The CyberWire Daily Podcast 3.14.23
Ep 1779 | 3.14.23

Silicon Valley Bank as phishbait. An “attack superhighway.” Unauthorized software in the workplace. YoroTrooper, a new cyberespionage threat actor. Hacktivists game, too. How crime pays.

Transcript

Dave Bittner: Expect phishing, BEC scams and other social engineering to use Silicon Valley Bank lures. An attack superhighway. Unauthorized software in the workplace. A new cyber-espionage group emerges. Squad up, but not in real life. Ben Yelin unpacks the FBI director's recent admission of purchasing location data. Ann Johnson from "Afternoon Cyber Tea" speaks with Jason Barnett from HCA Healthcare about cyber resilience. And not that you'd consider a life of crime, but what are the gangs paying cybercriminals nowadays?

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 14, 2023.

Expect phishing, BEC scams, and other social engineering to use SVB lures.

Dave Bittner: Security experts are warning that cyber criminals are gearing up to take advantage of the disruption surrounding the collapse and shutdown of Silicon Valley Bank. Johannes Ullrich from the SANS Institute is tracking a spike in newly registered SVB-related domains. It's not clear how many of these domains were created by scammers, but Ullrich expects to see business email compromise attacks taking advantage of the situation for at least three reasons. First, it involves a lot of money. Second, urgency - many companies and individuals employed by companies have questions about how to pay urgent bills. Will my employer be able to make payroll? Is there anything I need to do right now? And third, uncertainty - for many, it isn't clear how to communicate with SVB, what website to use or what emails to expect or where they might come from. Times are unsettled. The failure has spread into surprising corners of the tech economy, and people are worried. The crooks know that. 

An "attack superhighway."

Dave Bittner: Akamai Technologies this morning released its State of the Internet report, titled, "Attack Superhighway: Analyzing Malicious Traffic in DNS," detailing the global spread of malware. Researchers report that about 10 to 16% of organizations have shown potential signs of a breach last year. Key findings of the Akamai report include that 26% of affected devices have attempted to reach out to known initial access brokers' C2 domains, including Emotet-related domains. Attackers are also reported to be using the QSnatch botnet to abuse network-attached storage devices, with 36% of devices affected linked to QSnatch-affiliated C2 domains. The targeting by threat actors of home networks seeks out computers, cell phones and IoT devices, as mobile malware and IoT botnets have been significantly observed. 

Unauthorized software in the workplace.

Dave Bittner: Devo Technology this morning released a study they commissioned from Wakefield Research. It details unauthorized use by security professionals of artificial intelligence tools. The study found that IT security professionals are increasingly dissatisfied with their company's adoption of automation in Security Operations Centers. Ninety-six percent of IT security pros admit to knowing that someone in their organization is using external unauthorized AI tools, with a surprising 80% admitting to the use of those tools themselves. These pros report the use of these unauthorized AI tools because 96% report dissatisfaction with their organization's implementation of automation in the SOC. Forty-two percent of respondents expressed a concern over limited scalability and flexibility currently within their organization's implemented solutions, while 39% reference financial issues such as high costs. These unauthorized tools are reportedly appealing to respondents because of better user interfaces, more specializations and more efficiency. 

A new cyberespionage group emerges.

Dave Bittner: Researchers at Cisco Talos have identified a new threat actor and a new cluster of activity in Eastern Europe and the former Soviet Union. They're calling the group YoroTrooper. And while it appears to be a Russophone group, Cisco Talos thinks the evidence is too ambiguous for clear attribution. 

Dave Bittner: The threat actors, for example, may speak Russian, and there are snippets of the Cyrillic alphabet in some of their implants, but this simply shows linguistic familiarity and doesn't necessarily mean that they're either based in Russia or are Russian nationals. Some of the targets are also Russian speakers, and the victimology, for the most part, consists of countries in the Commonwealth of Independent States, those former Soviet republics that remain on speaking terms with Russia. Attribution remains unclear, but the group will bear watching, especially while fighting continues in Ukraine. 

