The CyberWire Daily Podcast 10.27.21
Ep 1447 | 10.27.21

Coups and comms blackouts. Fuel sale sabotage in Iran. Wslink described. Operation Dark HunTor takes down a contraband market. FTC looks into Facebook. LockBit speaks.
Dave Bittner: Sudan is under an internet blackout as a military junta consolidates control over the government. Iran says a cyberattack was responsible for disrupting fuel distribution in that country. A novel loader is discovered. Operation Dark HunTor takes down a dark web contraband market. The U.S. FTC is looking into Facebook's privacy settlement. The LockBit Gang talks, and it's insufferable. Andrea Little Limbago from Interos on government internet interventions. Carole Theriault weighs in on Facebook glasses. And Halloween is another day closer.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, October 27, 2021. 

Dave Bittner: The London-based global internet monitoring organization NetBlocks has confirmed that internet service has been disrupted in Sudan. A military coup was mounted Monday, and fighting continues in many parts of the country. Mobile service was briefly restored yesterday afternoon, and a few texts and images about the coup emerged. But even that limited service was soon shut down. The country is now effectively under a telecommunications blackout. 

Dave Bittner: The U.S. Embassy in Khartoum has advised American citizens in Sudan to shelter in place. Quote, "Sudanese Armed Forces have announced they are in control of the government. Demonstrations have been reported in Khartoum and around the country. There are unverified reports of violence against protesters. Flights are not leaving the country," end quote. It appears that the junta has taken down the internet in the country. Internet disruption has taken its place beside seizure of radio stations and printing presses in the standard playbook of the coup d'etat. We hope for the safety of all who are afflicted by the violence. 

Dave Bittner: According to The Washington Post and others, subsidized fuel sales at Iranian gas stations were disrupted yesterday in what the government in Tehran describes as a cyberattack. Investigation is in progress, and the incident isn't yet attributed to any particular threat actor. Observers compare the attack, if such it proves to be, with the disruption of rail services' messaging earlier this summer, generally thought to have been the work of Iranian dissident hacktivists. 

Dave Bittner: While hacktivism may seem the likeliest explanation of the point-of-distribution outages at this time, and while fuel has for some time been a sore point in Iran, the evidence is still far too scanty for attribution. It's worth recalling that Iran has its fair share of adversaries in the region, and not just the obvious actors like Israel, but also the Sunni Arab powers of the Gulf region, not to mention the U.S. itself and those Western powers generally aligned with Washington. False flags remain a possibility, and, of course, hacktivist groups, like terrorist organizations and activist groups generally, have often enough themselves been fronts for state intelligence services. The situation in Iran is still developing. 

Dave Bittner: Security firm ESET announced this morning its discovery of a hitherto unknown malware loader, Wslink, that runs as a server and executes Windows binaries in memory. Who's operating Wslink and what exactly it's used for remains unknown. 

Dave Bittner: An international dragnet made 150 arrests, taking down a dark web contraband market. Operation Dark HunTor also seized 234 kilograms of drugs, 45 guns and more than $31.6 million in cash and virtual currencies, The Wall Street Journal reports. Arrests were made in nine countries, with the U.S. and Germany accounting for most of the collars. The successful roundup seems to have been built upon information shared in the course of another joint international investigation, notably the takedown of DarkMarket back in January. At that time, German authorities arrested the principal operators of that market and took down servers in Ukraine and Moldova the group had been using. 

Dave Bittner: The Wall Street Journal reported this morning that the U.S. Federal Trade Commission had opened an investigation into whether Facebook's internal research indicates that the company violated its 2019 settlement of privacy concerns with the FTC. 

Dave Bittner: Ransomware gangs continue to represent themselves as Robin Hoods who leave important sectors alone on humanitarian grounds, but those protestations ring hollow when organizations like Schreiber Foods are hit. Wisconsin State Farmer reports that the dairy producer and distributor has been disrupted by unknown criminals and that a great quantity of milk products may well be wasted if production can't be restored quickly. 

