryptocurrency wallets and perhaps even introduce subtle bugs into their code that enable victims to unlock their data without paying a ransom," end quote.
Dave Bittner: Whatever might be done against them, the ransomware gangs have been very active recently. Security firm Positive Technologies wrote in their threatscape report for the second quarter of 2021, out this morning, that, quote, "the number of ransomware attacks reached stratospheric levels, accounting for 69% of all attacks involving malware," end quote.
Dave Bittner: Industrial and governmental targets were especially favored, and the retail sector saw a shift away from carding attacks to ransomware, which Positive Technologies interprets as a sign that the criminals are after a faster payout.
Dave Bittner: While the Russian underworld draws the most attention, other criminal subcultures are, of course, to be found. We heard yesterday about the Camorra-linked gangsters Europol rounded up in Spain and Italy this week.
Dave Bittner: Today, Digital Shadows released a look at the Ukrainian cyber underworld. A lot of the Ukrainian language fora, once well-known in the carding criminal subsector, have gone out of business. So what are those hoods up to nowadays in Ukraine? Apparently they're concentrating on bulletproof hosting, where Ukraine-based is said to be a mark of quality and security. There's also a lot of participation by Ukrainian speakers in Russophone chat rooms.
Dave Bittner: Digital Shadows describes the two languages as related but not mutually intelligible. Others might dispute this claim about mutual intelligibility. Our linguistics desk says that maybe mutually intelligible but easily distinguishable would be nearer the mark.
Dave Bittner: In any case, the Russians don't generally give their Ukrainian neighbors a good welcome in their chats, and they commonly ridicule the Ukrainian language, dismissing it as not up to dealing with the nuances of coding and hacking. It's like Heidegger pronouncing that philosophy could only be done in German or Greek, French and especially English being not all the thing.
Dave Bittner: Still, ethno-linguistic friction aside, Ukrainian hoods can bucket along in Russian criminal fora. One advantage of working on the Russian side is that the Ukrainian government, unlike the Russian security organs, isn't really in bed with the cybercriminals and cooperates with international partners in cyber law enforcement.
Dave Bittner: An audit by Lithuania's defense ministry of three Chinese-manufactured smartphones found security issues with two of them, the Huawei P40 5G and the Xiaomi Mi 10T 5G. The ministry recommended that users avoid the devices. Quote, "automated sending of messages and its concealment by means of software pose potential threats to the security of the devices and personal data. In this way, without the user's knowledge, device data can be collected and transmitted to remote servers," end quote.
Dave Bittner: The Xiaomi phone had a particularly intrusive censorship mode, The Record reports, which could detect and censor content based on keywords it found there. Censorship mode could be enabled remotely without the user's knowledge or consent.
Dave Bittner: The audit found no security issues with the third device tested, the OnePlus 8T 5G.
Dave Bittner: And finally, Zscaler has observed a surge in scams surrounding the iPhone 13 launch. As is so often the case, the grifters' come-on is a bogus cryptocurrency giveaway. Apple have allocated a total of 1,000 bitcoin to be given away. Learn how to participate, and don't miss out on your chance to get some.
Dave Bittner: It's always an advance fee scam. Deposit an amount in the proper wallet and you'll be repaid a big stack of altcoin. Of course, that never happens. And, no, Apple isn't celebrating the cryptocurrency markets and its new iPhone with an advance fee scam worthy of the widow of a Nigerian prince.
Dave Bittner: The Biden administration recently convened a White House cybersecurity summit with participation from some of the big names in the online security world - folks like Microsoft, Google, IBM and NIST. Kevin Jones is VP of public sector for Virsec, developers of software runtime security products. I checked in with him for reactions to the event.
Kevin Jones: Honestly, I was encouraged. And the reason for that is because this public-private cooperation to solve this cyber problem is desperately needed, and even if it didn't include the little guys like us, included some of the big names in tech that candidly have an opportunity to right the ship. So I think that this dialogue is imperative. You know, we can't turn the Queen Mary on a dime. Neither can we solve this cyber crisis - and that's exactly what it is, is a crisis - overnight. And so I think that's a really good step in the right direction.
