CyberWire Daily - A look at some threats to ICS endpoints. EternalBlue remains a problem. US preparing attribution of the Microsoft Exchange Server hack. DoubleVPN seized. An arrest in the Gozi case.

Episode Date: June 30, 2021

A report on threats to industrial control systems is out, and it focuses on ransomware, coinjacking, and legacy malware. EternalBlue remains a problem. The US is preparing a formal attribution in the case of the Microsoft Exchange Server campaign. An international police operation has taken down DoubleVPN, and the authorities seem pretty pleased with their work. Joe Carrigan examines vulnerabilities in systems from Dell. Our guest is Vikram Thakur from Symantec on Multi-Factor Authentication evasion. And the guy who allegedly provided the Gozi banking malware with its bulletproof hosting has been collared in Bogota. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/125 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. A report on threats to industrial control systems is out, and it focuses on ransomware, coinjacking, and legacy malware. EternalBlue remains a problem. The U.S. is preparing a formal attribution in the case of the Microsoft Exchange server campaign.
Starting point is 00:02:16 An international police operation has taken down DoubleVPN, and the authorities seem pretty pleased with their work. Joe Carrigan examines vulnerabilities in systems from Dell. Our guest is Vikram Thakur from Symantec on multi-factor authentication evasion. And the guy who allegedly provided the Gozi banking malware with its bulletproof hosting has been collared in Bogota. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 30th, 2021. Trend Micro this morning released a study of ransomware's growing infestation of industrial control systems.
Starting point is 00:03:22 Ryuk, Nefilim, Sodinokibi, and LockBit variants accounted for a majority of the incidents Trend Micro investigated. The researchers wrote, quote, ransomware in ICS could lead to loss of view and control of physical processes, since such attacks encrypt a variety of files, including image and configuration files, that are necessary for rendering the interface. This in turn leads to loss of revenue due to disrupted operations. Victims could also lose money from extortion schemes, as more ransomware operators also threaten to publicize stolen data. End quote. Their report led with ransomware, which seems right, given the current prominence that particular kind of threat has now,
Starting point is 00:03:59 but they also discussed coin miners. These can have a bad effect on the operation of ICS endpoints, rendering them slow and unresponsive, particularly when those endpoints are running old operating systems or have limited CPU capacity. Both of these conditions are common enough in ICS environments. Trend Micro also discusses the effect legacy malware like Conficker can continue to have on industrial control systems. A lot of that legacy malware is propagated via removable media. Industrial countries are infected in different ways and at different rates. China is the leading sufferer of legacy malware.
Starting point is 00:04:40 The U.S. has to put up with the highest rates of ransomware infections. And India is the unfortunate leader in the tally of coin-jacking victims. Trend Micro's recommendations will surprise few, but they're good advice nonetheless. Patch systems with security updates. A lot of the infestations they observed found their way in through EternalBlue exploits. There are fixes for that. Implement micro-segmentation in the network or use virtual patching technologies. Restrict network shares and enforce strong username and password combinations. Use intrusion detection systems and intrusion
Starting point is 00:05:17 prevention systems. Install anti-malware solutions. These are particularly useful in controlling legacy malware. Set up USB scanning kiosks and get people to use them before they plug removable media into a network. Apply the principle of least privilege. Consider regional differences in security awareness and implementation. This is especially important for multinationals. And identify and audit systems with low risk tolerance. Also this morning, Guardicore issued an update on the Indexsinas SMB worm, also known as NSABuffMiner. The worm has been in use since 2019 and recently has been most active
Starting point is 00:06:00 against targets in the healthcare, hospitality, education, and telecommunications sectors. The victims use SMB servers vulnerable to EternalBlue, and the campaign makes massive use of the Equation Group exploit kit that includes both the EternalBlue exploit and the DoublePulsar backdoor. The U.S. government expects to issue a formal attribution of Microsoft Exchange server hacks in the coming weeks, Deputy National Security Advisor for Cyber Anne Neuberger said yesterday, The Hill reports. Microsoft announced the discovery of that campaign back in March, and Redmond was quick to attribute the hostile activity to Hafnium, a Chinese government-run threat actor.