Dave Bittner: One of the gangs that piously claims to avoid critical infrastructure is LockBit. The Record has interviewed a representative of the LockBit ransomware gang, formerly a bit player, now risen to prominence as it took a top slot in September's ransomware leaderboard. The interview displays LockBit representatives every bit as smugly self-righteous as their colleagues in Conti have recently been. When asked what the secret was to their recent market dominance, LockBit did its best Silicon Valley unicorn imitation and replied, quote, "We haven't started to conquer the market yet. Now we are at the stage of developing and improving the software. The secret is very simple - an impeccable reputation. We are the only ones who have never scammed anyone or changed our brand. People trust us. Accordingly, the more affiliates, the more attacks. The LockBit blog is just a small fraction of the companies that refuse to pay the ransom. In the past three months, we have attacked over 700 companies," end quote. 

Dave Bittner: They see the StealBit information stealer as their competitive secret sauce, and it's clear that they see themselves primarily as a player in the C2C market. There's a lot of talk about the mutual trust that LockBit has built with its affiliates. Quote, "There is no reason not to trust the affiliates. If a person is inclined to long-term cooperation, then they will never leave us. But the most important thing is maintaining an impeccable reputation. We cannot deceive our advertisers and steal their ransom as Avaddon, DarkSide and REvil did," end quote. 

Dave Bittner: The slanging of the competition is interesting. And for what it's worth, LockBit thinks REvil's disappearance was probably an exit scam. Quote, "Nobody really knows, but I'm sure this is a classic exit scam. The same thing happened with Avaddon and DarkSide. As soon as a large payment comes, the owner of this partnership program thinks about whether it's worth working further and risking his life. Or is it better to exit right now and calmly spend the money for the rest of his life?" end quote. 

Dave Bittner: But, says LockBit, you can trust them because, quote, "In our case, such a case is impossible since we fundamentally do not touch the money of our affiliates," end quote. 

Dave Bittner: Two refreshing bits of realism do emerge from the interview. When asked about their banning from the criminal forum Exploit, LockBit replied sensibly enough. Quote, "It is not very clear how cybercriminals can prohibit certain types of cybercrime because, in fact, everyone on this forum is breaking the law. It turns out that conducting a pen-test with post-payment for rich companies is prohibited, but stealing money from the bank cards of millions of individuals is allowed," end quote. That's right. This does seem to be a distinction without a difference. 

Dave Bittner: The other realistic comment concerns the gang's vulnerability to infrastructure takedowns by law enforcement. Gangland has its problems here, too. Quote, "This is one of the most effective methods to deal with us. No one is immune from hacking infrastructure with the help of zero-days. Using NSA hardware backdoors, it is possible to access any server on the planet. Therefore, the risk of being hacked is always present," end quote. Still, they say, talking basically to their criminal client audience, quote, "At the moment, we are absolutely confident in the security system for storing decryption keys and stolen data. No competitor has any analogs. In addition to this, we have several backups of stolen company data on servers in various parts of the world, as well as encrypted offline backups held by trusted parties who receive a salary for safekeeping the data," end quote. 

Dave Bittner: So more irritating and smug than truly scary, but may the cops close in on them soon. But finally, because Halloween is almost upon us... 
Dave Bittner: ...Here's something scarier, courtesy of Bitglass, who say that as recently as 2019, some 38% of the Fortune 500 didn't have a chief information security officer. When they were hit with a cyberattack, the reputational damage was such that stock prices took an average of 46 days to return to their pre-disclosure levels. So happy Halloween, and stay safe out there, kids. 

Dave Bittner: Facebook recently revealed their latest consumer product. And given the bad time Facebook has had in the press lately, it's not surprising that their latest offering has at best received mixed reviews. Our U.K. correspondent Carole Theriault files this report. 

