CyberWire Daily - Apparent ransomware disrupts Italian vaccine scheduling system. Cyberespionage compromised Southeast Asian telcos. RAT and phishing in the wild. Cybercriminals explain themselves.

Episode Date: August 3, 2021

An apparent ransomware attack hits Italy’s online vaccine-scheduling service. A Chinese cyberespionage campaign hits Southeast Asian telcos en route to high-value targets. Some strategic context for Beijing’s espionage. FatalRAT is spreading by Telegram. Crafty phishing spoofs SharePoint. Joe Carrigan has thoughts on HP's latest Threat Insights Report. Our guest is Marc Gaffan of Hysolate who reveals the “Enterprise Security Paradox”. Plus, Conversations with BlackMatter, and a look at the inside of ransomware negotiations. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/148 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. An apparent ransomware attack hits Italy's online vaccine scheduling service. A Chinese cyber espionage campaign hits Southeast Asian telcos en route to high-value targets. Some strategic context for Beijing's espionage. FatalRAT is spreading by Telegram.
Starting point is 00:02:17 Crafty phishing spoofs SharePoint. Joe Carrigan has thoughts on HP's latest Threat Insights report. Our guest is Marc Gaffan of Hysolate, who reveals the enterprise security paradox, plus conversations with BlackMatter and a look at the inside of ransomware negotiations. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, August 3rd, 2021. A cyber attack on Sunday took down COVID-19 scheduling capabilities in the Italian region of Lazio. CNN reports that local authorities say they'd received a general, non-specific ransom demand. Accounts are confusing, but it appears that the incident was a ransomware attack.
Starting point is 00:03:22 Sources told CNN that the attackers used a CryptoLocker malware that encrypted the data on the system, but that's not necessarily CryptoLocker with a capital C, and the story is still developing. ZDNet says that officials describe the attack as both of a criminal nature and terrorism, which aren't, of course, strictly speaking, mutually exclusive. Italian authorities have offered assurances that those who've already scheduled their
Starting point is 00:03:50 vaccination should expect to be able to receive it on schedule. Criminal willingness to hit healthcare administration systems should be borne in mind when evaluating the pious and high-minded Robin Hoodisms of the promised restraint so many of these gangs are offering nowadays. We'll return to this later. Security firm Cyber Reason this morning described a major cyber espionage campaign against Southeast Asian telecommunications providers in five unnamed countries. The researchers identified three clusters of activity run by SoftCell, Nacon, and possibly Emissary Panda. Cyber Reason says, quote, based on our analysis,
Starting point is 00:04:33 we assess that the goal of the attackers behind these intrusions was to gain and maintain continuous access to telecommunications providers and to facilitate cyber espionage by collecting sensitive information, compromising high-profile business assets such as the billing servers that contain call detail record data, as well as key network components such as domain controllers, web servers, and Microsoft Exchange servers. A quick disclaimer, Microsoft is a sponsor of the Cyber Wire. Compromising the telecommunications firms was a means to an end and not an end in itself. The operators exploited Microsoft Exchange vulnerabilities against telcos with a view to facilitating espionage against other high-value targets.