Dave Bittner: Yeah. There's been some criticism out there that perhaps this event was more symbolic than anything. Do you think that's a fair criticism?
Kevin Jones: I think the criticism comes from the fact that big companies were invited. And I wouldn't view it as being - let's just say for a moment that it was symbolic. The reality is that it churned a conversation that, once again, is desperately needed. So irrespective of whether or not we're critics or fans, we're talking, and that's, candidly, a big step.
Dave Bittner: So what do you suppose has to happen now? What would you like to see in terms of next steps?
Kevin Jones: And I would like to see an approach towards just developing an entirely new mindset. I think that, you know, the security industry has just overgrown itself and made things extraordinarily complex. We don't believe that that's necessary. Virsec is taking a first principle approach to the problem, dissecting it down to its most basic attributes and trying to readdress it from there.
Kevin Jones: The challenge is that it's become such a huge issue that it's even - you know, there's even a language attached to cybersecurity. If you're, quote, "not in the business," you don't really understand all of these TLAs, the three-letter acronyms. And we're doing ourselves a disservice by taking the conversation to that point.
Kevin Jones: I think this is a business problem that's desperate in terms of the need to solve it. And we've overgrown the way that we solve this challenge. And so a new mindset, a reset, if you will, a moonshot is really what needs to be injected into the conversation.
Dave Bittner: Well, let's touch on investment and regulation then. I mean, what's the degree to which you think those dials should be turned?
Kevin Jones: Regulation is certainly something that's being looked at, I think, very seriously by the government because there is an awful lot of very big players out there who have been lax in their approach to cyber. And they would, of course, take issue with that statement. But it's difficult for us to deny reality when it hits us in the face every day on the headlines. So I think the regulatory component is important.
Kevin Jones: I think the investment is important. But, you know, the investment also goes both ways. So one of the outputs of this meeting, this summit was, of course, that two very large companies stepped up and gave a combined total of $30 billion into their protection of their own software. And they're also investing in smart ways into universities so that we can develop and train the next generation of cyber professionals. There's another that stepped in and is offering, you know, quite a bit of support towards training younger folks and getting cyber workers into the workforce.
Kevin Jones: I think these are great measures, but I think so long as we take the same approach to cyber - and I view these as being incremental - I don't believe that we'll solve the problem quickly unless we take a new paradigm, a new a new approach, if you will, again, a moonshot toward the problem. So I think there's a lot of work to be done, and it's going to take a heck of a lot more than the federal government and Big Tech to do it.
Dave Bittner: How do you get folks past the - that transitional period? You know, it strikes me that changing to a first principles approach is - I don't know - not unlike changing the oil while the engine is running.
Kevin Jones: I don't think we can land this ship - this airplane in the ocean right now. That's where we are. You know, we're kind of building the wings over the Atlantic. So I think you're right. You know, you can't exactly just stop it. So how do you integrate this - not only philosophy, but this capability into existing workloads without disruption? That's a key question.
Kevin Jones: It's something that, from our perspective, we've solved. The way that we've done it is we've done an enormous amount of testing. So we did a lot of testing with certain areas within the Department of Defense and some civilian agencies as well just to solidify the efficacy of the approach and the capability as it relates to specifically software runtime protection.
Dave Bittner: That's Kevin Jones from Virsec.
Dave Bittner: And joining me once again is Caleb Barlow. He is the CEO at CynergisTek. Caleb, it's always great to have you back. You know, you and I were recently talking about CMMC and some of the things when it comes to documentation that goes with that. One of the things that we mentioned was how this sort of ties into the NIST Cybersecurity Framework, and I wanted to use that as a launching point for our conversation today. How does NIST play into this, and how does CMMC sort of take it to the next level?
Caleb Barlow: OK, so I'm not going to get into government speak. You know, a lot of the audience here isn't coming from kind of the defense industrial base. But DIB suppliers for years have needed to comply with various regulations that, you know, if you really look at the DNA, are effectively extensions on top of the NIST Cybersecurity Framework, which is pervasively used across the industry. And I think everybody really loves the NIST CSF 'cause it was developed by industry.
