The CyberWire Daily Podcast 8.30.22
Ep 1652 | 8.30.22

Cyberespionage around the South China Sea. Oktapus and the Twilio compromise. Notes from Russia’s hybrid war. And the LockBit gang looks beyond double extortion.

Transcript

Dave Bittner: Cyberespionage around the South China Sea. Oktapus and the Twilio compromise. Montenegro works to recover from a Russian cyber offensive. A big Russian streaming platform sustains a data leak. Ann Johnson of the "Afternoon Cyber Tea" podcast speaks with Dave DeWalt of NightDragon and Jay Leek of both SYN Ventures and ClearSky Security about cyber capital investment. Mr. Security Answer Person John Pescatore examines the allure of the health care industry for ransomware operators, and the LockBit gang looks beyond double extortion.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, August 30, 2022. 

Cyberespionage around the South China Sea.

Dave Bittner: Proofpoint, this morning, released a report on a cyberespionage campaign against nations with regional interests centered on, but not confined to, the South China Sea. The researchers call the responsible threat group TA423, or Red Ladon, and say that it shows an overlap with APT40, a Chinese government unit also known as Leviathan that operates from Hainan. Red Ladon has a close interest in the Australian government and in anyone's wind turbines in the South China Sea. Proofpoint says, beginning on 12 April 2022 and continuing through mid-June 2022, Proofpoint identified several waves of a phishing campaign, resulting in the execution of the ScanBox reconnaissance framework, in part based on intelligence shared by PwC Threat Intelligence related to ongoing ScanBox activity. The phishing campaign involved URLs delivered in phishing emails, which redirected victims to a malicious website posing as an Australian news media outlet. The phishing campaign has been long-running, and the cyberespionage serves Beijing's long-range economic interests.

Oktapus and the Twilio compromise.

Dave Bittner: Threatpost offers an update on the Oktapus phishing campaign, in which Okta identity credentials and multi-factor authentication codes were obtained from employees at Twilio and Cloudflare and then used in subsequent attempts on more than 130 companies. WIRED looks at the campaign, which it sees as likely to be one of the more successful and long-running criminal efforts in recent memory, and frames it as a cautionary tale for the business-to-business supply chain, writing, phishing has been an inveterate and consequential threat for years, playing a role in many impactful breaches around the world, including Russia's attack on the Democratic National Committee in 2016. But if the next phase of the trend is phishing-fueled supply chain attacks, the scale of the collateral damage will magnify in an unprecedented way.

Ukraine begins its counteroffensive in the Kherson zone.

Dave Bittner: The long-anticipated Ukrainian counteroffensive toward Kherson, near the Black Sea coast, began overnight, and it's been marked by attempts at persuasion on both sides. Ukrainian President Zelenskyy said in his nightly address yesterday, if they want to survive, it's time for the Russian military to run away. Ukraine is taking back its own. While intense fighting and breakthroughs into Russian-held positions have been reported, Ukrainian officials have cautioned against premature optimism, predicting a long, protracted struggle. For its part, official Russia says the Ukrainian offensive has already failed. Kremlin mouthpiece Dmitry Peskov said, the special military operation continues. It continues methodically and in coordination with all current plans. All objectives will be fulfilled.

Montenegro works to recover from Russian cyber offensive.

Dave Bittner: Given the kinetic action on the ground, Russian cyberattacks have recently seemed more aimed at punishing nations sympathetic to Ukraine than they've been directed against Ukrainian networks proper. The cyberattack against Montenegrin infrastructure, for example, which the government has attributed to Russia, appears to have been both extensive and consequential. BleepingComputer writes, targets include electricity and water supply systems, transportation systems, online portals that citizens use to access various state services and more. Power plants have switched to manual operations, and many government IT services have been taken offline to contain the effects of the attack. The country's minister of public administration was at pains to reassure citizens that their data was safe, stating, although certain services are currently temporarily disabled for security reasons, the security of the accounts of citizens and business entities and their data is not in any way endangered. 

Dave Bittner: The Record reports that France has responded to requests for assistance by sending a team from the National Agency for the Security of Information Systems to assist Montenegro with recovery efforts. Montenegro's defense minister blamed Russia, suggesting that only Russia had a motive to hit government IT systems. Other Eastern European states deemed enemies of Russia have recently sustained cyberattacks - mostly nuisance-level DDoS campaigns - in recent weeks. Targets have included networks in Moldova, Slovenia, Bulgaria and Albania. The effects of the attack against Montenegro seem more serious than most of what's been so far seen in Russia's hybrid war. One wonders why they haven't done as much to Ukraine itself and can only conclude that Russian cyber works best against less thoroughly prepared and defended targets. In fairness to Russia, that would be true of anyone else's cyber as well. 

Russian streaming platform sustains a data leak.