Starting point is 00:05:19 Quote, these targets are likely to include corporations, political figures, government officials, law enforcement agencies, political activists, and dissident factions of interest to the Chinese government. The approach, the tactics, techniques, and procedures employed resembled the operation the Chinese government-sponsored threat group Hafnium used in an operation Microsoft and the U.S. government called out earlier this year. A webinar this morning, hosted by Recorded Future's The Record, featured a conversation with one of the company's Insikt Group researchers who specializes in China. In addition to pointing out the value of open-source intelligence, the conversation was interesting for the perspective it offered on the national strategy which China's espionage programs serve. The Chinese Communist Party exhibits an affinity for progressive authoritarian regimes, Venezuela presenting a western hemispheric example. Furtherance of economic and political
Starting point is 00:06:17 dominance is the overarching goal, and this plays out in what the Insikt Group characterized as colonialist ways. Countering that national strategy would require effective Western competition, and that competition will have to offer value. Simply offering better security won't cut it. Price tends to trump security, especially in the developing world. The discussion also offered some interesting perspective on what counts as smart city technology from the point of view of both Beijing and its customers, especially customers in Africa. If you thought it meant efficient management of power grids, energy consumption in buildings,
Starting point is 00:06:57 nicely synchronized traffic lights, as we admit we more or less did, well, you thought wrong. Smart city technology means automated street surveillance with facial recognition, comprehensive interception of communications traffic, and censorship tech. These are attractive to authoritarian governments of all stripes, including, inter alia, the progressive authoritarians the Chinese Communist Party finds simpatico. And best of all, in the customer's eyes, all that technology of social control has been proven in China itself. AT&T Alien Labs has published a report on FatalRAT,
Starting point is 00:07:36 which, as its name suggests, is a remote-access trojan. Fatal Rat has recently spread through Telegram. Its capabilities include evasion, system persistence, key logging, collection of system information, and exfiltrating data via encrypted command and control channels. Alien Labs says it's collected a range of Fatal Rat samples over the last few months. Activity dipped a bit during July, but the researchers don't intend to relax their vigilance yet. Microsoft warns of an unusually crafty phishing campaign currently in progress. The emails use legitimate-looking original sender email addresses,
Starting point is 00:08:17 spoofed display sender addresses that contain the target usernames and domains, and display names that mimic legitimate services to try and slip through email filters. ZDNet reports that, quote, the phishing group is using Microsoft SharePoint in the display name to entice victims to click the link. The email poses as a file share request to access bogus staff reports, bonuses, price books, and other content hosted in a supposed It also contains a link that navigates to the phishing page and plenty of Microsoft branding. End quote. Security firm Recorded Future talked with someone claiming to represent Black Matter, the presumptive ransomware successor to Areval and DarkSide.
Starting point is 00:09:06 The BlackMatter spokesperson represents his gang as having learned from REvil, DarkSide, and for that matter LockBit, but doesn't claim to be any or all of these groups rebranded or reconstituted. It's just a matter of learning from the best, says they. BlackMatter attributes its predecessor's occultation to the geopolitical situation. Quote, Yes, we believe that to a large extent their exit from the market was associated with the geopolitical situation on the world stage. First of all, this is the fear of the United States and its planning of offensive cyber operations, as well as a bilateral working group on cyber extortion. We are monitoring the political situation
Starting point is 00:09:46 as well as receiving information from other sources. When designing our infrastructure, we took into account all these factors and we can say that we can withstand the offensive cyber capabilities of the United States. For how long? Time will tell. For now, we are focusing on long-term work. We also moderate the targets and will not allow our project to be used to encrypt critical infrastructure,
Starting point is 00:10:10 which will attract unwanted attention to us. End quote. The gang is hiring. They want only experienced, capable coders. Script kiddies need not apply. They also say it's fairly easy to set up an affiliate program. So why do they do what they do? They're just hardworking patriots and family men. The rep said, quote, we believe in our motherland, we love our families, and we earn money for our
Starting point is 00:10:37 children, end quote. They don't deny that their business is destructive, but at least it's a creative destruction. Quote, if we look deeper, as a result of these problems, new technologies are developed and created. If everything was good everywhere, there would be no room for new development. End quote. In extenuation and mitigation, the spokesperson claims that the gang doesn't harm individuals, only companies that can afford to pay and have the ability to restore their data. At least they don't go full Robin Hood. Their restraint is a matter of calculated ROI and marketing, especially marketing designed to keep them out of law enforcement's crosshairs. Bear in mind that these are reports of criminals,
