The CyberWire Daily Podcast 11.15.21
Ep 1459 | 11.15.21

Official online channels hijacked in separate US, Philippine incidents. Update on MosesStaff, a ransomware group interested in politics, not profit. Costco breach. Ryuk money-laundering case.


Dave Bittner: Exploitation of a configuration error in the FBI's Law Enforcement Enterprise Portal enables hackers to send bogus warning emails. The Philippine Office of Civil Defense Twitter account was briefly hijacked. Update on Iranian politically motivated threat group Moses Staff. Discount retailer Costco discloses a point-of-sale skimmer incident. Dinah Davis from Arctic Wolf tracks zero-days. Rick "the toolman" Howard drops by the studio. And the U.S. seeks extradition of a Russian altcoin baron on charges of laundering Ryuk's money.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, November 15, 2021. 

Dave Bittner: Messages that looked as if they were from the FBI early Saturday morning weren't. That is, they came from the bureau's Law Enforcement Enterprise Portal, known as LEEP, a platform used to communicate with the FBI's partners in state and local law enforcement, but they were, in fact, sent by hackers, not by the FBI. 

Dave Bittner: The bureau issued a terse preliminary statement later Saturday, updated on Sunday. It's short enough to quote in full. 

Dave Bittner: Quote, "the FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal to send fake emails. LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners. While the illegitimate email originated from an FBI-operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI's corporate email service. No actor was able to access or compromise any data or PII on the FBI's network. Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails and confirmed the integrity of our networks," end quote. 

Dave Bittner: Twitter threads from both Spamhaus and Kevin Beaumont provided an interesting early account as the emails appeared. The emails originated from FBI servers. Their headers show an origin verified by the DomainKeys Identified Mail system. Spamhaus reproduced the headers. The sending IP address and the from lines look legitimate because they are. 

Dave Bittner: There's no obvious criminal motive beyond, perhaps, the malign lulz of perhaps disrupting networks that were shut down as a precaution or of darkening counsel by eroding confidence in FBI warnings. Or it may be the simple coup-counting one sees among cases of arrested development who like to show the grown-ups that they're not so smart. But we shall see. 

Dave Bittner: The bogus warning read as follows. 

Dave Bittner: Quote, "our intelligence monitoring indicated exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however there is a huge chance he will modify his attack with fast flux technologies which he proxies through multiple global accelerators. We identified the threat actor to be Vinny Troia, whom is believed to be affiliated with the extortion gang The Dark Overlord. We highly recommend you to check your systems and IDS monitoring. Beware this threat actor is currently working under inspection of the NCCIC. As we are dependent on some of his intelligence research, we cannot interfere physically within four hours, which could be enough time to cause severe damage to your infrastructure. Stay safe," end quote. 

Dave Bittner: And it's signed, U.S. Department of Homeland Security, Cyber Threat Detection and Analysis, Network Analysis Group. 

Dave Bittner: KrebsOnSecurity calls out poor coding on the FBI's Criminal Justice Information Services portal, a service used for sharing law enforcement information. The hacker who counted coup, who goes by the hacker name Pompompurin, told KrebsOnSecurity that he did what he did to show up poor security practices at the FBI. And, indeed, the bureau has some digital egg on its virtual face. 

Dave Bittner: There's also a gratuitous and facially ridiculous shot at Vinny Troia, founder of security firms NightLion and Shadowbyte, asserting that he's a known associate of the Dark Overlord criminal actor. 

Dave Bittner: BleepingComputer points out that Troia has long been the object of taunts and defamation from some of the lulzsters over at RaidForums. They typically warn Mr. Troia when they're about to mess with him, and they did so this time as well. Troia retweeted their message - quote, "@vinnytroia, you're about to get lit up today - spam attack involving your name," end quote. A stupid prank. And, by the way, good hunting, FBI. Troia, by the way, says he intends to blog Mr. Pompompurin's real name tomorrow. 

Dave Bittner: The Twitter account of the Philippines' Office of Civil Defense was briefly hijacked early Sunday and used to churn out unusual messages having nothing to do with civil defense or disaster preparation, the Manila Inquirer reports. The tweets mostly involved celebrity-themed Bitcoin speculation. 