Squad up (but not IRL).

Dave Bittner: BleepingComputer reports that the Ukrainian game developer GSC Game World, whose S.T.A.L.K.E.R. 2: Heart of Chernobyl has been widely anticipated, has come under cyberattack by Russian hacktivists who claimed to have stolen game-specific material - storylines, images and so on - which they threaten to release unless their demands are met. The hacktivists on the VK channel write that they want GSC to change its attitude towards players from Belarus and Russia, lift the ban on a player who's been booted from the game's Discord channel and permit Russian localization for S.T.A.L.K.E.R. 2. 

Dave Bittner: In short, they're saying don't ruin people's enjoyment of the game due to politics. And of course, by politics they mean Russia's invasion of Ukraine. And a first-person shooter in real life shouldn't interfere with, well, a first-person shooter. The publication Games Industry reports that GSC Game World is hanging tough. GSC states, we've been enduring constant cyberattacks for more than a year now. We've faced blackmail, acts of aggression, hacks, attempts to hurt players and fans and efforts to damage the development process or the reputation of our company. We are a Ukrainian company, and like most Ukrainians, we have experienced many things that are much more terrifying - destroyed houses, ruined lives and the deaths of our loved ones. Attempts to blackmail or intimidate us are completely futile. This may be a case of actual spontaneous hacktivism. Sure, it's patriotic in the Russian sense of the term, but this particular crew may be freelancers who want their games, as opposed to semi-disciplined auxiliaries of the intelligence and security organs. 

What are gangs paying cyber criminals, nowadays?

Dave Bittner: And finally, how well does crime pay nowadays? Not that you're in that particular job market, but it's worth keeping an eye on. IBM's Security Intelligence takes a quick look at the cyber underworld and finds that the criminal labor market resembles the legitimate labor market in a number of respects. A criminal career can be well compensated, with some gangs offering around $240,000 a year to applicants looking for a career betraying trust, exploiting their fellow human beings, preying on the innocent and gullible and so on. To get hired, you have to pass certain screens. Test assignments account for the majority of the hiring decision, your CV and portfolio for just over a third and, finally, the interview itself. Benefits often include flexible hours, the possibility of remote work, paid sick leave and - our favorite - a welcoming work environment. We hesitate to think of what might count in this context as a welcoming work environment - maybe snacks and games in the office. We'd imagine there'd be a lot of potluck meals. Maybe everybody signs a birthday card, stuff like that. Foosball and Aeron chairs seem so dot-com boomer-ish. At any rate, we'll pass. Thanks. 

Dave Bittner: Coming up after the break, Ben Yelin unpacks the FBI director's recent admission of purchasing location data. Ann Johnson from "Afternoon Cyber Tea" speaks with Jason Barnett from HCA Healthcare about cyber resilience. 

Dave Bittner: Ann Johnson is a senior executive at Microsoft and host of the "Afternoon Cyber Tea" podcast. In a recent episode, she spoke with Jason Barnett from HCA Healthcare about cyber resilience. Here's an excerpt from that conversation. 

(SOUNDBITE OF ARCHIVED BROADCAST) 

Ann Johnson: On today's episode of "Afternoon Cyber Tea," I'm going to have a really important conversation about cybersecurity in the health care industry with chief security officer of HCA Healthcare, Jason Barnett. Jason has spent more than 20 years in the technology field with a primary focus on security operations, threat detection and response. As the chief security officer of HCA Healthcare, Jason leads a team and programs for cybersecurity, privacy, identity engagement, business resolutions and physical security. Welcome to "Afternoon Cyber Tea," Jason. I'm thrilled to have you on the program today. 

Jason Barnett: Likewise, Ann. I'm very happy to be here. Thank you for having me today. 