Dave Bittner: The Record reports that the Russian streaming service START, which supplies content to users in at least 174 countries, disclosed Sunday that it had sustained a data leak. How serious that leak was, START hasn't said, but the Russian Telegram channel Information Leaks, which published screenshots purporting to be proof of hack, says the leak amounted to 72 gigabytes and included data on 44 million customers. According to the Record, the leaked information includes usernames, email addresses, hashed passwords, IP addresses, users' countries of registration, subscription start and end dates, and the last login to the service. Most of the affected users are thought to be in Russia, but substantial minorities are from Kazakhstan, China and Ukraine. Those responsible for the incident claim they got the information from an exposed MongoDB database. 

Gang looks beyond double extortion.

Dave Bittner: And finally, the operators of LockBit ransomware are considering a move beyond double extortion to triple extortion. Double extortion is, of course, encryption of the victim's data coupled with a threat to release the data publicly. Triple extortion adds a DDoS attack. SC Media reports that a LockBit hood posted a help wanted notice in a dark web forum, stating, I am looking for DDoSers in the team. Most likely now, we will attack targets and provide triple extortion - encryption plus data leak plus DDoS - because I have felt the power of DDoS and how it invigorates and makes life more interesting. 

Dave Bittner: So dudes and dudettes, LockBit wants you, but please resist the temptation. You can do better working in a nice government job. Be a good guy and not a cheap goon. Working for LockBit is the in real life equivalent of the Al Pacino character sawing the tops off of parking meters in "Donnie Brasco." Have you seen "Donnie Brasco?" Good flick. Stream it from somewhere - somewhere other than START. 

Computer-generated Voice #1: Mister. 

Computer-generated Voice #2: Security. 

Computer-generated Voice #3: Answer. 

Computer-generated Voice #4: Person. 

Computer-generated Voice #1: Mister. 

Computer-generated Voice #2: Security. 

Computer-generated Voice #3: Answer. 

Computer-generated Voice #4: Person. 

John Pescatore: Hi, I'm John Pescatore, Mr. Security Answer Person. Our question for today's episode - it seems like every breach we see in the news these days is against health care. Have attackers abandoned going after good old retail targets, or is it just the ongoing pandemic causing the press to focus on all health care-related bad news? 

John Pescatore: Well, that's a timely question. First, let me dazzle you with some data courtesy of the Identity Theft Resource Center. In the U.S. during the first half of 2022, we've seen 161 public breaches in the health care sector, compared to only 31 in retail, predicting about 320 and 62, respectively, for full-year 2022. The pandemic years of 2020 and 2021 showed similar ratios - 330 health care breaches versus 102 in retail during 2021 and 306 to 53 in 2020. But health care actually had more breaches overall in 2019 - 525 - which was before COVID. The ITRC numbers didn't show retail before 2020, but there were likely a similar number of retail breaches as in following years. 

John Pescatore: The bottom line? Retail breaches are definitely down from years ago, but health care breaches are really not up. Press attention has been magnified because of the continuing pandemic. More importantly, the lower level of successful retail breaches does not mean that attackers aren't still going after retail. I think retail has gotten better - a lot better - at protecting itself. From 2007 to 2015 or so, retail breaches dominated the news, as Target, TJX, Hannaford, Home Depot and others had breaches that compromised close to 200 million retail customers. Retail, much like health care, has a complicated mix of IT and distributed devices, and credit card data is a lucrative target. No coincidence that, over that same period, the Payment Card Industry Data Security Standards program evolved from PCI 1.0 to PCI 3.1, moving from focusing mostly on reducing risk for the card brands and emphasizing actually protecting cardholders' data. 

John Pescatore: The retail industry has long dealt with loss prevention from a shrinkage point of view - employee theft and shoplifting - as their major security risk because it was a 3% impact on their bottom line - 1.5% due to the actual loss of inventory and 1.5% of revenue being spent on loss prevention to keep shrinkage to 1.5%. That level of security spending didn't work very well when the big brick-and-mortar retailers first grafted on online selling and internet access to in-person sales, and Target was really the first one to feel the pain. After that incident, the retail sector finally started to move on addressing a lot of basic security hygiene issues, along with big improvements on authentication of customers and encryption of sensitive data. 

John Pescatore: I credit much of this progress to what in the Mr. Security Answer Person dictionary is defined as the Target effect. The Target effect - one - something that is produced by using a bullseye as your corporate logo. Example usage - if both your company's name and its logo invite attacks, you might want to avoid the Target effect by at least paying attention to basic security hygiene. Two - a mental or emotional impression produced by the rapid resignation of both the CIO and the CEO, as in - the Target effect has many CISOs wondering if getting LinkedIn requests from the CEO and the CIO is really a good thing. Three - impact of an incident that causes boards of directors to see that compliance does not equate to meaningful reduction in liability. Example - the $500,000 fine from the card brands is a lot smaller than the 300 million in hard costs when we neglected to protect our 70 million customers. 