Starting point is 00:11:23 not generally truth-tellers. The Daily Beast has an interesting account of some negotiations between ransomware gangs and their victims. If you've wondered, as we have, why you should credit a gang's assurances that they'll delete the data they stole from you, apparently the answer rests on the hope that self-interest will move the gang to do so. FireEye's Dave Wong told the Daily Beast, I think the reality is nobody trusts a criminal, but what you're trusting is their greed, and that if an organization like Conti expects people to pay them in the future,
Starting point is 00:11:58 they're going to follow through with what they said they're going to do. But it still makes you nervous. It certainly would. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist, Vanta brings automation to evidence collection across 30 frameworks,
Starting point is 00:12:48 like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:13:42 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Mark Gaffin is CEO at HySolate, a provider of isolated virtual environment workspace technology. His team recently published research outlining what they describe as the enterprise security paradox, what they describe as the enterprise security paradox, the notion that enterprise leaders want both an increase in IT freedom and more IT restrictions placed on employees. The main thing that stood out to us is this paradox. Essentially, when we interviewed both IT and security professionals, 87% of the audience essentially said to us that they need to increase IT freedom
Starting point is 00:14:49 for employees working from anywhere. So almost nine out of 10 IT or security professionals believe that more freedom is required. But on the flip side of that, 79% told us that they also need more IT restrictions to be imposed on employees, which essentially are contradicting metrics. What was even more important, or not even more important, but this dissonance was even more pronounced within the security community. So we interviewed both IT folks and security folks. Within the security segment, it was even more pronounced. 96% of security professionals said to us that we need to increase employee IT freedom. And 90% of them told us
Starting point is 00:15:38 that we need to also impose more restrictions, which is really trying to eat your cake and have a tooth. So what do you take away from this? I mean, how do we solve the tension that we see here in these survey results? So that's a very good question. Obviously, this is quite a paradox or a dissonance and the way we've been able to essentially resolve it is, you know, this is essentially the holy grail from a security perspective. You know, security professionals are typically the ones in an organization that are imposing more hurdles
Starting point is 00:16:14 or restricting employees from doing certain things. Security is an unnecessary evil, but it's required. It's required today more than ever. And at the end of the day, many employees in an organization are feeling some of the pains of the security restrictions. I mean, security is a challenge everywhere. We've changed our model of employment to an extent that so many people are working now remotely. Everyone's concerned about levels of productivity. It's definitely under a magnifying glass.
Starting point is 00:16:52 And therefore, the question about how much is IT inhibiting productivity is definitely a significant question that lots of security and IT guys are trying to address these days. And so what are your recommendations for folks who are trying to strike the right balance here? Yeah, so there's different approaches that organizations can take. And I think one of the biggest challenges that we're facing is the fact that we're using one device today, so typically our laptop, to do different types of activities. We use the same device to browse the web, potentially to do even some personal browsing. We use the same device to open up emails, to access corporate systems. Some of these could be sensitive systems. These could have access to sensitive data.
Starting point is 00:17:32 We're mixing essentially a very broad bag or a mixed bag of activities in the same environment. What typically you would like to do is compartmentalize the environments you have on your PC into different areas. And you can say the environments you have on your PC into different areas. And you could say, from this area on your PC, from this isolated environment on your PC, this is where you touch all the most sensitive tasks. These could be productions environments in an IT shop. This could be the financial systems in a bank. These could be the sensitive data rooms in a financial institution or in a law firm or in an accounting company. And you use another environment or another zone or operating system on your device to do the other things, the more riskier things like browse the
Starting point is 00:18:19 web and maybe open up email attachments, essentially splitting up your device into multiple components in which you can optimize the security and the functionality in each of those environments and really strike the right balance between A, giving people what they need in terms of capabilities so that they can do all the things that they do. But on the other hand, they're not compromising security because they're doing the right types of activities in the right types of environments with the right appropriate or the appropriate security measures in each of those areas on their endpoint. You know, I think one thing that we're seeing as well is the amount of frustration that's building within, you know, within large enterprises around the challenges that employees are seeing. around the challenges that employees are seeing.