Ann Johnson: So starting at the industry level, Jason, I would love to get your point of view on some of the challenges leaders in health care are facing when it comes to cyber. What's unique about the challenges? Have they mostly stayed the same over the past few years, or are they evolving? 

Jason Barnett: They're absolutely evolving, and the impact is increasing as well. I mentioned earlier, you know, as the average - as our adversaries mature and evolve, their reach has gotten broader. And as a result, more areas of the business are impacted. So no longer are the days that somebody clicks on something and it affects the local PC that a user is operating on. Today if somebody clicks on the wrong thing, you can have an operational incident across an entire enterprise, affecting all of your applications, affecting all lines of business, and you find yourself in a position of having to reassemble that. So I think that's consistent from industry to industry in terms of what the impacts are. 

Jason Barnett: Oftentimes, health care is reputed as being behind the technology curve or the immature industries on the technology curve. To whatever degree that's a correct statement, regardless of what side of that argument you fall on, health care is becoming more dependent on technology, both in terms of how care is delivered. Technology is used in how decisions are made. Technology is used more heavily in processing payments and claims. It's touching every aspect of the health care business. So as I mentioned, as the adversary has evolved, their impact has expanded. It's forced us to expand as a security team, but at the same time understand each component of our business so that we can have a good conversation. 

Ann Johnson: I'd love to paint a picture of HCA for our audience. HCA is a leading health network. And as I mentioned, you have 180 hospitals. You have 1,200 plus care sites in 20 states in the U.S. as well as in the U.K. And you have more than 260,000 employees or associates, who are all focused on your commitment to delivering health and also to improving human life. This size, this scale - the complexity is simply astounding. There aren't a lot of organizations that are at this scale. So how do you start, and how do you lead a security program, and how do you focus at such scale? 

Jason Barnett: It's a big question. I believe that no security program can be successful if it's enclosed unto itself. No security group by itself can effectively secure an organization. Rather, what they accomplish is because of the partnerships that they've effectively built across the company. Our organization has several hundred people in it, but even on their best days they can't accomplish what they're able to accomplish without the partnerships that they've built across the company. My security program, our security organization here, is not a part of the IT organization, but we have an amazing working partnership with that organization. And I can give you an easy example of how that partnership has paid off. 

Jason Barnett: In the early years, most of our threat and vulnerability management work was all due to poor hygiene of systems - systems maintenance, systems management, poor change management. As we've worked with our IT organization, as they have had goals to grow and improve uptimes and manage availability, we've also been able to influence how they patch, how they maintain systems, how they operate systems, how they follow change control, how they tend to asset management and how all of those things that, at one point, were a lower priority, improve the overall security posture of the company. 

Dave Bittner: That's Ann Johnson from "Afternoon Cyber Tea," along with her guest, Jason Barnett from HCA Healthcare. The "Afternoon Cyber Tea" podcast is part of the CyberWire Network. You can find it wherever you find your podcasts. 

Dave Bittner: And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security, and also my co-host over on the "Caveat" podcast. Ben, welcome back. 

Ben Yelin: Good to be with you, Dave. 

Dave Bittner: This article from WIRED caught my eye. It's an article written by Dell Cameron. And it's titled, "The FBI Just Admitted It Bought U.S. Location Data." What's going on here, Ben? 

Ben Yelin: There was a Senate hearing recently in which the head of the Federal Bureau of Investigation, Christopher Wray, testified, and he was asked directly by U.S. Senator Ron Wyden, who was a digital privacy advocate, whether the FBI has purchased U.S. phone geolocation information and other U.S. location information from private companies. And Mr. Wray, in giving kind of a Bill Clinton-esque answer... 

(LAUGHTER) 

Ben Yelin: ...Said that the - and I'll try to explain that in a moment... 

Dave Bittner: (Laughter). 

Ben Yelin: ...He said that the agency has done so in the past as part of a pilot program for national security. But to his knowledge, it is not something that the FBI currently does. They go through, in his words, a court-approved process. Now, whether that means that they are obtaining warrants to get this location-based information or some other judicial process like an administrative subpoena, that's unclear. But I guess what Chris Wray was saying here - and the parlance of Bill Clinton was, it depends on what the meaning of is is... 