Carole Theriault: Do you remember Google Glass, the wearable smart glasses way back in 2014? They were available to buy for a bucket full of money, really - $1,500. And the product garnered quite a bit of criticism with concerns about its price, obviously, but also about safety and privacy. Thing was, Google Glass apparently didn't do any single action especially well, and they were also pretty dorky looking. At the time, the public also weren't comfy-cozy with the idea of people having clandestine computers that could record and take pictures simply strapped to people's faces. Even some bars and restaurants barred wearers from entry if they were wearing Google Glass. 

Carole Theriault: But that was then, and this is now. And like the space race spate that seems to be happening between Bezos and Musk, we may also be witnessing a kerfuffle when it comes to who's going to be the market leader in smart eyewear, because Facebook has now decided to join the smart eyewear party. 

Carole Theriault: So these smart glasses made by Facebook are actually a collaboration with Ray-Ban and are on sale for $299. You can find these now at LensCrafters and Sunglass Hut stores, and they're called Ray-Ban Stories. Weirdly, Facebook's name's not even on the glasses. Is Facebook not cool enough, or will it make people more aware that the glasses are smart glasses, not just typical Ray-Bans, and cause more kerfuffle? 

Carole Theriault: So basically, you've got these Ray-Ban frames, and they feature two front-facing cameras for capturing video and photos. And they sync with a companion camera roll app called Facebook View. Yes, you need to have a Facebook account in order to use these. Now, in Facebook View, this is where clips can be edited and shared to other apps on your phone. 

Carole Theriault: There's a physical button on the glasses for recording. Or you can say, hey, Facebook, take a video. And that way, you can control these Ray-Bans hands free. And, of course, you can also use the speakers that are inside the glasses to listen to music or a podcast. And perhaps most importantly, they're not dorky, like some have been in the past - Google. 

Carole Theriault: So I haven't tried these Facebook Ray-Ban Stories glasses yet, but a reporter at The Verge did. And they wrote, after testing a pair of Ray-Ban Stories for the past week, I'm impressed with the build quality and how well they work. Initial pairing was easy, and syncing footage from the glasses back to the View app only took a few seconds through a Wi-Fi connection the glasses initiate. However, Mashable were not fans. They claim that this is just an expensive toy for influencers seemingly designed to make Facebook look cool again. 

Carole Theriault: Well, it's going to take a while for me to think that these are anywhere close to being cool. I don't like that there's a camera on the glasses. I also don't like that the camera is so small as to feel virtually camouflaged into the frame. Again, that might be a cool decision. And I guess you have to ask yourself if you think it's cool that people can take pictures of you whenever you're in a public or non-public place without your consent. I mean, they're all at it - Facebook, Google, Amazon, Snapchat. Call me cynical, but I see two main motivators here, both moneymakers - data collection and targeted ad generation. I just wish I knew who out there wants to be on the receiving end of yet more targeted ads. I certainly don't. This was Carole Theriault for the CyberWire. 

Dave Bittner: And joining me once again is Andrea Little Limbago. She is vice president of research and analysis at Interos. Andrea, it's always great to have you back. I wanted to touch today on something that I know you are tracking, and that is how various governments around the world put their finger on the scale when it comes to internet access in their countries. What can you share with us today? 

Andrea Little Limbago: It's something that I have been watching for a while, and I still - it's one of the things I want to continue to elevate because there is this big movement towards privacy that we hear about a lot as far as federal privacy regulations. And that's phenomenal. We hear almost, you know, anecdotally and through narratives are what different governments across the globe are doing. And so I've worked on a recent research project that I'll continue to expand on basically quantifying, you know, how much governments are intervening for government access on one end and then individual data protection and privacy on the other. 

