The CyberWire Daily Podcast 11.4.21
Ep 1453 | 11.4.21

Britain’s Labour Party sustains a “data incident.” CERT-FR describes a new affiliate gang, Lockean. US, Russian intelligence chiefs discuss cybersecurity. Gas is flowing in Iran again. Start-ups honored.


Dave Bittner: Britain's Labour Party is affected by a ransomware incident a third-party provider sustained. ANSSI identifies a new ransomware affiliate gang, Lockean. Notes on how and why BlackMatter and REvil went on the lam. Russo-American talks discussed cybercrime and cybersecurity. Iran's gas stations are fully back in business following the cyber sabotage they sustained. Kevin Magee from Microsoft has highlights from their 2021 Digital Defense Report. Our guest is Ofer Ben-Noon of Talon Cyber Security addressing browser vulnerabilities. And DataTribe has announced the winners of its fourth annual Cybersecurity Startup Challenge.

Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Thursday, November 4, 2021. 

Dave Bittner: Britain's Labour Party has disclosed that it's been affected by what it characterizes as a data incident. The incident affected Labour through a third party that managed data on behalf of the party. The third party, unnamed by Labour, notified its client on October 29 that a significant quantity of party data had been rendered inaccessible on their systems. That description suggests a ransomware attack, although the party's statement doesn't characterize it as such. 

Dave Bittner: Computing describes the information as having been stolen. But beyond the usual cautions one would expect a ransomware victim to extend to the individuals affected - be alert for social engineering, use multifactor authentication and report suspicious activity - the grounds for thinking data were taken are a matter of a priori probability. Data theft has become the norm in ransomware attacks, and it's prudent to assume that it's a possibility here. 

Dave Bittner: Labour says it brought in outside expertise and reported the incident to the appropriate authorities - the National Crime Agency, the National Cyber Security Centre and the Information Commissioner's Office. Investigation is in progress, but Labour says that only its provider's systems were affected, not the party's own data systems. The Labour Party's statement adds, quote, "we understand that the data includes information provided to the Party by its members, registered and affiliated supporters and other individuals who have provided their information to the Party. The full scope and impact of the incident is being urgently investigated," end quote. 

Dave Bittner: The Guardian reports that this is the second third-party breach Labour has sustained over the past year and a half. The party was one of the victims of the Blackbaud compromise. It's also unclear if Labour was itself the intended target of the attack. The principal intended victim may have been that unnamed provider of data services. 

Dave Bittner: CERT-FR, the French national CERT operated under the direction of ANSSI, has identified a new ransomware gang, Lockean, that's recently infested French companies in what CERT-FR characterizes as big-game hunting. Lockean is connected with several ransomware-as-a-service operations, including DoppelPaymer, Maze, ProLock, Egregor and Sodinokibi. 

Dave Bittner: The investigation began when ANSSI took up a series of six QakBot investigations that began in 2020 and continued into 2021. Four of them shared a common QakBot naming convention. Five of the attacks involved deployment of Cobalt Strike, and four of those spoofed Akamai and Azure domains. In three of the incidents, the Rclone exfiltration tool was used. 

Dave Bittner: These commonalities led ANSSI to believe that the incidents were the work of a single threat actor and that the signs also seemed consistent with reports by security firms Intrinsec and The DFIR Report. Subsequent investigation convinced ANSSI that this was so. They've named the threat actor Lockean, and ANSSI's full report contains extensive information on the gang's tactics, techniques and procedures. 

Dave Bittner: Lockean appears to be an affiliate, a user of tools provided by other gangs in the C2C underground market. The Record points out that Lockean is the second big affiliate gang to be identified. The FBI described another such group, OnePercent, back in August. 

Dave Bittner: More has emerged on the events surrounding REvil's announced retirement. The Washington Post reports that U.S. Cyber Command and an unnamed foreign government took action against REvil in a coordinated operation. The foreign government gained access to REvil's servers this summer. In October, Cyber Command hijacked the Russophone gang's traffic, effectively denying access to the group's website. 

Dave Bittner: The experience apparently put the fear of Fort Meade into the gang's members, who took the better part of valor and dispersed, scampered, vamoosed. Until they're in custody, of course, there's the possibility that they could reform, either by getting the band back together, by starting fresh, perhaps independently, or by joining another established gang. 

Dave Bittner: U.S. Cyber Command is understandably reticent about sharing details. But according to CNN, U.S. Cyber Command head General Nakasone yesterday said his command had for the past three months been engaged in a surge against ransomware operators. General Nakasone said, quote, "while I won't comment on specific operations, I will say that we've made a lot of progress. I'm pleased with the progress we've made, and we've got a lot more to do," end quote. 

Dave Bittner: ZDNet says the other major gang to recently close up shop, BlackMatter, has seen its affiliates migrate to a competitor, LockBit. BlackMatter, itself generally regarded as a rebranding of the DarkSide, said its decision to shut down was prompted by recent events. ZDNet speculates that those events included, not only the action against REvil, but also the Europol-coordinated roundup of 12 high-profile individuals involved in spreading ransomware, including LockerGoga, MegaCortex and Dharma. 