Starting point is 00:06:44 Neither Neuberger nor other U.S. officials have tipped their hand on attribution, but if you're betting on form, there's a pretty good chance Microsoft has this one right. Straight up, it was the Chinese services. DoubleVPN, a service based in Russia that catered to cybercriminals by helping them obscure both their physical location and originating IP address, was taken down yesterday in an international law enforcement operation, BleepingComputer reports. As its name suggests, DoubleVPN double-encrypted, at least, data that transited its service. The takedown notice on what's left of DoubleVPN.com says, quote, On 29th of June 2021, law enforcement took down DoubleVPN. Law enforcement gained
Starting point is 00:07:33 access to the servers of DoubleVPN and seized personal information, logs, and statistics kept by DoubleVPN about all of its customers. DoubleVPN's owners failed to provide the services they promised. International law enforcement continues to work collectively against facilitators of cybercrime, wherever and however it is committed. The investigation regarding customer data of this network will continue. End quote.
Starting point is 00:07:59 Britain's NCA, which credited the Netherlands with leading the effort, tweeted about the DoubleVPN action, characterizing it as extremely significant, adding that not only have we successfully effected the takedown of DoubleVPN, but it is the first time law enforcement has been able to take direct action against a criminal enabling service of this type. Europol, in particular, isn't just tweeting, it's crowing large over the operation, with a hand emoji waving in triumph that, quote, the golden age of criminal VPNs is over. And in another law enforcement action, Colombian authorities have arrested the alleged distributor
Starting point is 00:08:55 of the Gozi virus, The Washington Post reports. Mihai Ionut Paunescu was taken into custody as he was passing through the airport in Bogota. He faces the prospect of extradition to New York, where U.S. authorities intend to try him for computer intrusion and bank fraud. Gozi infected computers in at least eight countries, the United States, Germany, Finland, and the United Kingdom among them, and both individuals and organizations were affected. Mr. Paunescu is the
Starting point is 00:09:27 third person the U.S. has pursued for their roles in Gozi. Nikita Kuzmin, a Russian national and creator of the Gozi virus, was arrested in the U.S. in November 2010. He took a guilty plea in May of 2011. Deniss Calovskis, who went by the hacker name Miami, a Latvian national who improved Gozi's code, was arrested in Latvia, and in January 2016, he was sentenced in the U.S. to the 21 months he'd served while awaiting trial. Mr. Paunescu's alleged role in the criminal activity was different from those played by Mr. Kuzmin and Mr. Calovskis. They coded. He provided the bulletproof hosting service used to distribute Gozi and other malware. Mr. Paunescu, who went by the hacker name Virus, was arrested in 2012 by Romanian authorities but
Starting point is 00:10:19 was able to escape extradition to the U.S. His luck ran out this week. A pro tip to those on the lam, plan your vacations with the possibility of extradition in mind. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done
Starting point is 00:11:22 five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:12:12 In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Recent high-profile incidents like SolarWinds and the Microsoft Exchange server attacks have highlighted the fact that in response to multi-factor authentication establishing itself as a basic security standard, adversaries are pivoting to methods capable of bypassing it. Vikram Thakur is technical director at Symantec, and he offers these insights. Over the past, I want to say, at least 10 years,
Starting point is 00:13:01 we've been seeing attackers trying to go after different types of high value accounts, different types of information that might be stored in organizations, which are of extremely high value, but they've been protected using multi-factor authentication, which just means that, hey, even after you get onto the network or even after you gain access to an account, you still need that little second token or you need that second password in order to gain access to the information that you need. And so what have we seen from the attackers then? How have they adjusted their methods to try to get around this? So we've seen a variety of techniques that attackers have used in the past, and I can go back 10 years. In fact, in 2011, in the month of March,
Starting point is 00:13:55 we probably saw one of the biggest attacks on this two-factor authentication, probably till date, where the attacker, what they wanted to do was they wanted to gain access to some very critical defense-related information in the Western world, but they realized that the organizations were using a two-factor authentication mechanism which was provided by a company called RSA. So the attackers then
Starting point is 00:14:28 said, well, instead of us trying to somehow circumvent the two-factor authentication, why don't we go and hack into RSA and try to see if we can somehow steal some secrets from there that'll help us enable getting into the defense information that they truly wanted to. And they were successful. They hacked into RSA. It's a public piece of information that you can see from 2011. They got in, they were able to steal secrets related to the two-factor authentication, and then make use of it in order to get the data that they wanted. So that's been going on for at least 10 years. The latest attempts that we see is somehow the attackers are getting onto the servers that are managing two-factor authentication, or they're managing a service that they truly want to get access to.
Starting point is 00:15:24 And that machine itself may not be guarded by two-factor authentication. So as an example, while people might have two-factor authentication enabled on their email accounts, the attackers found a way to not bother going after email accounts as much as they just went and hacked into the email server itself. So they get into a network and they found a vulnerability which enabled them to get onto the email server. And once on there,
Starting point is 00:15:54 they found a way to just access any user's mailbox without even requiring the two-factor authentication. So that's just an example of how these attackers are trying to go around the requirement for two-factor authentication. But it doesn't take away from the fact that two-factor authentication is extremely useful, and it is efficient, and it does the job, because it's forcing the attackers to try really, really hard.