Andrea Little Limbago: And it really is - you know, there's good news and bad news along those lines. It's not only important for those of us that are online right now, but, you know, as more and more people - as the rest of the globe and the next billion people come online in the very near future, we need to think about what those implications are, especially as they're coming online oftentimes in countries where the government is either impeding access or really doing a lot of manipulation as far as what is accessible and what those implications may be. So I do think that, you know, as we look ahead, as more and more folks do come online, it's going to be really important to figure out under what systems and regimes they're going to be having that internet access. 

Dave Bittner: Yeah. I saw an example yesterday - and forgive me, I don't recall exactly which country it was. Maybe you have it top of mind. But it was a nation where they were saying that they're moving towards having all of their internet traffic run through one central place, and that place is run by the government. And they're going to be both analyzing and filtering what their citizens have access to. 

Andrea Little Limbago: Yes, that is one of the - you know, if you think, like, the tool in the tool belt of the techno-dictators, one of them is basically creating a man-in-the-middle means for all data flowing in and out. And that - so they can monitor it. And you know, it's something that - Kazakhstan was - had explored it about three different times by requiring certificates to be on their computers. More recently, Mauritius was one in Africa. It's another one that basically was trying to do something very similar to what Kazakhstan had talked about. And we're seeing that more and more. And it's always under the auspices of, oh, it's for national security, or it's to make sure that we're not seeing - that, you know, violent content or in some cases, you know, content that is disrespectful of the government, you know, is not allowed through. But really, what it does open up is just enormous surveillance and means for, you know, for manipulation, for censorship. It's really - it's a means for information control and controlling the narrative of what goes on within that country. And so that is one of the many different trends that we're seeing leaning towards the area of government intervention. 

Andrea Little Limbago: When you think about that, when those governments have access to it, you know, a lot of times, those governments aren't the only ones that maintain that access. And there was a good example from earlier this summer where Cambodia was having a contact tracing app. And almost like a tit for tat, you know, as far as relationships with China, China wanted access to that data. And so China was going to provide some carrot, and in return, Cambodia would give the access that they have through their government contact tracing app and give that data abroad. 

Andrea Little Limbago: And so with governments having so much access to data, it's not unimaginable, and it's not unprecedented at this point where other countries are going to demand access to that data as well. And so, you know, what stays - you know, what happens locally is not going to stay locally, as well, when it comes to that kind of access. So you know, very disconcerting, you know, the notion of the splinternet and all these different internets popping up, but absolutely, you know, one person's experience online is going to be very different, depending on where they are in the world and depending on these various kinds of regulations. 

Andrea Little Limbago: And I would say, on the positive side, there are over a hundred countries now that do have data privacy laws. And so they have more - they've proposed them and are very close to getting enacted. And so I think that - you know, we have these two trends that are going on. And that's where we need to think about, even as a security community, what role we can play to help push it towards the - you know, push it towards the edge of, you know, individual data protection and data rights and security and away from government access to that data. 

Dave Bittner: When a nation does this and puts in place this sort of filtering and monitoring, to what degree are the citizens successful in finding workarounds? 

Andrea Little Limbago: Yeah, so it varies. And you know, what's interesting is even in some - there are new cases. If you broaden the umbrella of citizens to also being some of the hacktivists going on, you see what's going on in Belarus, where some of the government data (laughter) itself was, you know, exposed and released. And so there are ways that citizens are pushing back and just in a very significantly based on where they are and what they're up against. You know, what's going to work in some countries, you know, probably wouldn't work in, say, Hong Kong that has a much different environment. But still, citizens are finding ways to work around. And that's, again, where we'll see some innovation occur. And so that's great. But it'd be great if they didn't have to innovate in those areas. They could, you know, instead have the access, have the data protected - protections that they need. But they're - for sure, we are seeing a sort of an uptick in creativity in how to circumvent them. But still, at the end of the day, you know, it's very hard, you know, with minimal resources, to do so. 

Dave Bittner: Right. Right. Absolutely. All right. Well, interesting stuff as always. Andrea Little Limbago, thanks for joining us. 

Andrea Little Limbago: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.