Dave Bittner: Yeah (laughter). 

Ben Yelin: ...Because it's unclear whether the bureau is still collecting this data. The reason that this is relevant is that there was a 2018 U.S. Supreme Court decision, Carpenter v. United States, which held that the government needed to obtain a warrant if it was to collect location data - so historical cell site location information. There's a question as to whether that Supreme Court decision extends to data that is purchased from private companies because, in that case, it's not the government compelling companies to hand over data under some sort of legal penalty. It is simply giving certain private entities money so that they can have access to that data. And now we know for the first time - it's no longer just a rumor - that the FBI has at least done that in the past. So I think that's what was particularly eye-opening about this hearing. 

Dave Bittner: Huh. Yeah, it reminds me of - I have friends with security clearances, you know? I remember when the Snowden revelations came out, and, you know, you and I and everyone else were reading about things in The New York Times, right? And our friends with security clearances were not allowed to read those things in The New York Times because technically they were still classified. 

Ben Yelin: Right. Right. 

Dave Bittner: Right? So it's like one of those weird workarounds that seems nonsensical, but here we are. 

Ben Yelin: Yeah. I mean, I think that's a pretty good metaphor for what's going on here. I think the question is - are senators and members of Congress going to use their powers to try and get more information about the extent of this practice? From whom were they purchasing the data? Was this just for a national security pilot program, or has this been done more broadly? And then, beyond the FBI, which other federal agencies are similarly purchasing privately held location data? 'Cause there have been allegations that agencies from the Department of Homeland Security to the Department of Treasury have been engaged in this practice, so I think there might be bipartisan support in Congress to look into this question a little more fully. And now they have the ammunition since Director Wray has admitted under oath that this is something that the FBI has done in the past. 

Ben Yelin: There is a policy attorney at Demand Progress, a nonprofit focused on these issues - national security and privacy reform - who says that the FBI needs to be more forthcoming. The public needs to know who gave the go-ahead for this purchase, why, and what other agencies have done or are trying to do the same. In terms of future congressional action, there have been bills introduced, I think, in every session of Congress, going back a decade or so, to prohibit this type of data purchasing, but that legislation has thus far not succeeded. So I think it would start with an investigation. And then, over the long term, if there's something that - if this is something that Congress really finds objectionable, they can ban this practice. And I think that's something that we would have to look out for in the future. 

Dave Bittner: Is law enforcement saying, why tie our hands with this sort of thing? I mean, if this information is being gathered, and the - you know, the local burger joint down the street can buy location data for marketing purposes, why can't we use it for law enforcement? I guess part of the response would be that the burger joint down the street doesn't have people with guns. 

Ben Yelin: Right. 

Dave Bittner: (Laughter) Right. 

Ben Yelin: They can't lock - the burger joint can't lock you up, Hamburglar notwithstanding. 

Dave Bittner: Right. Right (laughter). 

Ben Yelin: I mean, I do think that's - it's a reasonable point for these federal agencies to make, is that... 

Dave Bittner: Yeah. 

Ben Yelin: ...This is data that is available on the open market. It's not like, you know, they're going on the dark web to steal this data somewhere. I mean, it's - if you have money, you can have it. 

Dave Bittner: Yeah. 

Ben Yelin: And so why, as a federal agency, can we not purchase this data? I think the reason would be that, just as you say, they are a government with guns and enforcement power and the ability to lock people up. And so the consequences of them obtaining this data is much more severe than any private company, and that's where Congress could really step in and say it's not advantageous from a policy perspective to allow federal agencies to have this authority. 

Dave Bittner: Yeah. All right. Well, again, the article is from WIRED, written by Dell Cameron. It's titled, "The FBI Just Admitted It Bought U.S. Location Data." Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.