Caleb Barlow: Well, what the U.S. government has done is they're stretching their muscles using their procurement power to drive their suppliers to touch controls on classified information to take it to the next level. And I think there's something that everybody ought to pay attention to in this.
Caleb Barlow: So first of all, if the U.S. government, which has 300,000 suppliers, is going to require those folks to kind of step it up, all those suppliers are going to look at their suppliers and go, hey, we're doing this; why aren't you doing this? And it's highly likely that this or some future variant of it probably gets passed on down the road. And guess what. That's exactly what the U.S. government is trying to do. Power to them, right? It's a great way to drive better cybersecurity defenses is to use their purchasing power.
Caleb Barlow: Well, the cool part about this is because its DNA is very much linked to those underpinnings coming from NIST, you know, if you're using, let's say, the NIST CSF, ignore the fact that maybe you don't touch controls on classified information. But let's start to dig into, can you up your game on documentation? Can you up your game on some of these capabilities? Can you up your game on how you assess it? And all of those things are things that the CMMC starts to cover.
Caleb Barlow: So, for example, you know, in the past, you might have asked questions like, do you have multifactor authentication, right? Well, you might've pen tested it to see if it really works. You know, now you say, actually, show me the policy that says I need to have multifactor authentication, and then show me what systems it's on by showing me the logs and attempting to log in.
Caleb Barlow: So it's not only saying, OK, you know, hey, we have multifactor authentication. And a traditional assessment would say, oh, OK - check - and move on. You're saying, prove it to me, OK? Show me the exception list. Show me the onboarding policy for a new application that shows how you add multifactor authentication. Show me the budgeting process where you carve out the budget for this of how you're maybe ramping that budget up over time. Show me who's responsible. Show me who their backup is. So all of these policies and procedures start to get more robust with CMMC.
Caleb Barlow: And here's the other cool thing. Anything you inherit with CMMC - so let's say you've outsourced your IT to a cloud provider. Well, you need to then inherit their policies and practices for what they run for you. So think about how hard it is today with vendor security management. You know, you're using an outsourced security provider. What are your policies and procedures? Oh, well, you know, we talk about our SLAs. We don't share that. Well, with CMMC you have to. So it's a great tool to not only up your own game, but to start thinking of your downstream suppliers and how you learn more about what they're doing and your expectations from them.
Dave Bittner: Let's say I am one of those downstream suppliers. Is it in my best interest, dare I say, is it a competitive advantage for me to come back to my customers and say, listen; we are doing this voluntarily? We're being proactive about this. We are adopting the things that go into CMMC, even though technically we might not have to, but we feel this is going to make life easier for everybody by being on board, and we're way ahead of our competition on this. Is that a good way of thinking about it?
Caleb Barlow: Well, interestingly enough, that's the bet I'm making with my own business, right? So, you know, we have two business units. We have Redspin, and then we have CynergisTek, which is more on the health care side. We only needed to do this for our Redspin business 'cause that's the part of our business that does government work.
Caleb Barlow: And when I started looking at it, our team said - they were like, we should be doing all this anyway. Like, there's - again, there's nothing in here that we didn't think we weren't already doing. So we finally made a decision and said, you know what? We're just going all-in. We're going to do it across the entire business. Now, only one portion of that needs to actually get assessed by the government, but why not do it across the board?
Caleb Barlow: And it has already shown benefit because all of our customers ask us, you know, hey, how do you handle this? How do you handle that? And rather than giving them some flimsy document that's a little checklist of the things we do, like, here's the binder. Here's how we do this. And we can pretty much guarantee you we follow every step in the binder. That has completely changed the conversation with our clients because, oh, OK, you guys clearly have your act together. By the way, can you help us do this kind of documentation of what we're doing? So, yeah.
Dave Bittner: Right, right.
Caleb Barlow: I think it has a huge benefit.
Caleb Barlow: And again, if you really think of the motivations of the federal government in this, they not only need to secure the defense industrial base, but this is a great way to change behavior across the private sector in a way that's a little more positive than driving down, you know, a required regulation over private companies.
Dave Bittner: Yeah. All right. Well, Caleb Barlow, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.