Dave Bittner: Reuters has confirmed that this week's high-level Russo-American talks in Moscow touched upon the activities of Russian gangs and privateers. U.S. Director of Central Intelligence Burns spoke with SVR Chief Sergey Naryshkin. He also talked with Nikolai Patrushev, secretary to Russia's Security Council and former head of the FSB. Any cooperation between the two countries remains a long-term work in progress, but it will be interesting to watch the aftermath of the conversations. 

Dave Bittner: Iran's fuel stations have recovered from the cyber sabotage they sustained more than a week ago, SecurityWeek reports. Tehran's investigation is apparently still in progress. There's been no recent update to informal statements by officials blaming Israel and the United States for the attack. 

Dave Bittner: And finally, DataTribe held its fourth annual cybersecurity startup challenge yesterday, and we're pleased to announce the results. Grey Market Labs, a secure virtual enclave deployment platform; ContraForce, a security orchestration platform; and QuickCode, a data labeling technology for machine learning data sets, were the three finalists. And each came into the finals having already been awarded $20,000. ContraForce and QuickCode were named the winners, each receiving a $2 million investment, double what the competition had originally planned to award. 

Dave Bittner: DataTribe is a global cyber foundry based in Maryland. It supports early-stage companies and runs the annual competition, quote, "to identify and curate pre-series A, seed high-technology startups with a vision to disrupt cybersecurity and data science," end quote. 

Dave Bittner: Full disclosure - the CyberWire is a DataTribe portfolio company. The judges of the competition were Bob Ackerman - founder, AllegisCyber, co-founder DataTribe; Shamla Naidoo - head of cloud security, Netskope, former global CISO, IBM; Navin Maharaj - director, Koch Disruptive Technologies; Ron Gula, president and co-founder, Gula Tech Adventures and co-founder of Tenable; and Arno Van Der Walt, CISO of Marriott International. 

Dave Bittner: It was good to get together for an in-person pitch event after so many months of relative isolation. Those who attended received a special preview of the CyberWire's upcoming miniseries "Hacking Humans Goes to the Movies." Watch for it on our website. Congratulations to all the companies who competed, and especially to the three finalists - Grey Market Labs, ContraForce, QuickCode and, of course, the two winners, ContraForce and QuickCode. 

Dave Bittner: Think about how much of your day-to-day computing experience happens through your browser. As more and more services migrate to the cloud, it's likely you're making use of your browser to access those services. So what about the security of the browser itself? Ofer Ben-Noon is co-founder and CEO of Talon Cyber Security. 

Ofer Ben-Noon: Over the last three years, pretty much the No. 1 vulnerable application in terms of CVEs is the browser. And the No. 2 most exploited application is the browser - exploited in the wild, I mean. So that has led us to the understanding that, A, we need to secure the browser a lot more and, two, it's the best focal point to secure the new distributed and hybrid workforce, which is becoming more and more SaaS-oriented, obviously. 

Ofer Ben-Noon: So the focus is not only on capabilities around protecting the browser, but, for example, also capabilities around data-leakage prevention and some capabilities around network monitoring, and how do you reduce the chances that employees will browse in the first place to websites that contain vulnerabilities and, by that, obviously reduce the chances that the malware will get compromised, and also identifying shadow SaaS where data is then leaking outside of the organization. So while browser security is a very key component of the story, it does not end there. So the scope is a bit bigger. 

Dave Bittner: It strikes me that, you know, while folks do have choices when it comes to the browser they want to use, I mean, at their core, there are only a couple of places where people build their browsers, and it seems to me that most of them these days are using Chromium as their source. What is your take on that? 

Ofer Ben-Noon: I think part of the reason that Chromium is becoming so focal and core is that building a browser is a very complex task in terms of the usability, in terms of the user experience and in terms of the amount of edge cases that they need pretty much to be able to resolve. And I think that this type of a consolidation play, which got pretty much its tempo when Microsoft migrated from Internet Explorer to Edge, was what really made Chromium so popular. We have two of the biggest software organizations in the world maintaining one code or one core for code. This brings a unique advantage for Chromium over every other alternative as a browser. 

Dave Bittner: And so what are your recommendations for organizations looking to secure folks who are using those browsers for so many things? 

Ofer Ben-Noon: So there are a few things here. First one, which is the core of everything, is to make sure that a browser which is not patched to the latest version may not access the critical resources of the organization. And here, it means two things. The first one is to make sure that, indeed, at every single moment, we are tracking what endpoints and specifically, in this case, what browser is having the access to the organization resources. 

Ofer Ben-Noon: And then there is everything that is complementary around it, which is extensions. Are we monitoring all of the extensions of the browser? So even if the browser is not at all compromised but a malware extension is on the browser - and only a couple of months ago, there were tens of millions of instances of a malware extension over Chrome. That's a big thing, obviously. 