Starting point is 00:16:25 And the attackers have realized that they cannot seem to somehow crack into that method of two-factor authentication. So it's forcing them to go around it and try to find weaknesses in the systems that might be using two-factor authentication. That's Vikram Thakur from Symantec. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
Starting point is 00:17:02 That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast. Hello, Joe.
Starting point is 00:17:55 Hi, Dave. So some interesting research from the folks over at Eclypsium caught my eye. They have discovered some vulnerabilities that are affecting some Dell computers. Correct. What's going on here? It's affecting 129 models of Dell computers. That's a lot of computers. It goes back very far. These are vulnerabilities in the BIOS. And BIOS stands for Basic Input Output System, I believe, if my memory serves. It's been around a long time. It's been around.
Starting point is 00:18:26 Yeah. It's the very first thing. When you turn on, I don't even know if, actually, nowadays, you don't even see it, but when you used to turn on your computers, you'd see the BIOS come online very quickly. Right. It's essentially an embedded system in your computer that starts everything up. Yeah. Right?
Starting point is 00:18:40 But it's still just software. And Dell has this product called BIOSConnect that allows a computer in BIOS to phone home to Dell for support purposes. So like to get firmware updates and things like that. Exactly, or if you've lost your operating system and you can't get it to boot or something's missing, you can actually still get this thing to connect to the Dell servers in BIOS
Starting point is 00:19:03 because that's always going to be there. Okay, sounds like a good thing in theory. Yeah, it is a good thing in theory. It would be a great thing in theory if it was done right. Yeah. But what's happened here is the first vulnerability that Eclypsium found is a problem with TLS certificates. And TLS is transport layer security. It's how the internet works. But this software is written in C code, right, at a very low level. So getting that TLS handshake correct is important. And Dell didn't do that here. In fact, this system, if you have a privileged
Starting point is 00:19:43 network attacker on the network, and they can intercept like a DNS call out to the Google DNS server of 8.8.8.8. I'm getting too technical. They can intercept the communication, right? And then impersonate Dell and hand back any readily available, freely available TLS certificate, and the software in the BIOS will accept that and say, okay, you're Dell. Oh. Right? So any certificate at all, the software says we're good here. As long as it's not self-signed.
Starting point is 00:20:13 It has to be from a certificate authority that's in the – but those are not hard to come by. I see. You can actually get one anywhere. Yeah. So if you're on the network, if the malicious actor is on the network, they can intercept the traffic, they can feed back some bogus certificate, and the service on the computer will then trust the attacker.
Starting point is 00:20:35 And then the attacker can exploit one of three buffer overflow vulnerabilities that were also found in the software. That was your uncle. Right. Exactly. And that allows arbitrary code execution. There's even one that allows arbitrary code execution in BIOS. So they could completely replace the BIOS of your machine and...
Starting point is 00:20:56 Bob's really your uncle. Yeah, Bob's really your uncle. Now you're hosed, right? Right. I mean, it may be to the point where you might have to just throw the motherboard away, right? Wow. It's, you know, because you can never trust it again. Yeah.
Starting point is 00:21:08 So where are we with this? Dell has responded? Dell has responded. Eclypsium is not releasing all the technical details until DEF CON, which is in August. They're going to do demos and put everything out there. Dell has already patched two of the vulnerabilities, and they say they're going to patch the other two in July. So it's time to update your BIOS. But one of the things that Eclypsium says is update your BIOS manually.
Starting point is 00:21:36 Right. Right. Don't trust the tool. Right. Yeah. Oh, how ironic. Yeah, and verify the hashes that are available on a Dell site. So go out to Dell, download the patches, verify the hashes.
Starting point is 00:21:50 That's a lot easier to do now on Windows machines with PowerShell. You can just Google how to verify hashes. You don't have to download a tool anymore like you used to. And you can then run the BIOS update application from the operating system, and that will update the BIOS. Okay. So it's pretty easy to do. Just get it done, and get it done before August,
Starting point is 00:22:13 because once this stuff is disclosed to DEF CON, it's going to be out there in the wild. Right. So go check out to see if you have a Dell machine. Go check out to see if it's vulnerable to this. And if so, put your plan into action. That's right. All right. All right.
Starting point is 00:22:31 Well, Joe Carrigan, thanks for joining us. My pleasure. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky,
Starting point is 00:23:16 Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