Dave Bittner: Check Point this morning released an update on the Iranian threat group MosesStaff. Hacktivist or government-directed, Moses Staff operates like a ransomware gang, but its motive appears to be purely political. It seeks to damage Israeli companies by stealing data, encrypting the victim's files with DiskCryptor and then releasing the data online. MosesStaff issues no ransom demands and explains its program as, quote, "fighting against the resistance and exposing the crimes of the Zionists in the occupied territories," end quote. 

Dave Bittner: The large U.S. discount retailer Costco warned customers last week that it had found a credit card skimmer in one of its Chicago-area warehouses and that customers should be alert to the possibility of credit card fraud. Warehouse in Costco's usage means store. The company is commonly described as a warehouse club. ZDNet reports that some Costco customers had complained of fraudulent pay card charges shortly before the skimmer was found. 

Dave Bittner: The U.S. is seeking the extradition of Denis Dubnikov, a Russian altcoin entrepreneur who founded EggChange and Crypto Coyote, on charges of allegedly laundering money on behalf of the Ryuk ransomware gang, the Wall Street Journal reports. Mr. Dubnikov was vacationing in Mexico, where on November 3 authorities seized him and put him on a flight to Amsterdam, where he's currently being held by Dutch authorities on a U.S. warrant. 

Dave Bittner: It's the first arrest the U.S. has sought in cases involving Ryuk. Much of the comment on Ryuk - and CNN's is representative - has mentioned Ryuk's involvement in attacks on health care facilities. Mr. Dubnikov is, of course, fighting extradition and denies involvement in money laundering. He intends to plead not guilty, his attorney Arkady Bukh says, quote, "because he had no knowledge of someone engaging in criminal activity," end quote. 

Dave Bittner: Sputnik reflects the outrage of Russian cryptocurrency traders and presumably their licit, semi-illicit and illicit customers with a headline that says Mr. Dubnikov was practically kidnapped by the FBI in Mexico. The semi-official Russian outlet quotes the aforementioned Mr. Bukh as their source for the kidnapping angle. Quote, "Dubnikov was detained in Mexico but expelled because Mexico doesn't have such an ideal extradition policy as the Netherlands. They have bought a ticket. In other words, they have in fact kidnapped him and sent him to the Netherlands because extradition from the Netherlands is in fact guaranteed. He is in fact held in jail in the Netherlands. He is accused of money laundering and may face up to 20 years in jail. We expect his extradition to the United States," end quote. 

Dave Bittner: They're thinking of cutting their extradition fight short, however, and just fighting the charges in the U.S., the attorney added. Quote, "so far, we do not agree to extradition, but we will probably give our consent later because the Netherlands is a country where the fight against extradition is statistically meaningless. We are studying. Maybe it is worth agreeing to a quick extradition and sorting it out here," end quote. 

Dave Bittner: And joining me once again is Rick Howard. He is the CyberWire's chief security officer and also our chief analyst. Rick, always great to have you back. 

Rick Howard: Hey, Dave. 

Dave Bittner: So for this week's "CSOP" episode, you are launching a new series called Rick the Tool Man. 

Rick Howard: Damn sure. 

Dave Bittner: I thought that was interesting. Yeah. Well, what caught my eye in the notes that you sent over was the obvious similarity to how that sounded in my head compared to one of my favorite '90s TV shows, "Home Improvement." 


Dave Bittner: Are you going to humor me and tell me that's what you were going for here? 

Rick Howard: Well, you got it exactly right, Dave. That's what I was going for. And... 

Dave Bittner: OK. 

Rick Howard: Right. The guy that starred in that show was Tim Allen, and he's one of my favorite comics and actors and who, by the way, starred in "Galaxy Quest," you know... 

Dave Bittner: Yes. 

Rick Howard: ...A perennial nerd favorite. 

Dave Bittner: Yeah, yeah. 

Rick Howard: And he played Buzz Lightyear. 

Dave Bittner: Buzz Lightyear. Yeah. 

Rick Howard: Buzz Lightyear, man. Come on. 

Dave Bittner: Right, right. Sure. 

Rick Howard: So in this '90s TV show, he plays a guy who runs a local public television show that's kind of modeled after the real-world PBS long-running TV show called "This Old House." 

Dave Bittner: Right. 

Rick Howard: You remember watching "This Old House"? 

Dave Bittner: Absolutely. Yeah, yeah. 