Ofer Ben-Noon: And the third layer would be the added security that you can implement on top of the browser. Now, this comes in multiple flavors. The first one would be to make sure that we need control to which websites - hopefully not malware websites - our employees are able to access. That also helps in terms of reducing the amount of potential phishing that they are going to be exposed to, the amount of drive-by download attacks that they will be exposed to. And the fourth layer is really protecting the browser itself. 

Dave Bittner: That's Ofer Ben-Noon from Talon Cybersecurity. 

Dave Bittner: And I'm pleased to be joined once again by Kevin Magee. He is the chief security officer at Microsoft Canada. Kevin, you and your colleagues recently released the 2021 version of your digital defense report, and a lot of interesting stuff in there. I wanted to check in with you and see what some of the highlights for you were in the new report. 

Kevin Magee: Thanks for having me back, Dave. Really pleased to be here again. This year's report is the second report. It's 120 pages, so it's not a light read, but it's chock full of details. Really covers five major focus areas - the state of cybercrime, nation-state threats, supply chain and IoT security, hybrid workforce and then disinformation. 

Kevin Magee: This is really not a report that sort of you really have to be a deep technical person to read, even though there is quite a bit of technical details in there. In fact, it's really a report that I'm recommending you give to your CEO, your CFO or your board because it does a great job of providing a lot of technical depth and detail but with context and visual diagrams and whatnot that can really help explain some of the major threats we're facing to these business decision-makers. 

Dave Bittner: What are some of the actual highlights for you? I mean, are there any things that stood out for you as really deserving attention? 

Kevin Magee: I think one of the neat things was just the numbers initially from the Microsoft perspective. We're basing this report on 24 trillion security signals. That's up from 8 trillion we saw last year. So we're seeing exponential growth in the number of security signals or data points we're able to pull from - 9 billion blocked endpoint threats, 31 billion identity threats, 32 billion email threats. The numbers are pretty mind-boggling. So it's very... 

Dave Bittner: And you're talking about real numbers, right? 

Kevin Magee: Yeah. It starts to bring out incredible patterns that we may not have been able to see before. So I guess the two major things that really jumped out at me was, one, just how cybercrime is now becoming a national security threat. And we're not just seeing that in the data and in the TTP threat actors are using, but we're also seeing that move into our user discussions and also policy discussions across the globe as well. 

Kevin Magee: And then also, from a technical perspective, attacks on machine learning models were of real interest to me. And it's an area that I don't have a lot of background in, but it's becoming an emerging threat vector for attackers to leverage. 

Dave Bittner: Well, let's dig into both of those one at a time because I think they are both interesting and worthy of discussion. And when it comes to national security, I'm curious. You know, the conversations that you're having with the folks you speak to - is there a growing expectation that the nations themselves step up and do more to defend organizations here or even - I don't know - moving towards more partnership on that realm? 

Kevin Magee: I think so. I mean, we've moved well beyond the point where criminal gangs are just doing, you know, virtual smash and grabs, and we're starting to see coordinated attacks. We're starting to see an emerging almost cybercrime industrial complex where there's, you know, integrated supply chain specializations and whatnot. So organized cybercrime in itself is becoming a major problem. 

Kevin Magee: But a lot of the attacks are based on critical infrastructure - hospitals, power grids and whatnot. It's not just businesses that are being attacked. And we're also seeing the overlap more and more with cybercriminal gangs and potential nation-state actors using cybercrime techniques or proxies for attacks as well. 

Kevin Magee: I think we started to see in the policy documents for governments this idea of persistent engagement or, you know, defend forward start to prop up the last couple of years. But it was quietly inserted into some of these strategic documents. More and more, we're having an open discussion now that this is - cybercrime is not just a financial crime. It is a potential national security threat. And I'm very pleased to see that we're having more policy discussions or more open discussions about it at that level. 

Dave Bittner: Let's talk about what you mentioned there about attacks on machine learning. What exactly is going on there? 

Kevin Magee: Yeah. This is an area where I was really interested in reading because it was something I really didn't know quite a bit about, and I had a chance to reach out to my colleagues in the data side of the house as well. We've identified four major attacks on machine learning models. One is the evasion attack, which - think about causing a misclassification of data. For example, if you had a self-driving car and you turned a stop sign into something different so that it was confused, that would be an example of an evasion attack. A poison attack could be an attack that contaminates the training phase of the machine learning. So you can actually insert something into the model as it's being developed to get the answer that you want as the attacker to come out the other end for whatever reason. 

Kevin Magee: Then there's a membership inference. So as part of the machine learning, it ingests a lot of data as it's learning. An attacker could tease out information like the individual's health information or whatnot out of the model and extract that from the model or flat-out model stealing. We see attackers now looking at stealing the proprietary algorithms, which may be for day trading or whatnot as well. And these algorithms have intellectual property value. So that's another attack vector. 

Dave Bittner: All right. Well, Kevin Magee from Microsoft - the report is the 2021 Digital Defense Report. Thanks so much for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.