John Pescatore: In 2015, Anthem, Inc. had a medical data records breach that was about the same size as Target's and cost Anthem, who ended up changing their name, about as much. But there is no health care industry-driven data security standards regime - only creaky, largely-toothless, slow-to-change, government-driven HIPAA. Even more importantly, the Anthem CEO and CIO were not fired. To my knowledge, there were no firings after Anthem's humongous breach. Avoiding the Target effect should be the goal for every vertical. Each industry has unique, hard-to-solve problems, but one truth has spanned all verticals. The cost of dealing with a breach almost invariably exceeds how much it would have cost to avoid, or at least greatly mitigate, the successful attack. To sum it up, attackers will go after anything lucrative and vulnerable. The best way to not be next year's clickbait headline is to be way less vulnerable. That's a much better choice than no longer being a lucrative target. 

Computer-generated Voice #1: Mister. 

Computer-generated Voice #2: Security. 

Computer-generated Voice #3: Answer. 

Computer-generated Voice #4: Person. 

John Pescatore: Thanks for listening. I'm John Pescatore, Mr. Security Answer Person. 

Computer-generated Voice #1: Mister. 

Computer-generated Voice #2: Security. 

Computer-generated Voice #3: Answer. 

Computer-generated Voice #4: Person. 

Dave Bittner: Mr. Security Answer Person with John Pescatore airs the last Tuesday of each month right here on the CyberWire. Send your questions for Mr. Security Answer Person to questions@thecyberwire.com. 

Dave Bittner: Ann Johnson is corporate vice president for security, compliance and identity at Microsoft and host of the "Afternoon Cyber Tea" podcast right here on the CyberWire network. She recently spoke with Dave DeWalt of NightDragon and Jay Leek of both SYN Ventures and ClearSky Security about what's influencing cyber capital investment.

Ann Johnson: You know, it's an interesting time. We talked about that. In the last few years, we've seen venture capital investment in cyber really balloon, and now, experts are reporting economic slowdown. And we're starting to see some signs of slowdown throughout the world, and then it's impacting the venture capital world. So if you could talk to us about the last few years and actually what you're seeing now and how quickly things are changing. Dave, let's start with you. 

Dave DeWalt: Yeah, and I mean, that's a great question, right? I mean, it's kind of the question of the day. You know, I start out and talk a little bit about what I call cyber super cycles - kind of a mouthful, but in the 20 years or so that I've been, you know, sort of monitoring this market segment, you can almost track the cyber industry by the threat cycle. So I call them cyber super cycles because whenever you see a highly elevated threat environment, you typically - right behind the highly elevated threat environment, you see a highly elevated spending environment. Customers spend more, many more threats, and ultimately behind the spending cycle comes the investment cycle.

Ann Johnson: Before we look ahead for a second, can we go all the way back a couple of years? Tell me, as investors, you know, what your thesis was. What made a company attractive to you? Why did you choose to invest in some companies versus others? What type of criteria were you looking at? 

Dave DeWalt: Yeah, I can start, Ann. You know, I've been investing, you know, pretty heavily since 2012. And NightDragon, this is our 10th anniversary here of investing - I think 41 companies now total, you know, probably not near the breadth that Jay has, but, you know, we've been looking at - largely, I look for, at least in the cyber markets, a major threat problem that has yet to be solved. That's one of the reasons I became CEO of FireEye. I mean, at the time - 2012 window - FireEye was a 10 million revenue company, and nobody really heard of an APT. Well, they had, but not by much at that point. But advanced persistent threats became a new vector of attack, especially in which ways that the attacks were coming in. And I was looking for technology that could solve a major threat problem. My largest thesis with NightDragon has been all around that. Where are the biggest threats and risks in the world, and what commercial defense can meet that threat in a way that we could hyperscale it with growth capital to kind of meet the valuation opportunity that's out there?

Ann Johnson: So what advice do you have for founders that are starting this journey? What can they show you when they're doing their, you know, their VC pitch, the shuffle around to try to get dollars? And is it that - and how does someone - and I'm going to ask a little pointy question - how does someone that doesn't have that proven track record - right? - they're a first-time founder or a first-time CEO - how do they actually convince, you know, the firms to invest? Jay, why don't we start this one with you? 

Jay Leek: Yeah. So I mean - for me, it's, are they coachable? Are they giving you lip service to any kind of advice that you may have? Doesn't mean they have to take the advice, but the best first-time founders I've ever worked with, they'll go and actively seek advice from Dave. They'll seek it from me, even though they probably shouldn't talk to me because I'll probably give them bad advice. They'll seek it from, you know, 10 other people, you know, and then they'll bring all that in. They'll synthesize it, make it their own, and come up with the right direction to go, right? And to me, that's like a quality that it's hard to learn that. You know, you can learn it, but it's also - it's in your DNA, you know. But it can break out. Like, I have - we have backed true introvert CEOs that know they're introverts. And so they wake up every day to try to be an extrovert. And they work really hard. They're never going to be your go-to-market CEO, but they can become damn good leaders and build great companies if they surround themselves with the next level that can actually compensate for that.

Dave Bittner: That is Ann Johnson from Microsoft. She is the host of the "Afternoon Cyber Tea" podcast. You can find that right here on the CyberWire network. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.