Rick Howard: And so his nickname on the show is Tim the Tool Man. So I thought I would borrow that little thing for this new series. 

Dave Bittner: All right. Well, I'm sold. Say no more. 


Dave Bittner: I don't know what your series is about, but I definitely enjoyed that show. 

Rick Howard: I know, right? So here's the idea, OK? It's that security executives manage teams of security practitioners. And these practitioners all have a toolbox of their favorite tools they use to keep the organization safe - everything from hardware and software products like firewalls, intrusion detection systems and endpoint protection systems but also things like frameworks and compliance standards like the NIST Cybersecurity Framework and, you know, the U.S. FedRAMP program. 

Rick Howard: So these security executives don't necessarily have to know how to turn the wrenches on these tools. And in fact, I've been personally told in previous jobs to keep my hands out of there because of the high probability that I would screw something up. I'm not saying that I ever did that, but I'm not not saying that. You know, I'm just going to plead the fifth here. 

Dave Bittner: Sure, sure. Got it. Got it. So if this Rick the Tool Man series is not about turning the wrenches and the dials on these tools, what exactly is it about? 

Rick Howard: Well, I think it goes without saying that it's tough to lead an organization if you don't understand what it's capable of. And that's some combination of the skill sets on your teams and the tools that they are using. So as a security executive, you should have a pretty good understanding of how the tools in the toolbox can be applied to your organization. And for this week's first show, we're going to talk about the MITRE ATT&CK framework, what it is and how you should be thinking about it at the strategic level so that you can direct your teams tactically in their day-to-day operations. 

Dave Bittner: All right. Well, it is "CSO Perspectives." It is part of CyberWire Pro. You can find that on our website, Rick Howard, thanks for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: And joining me once again is Dinah Davis. She is VP of R&D operations at Arctic Wolf, also the founder and editor in chief at Code Like a Girl. Dinah, it is always great to have you back. You know, we're coming towards that time, towards the end of 2021, and I thought it'd be a great time to check in with you on where we are in 2021, sort of taking stock when it came to zero-days. What can you share with us? 

Dinah Davis: Yeah, this one was really interesting. I saw this article pop up on the MIT Technology Review in the past week, and so far in 2021, we have more than doubled the amount of zero-days that were found in 2020. And the interesting thing is the article also links to a Google Doc that has all of the zero-days that they have been tracking since about 2014, and it seems to have been doubling, you know, every year for a while now. So the question is, like, why? Why has it doubled this year? 

Dave Bittner: Are we just looking more, you know? Do - are we better at looking, or are they actually being spun up? 

Dinah Davis: I think it's, like, a mix of all of those things. You know, there's more hacking tools available today than there were before, so people are, you know, digging and finding more zero-days. But also, like, there's governments that are, like, really sponsoring that and throwing money at that because those zero-days are key for them in their spying, espionage ways. And so even this year, China is suspected of at least nine of the zero-days of having originated with them. 

Dave Bittner: What about the market for these? I mean, people are buying and selling them. That's active as well. 

Dinah Davis: Yeah. I mean, not everybody can throw all their money towards people to try and find them, right? There's lots of these ransomware gangs out there that, you know, want access to these zero-days but don't necessarily have the skills or the tool sets to create them. So they're buying them, and that's making the market even hotter, right? It's capitalism at its best (laughter), I guess. 

Dave Bittner: Right, right. 

Dinah Davis: And then, you know, finally, I think we're getting better at detecting them, right? Organizations and groups, we're spending more money looking for them as well and protecting ourselves from them. And because of that and because more groups are working together, we're getting better at detecting more of the sophisticated attacks. Like, more minds together is always better, right? A bunch of smart people in a room together are going to find more than one person on their lonesome. And then I think the pandemic's had an effect on this as well, where a lot of security researchers and stuff were, you know, bored at home. 

Dave Bittner: (Laughter). 

Dinah Davis: And they were able to do a little bit more digging and find those zero-days. And I think also, the question really does remain - are there actually way more, or are we finding more? 

Dave Bittner: Yeah. 

Dinah Davis: I think the jury's out on that one. 

Dave Bittner: Yeah. Interesting. All right. Well, Dinah Davis, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence, and every week we talk to interesting people about timely cybersecurity topics. That's at 

Dave Bittner: The CyberWire is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.