Starting point is 00:19:10 And I think that one of the agendas now within CIOs and even CISOs, the security chiefs, is how do we alleviate some of that frustration? That's Marc Gaffan from Hysolate. Thank you. worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast. Hello, Joe. Hi, Dave.
Starting point is 00:20:27 Interesting report came from the folks over at HP. Yep. It was their latest version of their Threat Insights report, and there's some pretty remarkable stuff in here. Let's go through this together, Joe. Right. Well, a lot of bullet points in here that are worth noting. First, and the biggest one,
Starting point is 00:20:48 is cyber criminal collaboration is opening the door to bigger attacks against victims. What they're talking about here is there is a lot more collaboration between these groups of actors. And some of these organized crime organizations are becoming much more powerful, and they are more
Starting point is 00:21:04 readily affiliating themselves with low-level organized crime organizations are becoming much more powerful and they are more readily affiliating themselves with low-level actors. So what that's doing is it's raising the threat level for everybody. So now these low-level actors have tools that are really sophisticated thanks to these criminal organizations. So the organized crime is getting even more organized. Right. And growing. I mean, it's not anything we wouldn't expect, but it is happening and that's important to note. There's one thing that says information stealers are actually being used to deliver more malware.
Starting point is 00:21:34 So once you have a backdoor inside of somebody's system, people are selling that access. And then other people are, once they buy that access, are installing more bad stuff on your network. So the volume of stuff they're putting on a system when they have the opportunity is going up. Yeah, absolutely. And there's more people with that opportunity. Once you're compromised, it looks like, you're compromised multiple times. It's a bad situation. There is a VBS campaign, Visual Basic Script, that is targeting business executives. So it's a multi-phase campaign
Starting point is 00:22:07 that uses malicious zip attachments named after the executives it's targeting. And it employs a stealthy downloader before using legitimate sysadmin tools to just live off the land. And then the final thing in the notable threats section is that there's this resume-themed attack that makes use of an old Microsoft exploit or vulnerability that's out there. People are sending in resumes to HR departments, and these malicious documents, these resumes are malicious, and they're installing a remote access Trojan to gain backdoor access to the affected computers. Yeah. One of the things that caught my eye was they pointed out when it comes to email phishing lures, that phishing lures mentioning COVID-19 made up less than 1%, dropping by 77% from the end of 2020 to 2021. Well, we're not thinking about COVID-19 anymore, Dave. That's why. It's not top of mind. We've moved on to the next big thing. Exactly. And right now they're focusing on business transactions, which is, you can read
Starting point is 00:23:10 this as business as usual, right? Rest assured, when the next crisis happens, those will become the key phishing lures, whatever it is. Other interesting stats are that 75% of malware that HP detected was delivered via email and the other 25% via some internet download. I think it's interesting that 75% is delivered via email. I don't know how you motivate people to go to the web browsers. They really don't, to get the download, but I imagine a good portion of that is also email,
Starting point is 00:23:38 but there's also other, you know, there's a myriad of ways you can convince people to go to a website. Right. And I don't know how, or or if HP tracked that during this study. But it's amazing to me that 75% of malware is still coming through email. Yeah. It's also, email's terrible.
Starting point is 00:23:56 We need a new solution. It works, right? Right. And they use email because it works. Right, exactly. Yeah. And we use it because it works. Yeah.
Starting point is 00:24:04 The most common types of malicious attachments that are sent, archive files, about 29%. And then spreadsheets and documents, followed by executable files at 19%. Unusual archive types, such as JAR files, which is a Java archive file, are being used to avoid scanning tools. Interesting. which is a Java archive file, are being used to avoid scanning tools. Interesting. I suppose one of the things with making use of unusual archive file types is that even for some of these legacy types, the utilities that open them have the utility to do that.
Starting point is 00:24:40 For convenience, they will open the old stuff, right? Even if they're not top of mind for the scanning tools. Let me help you with that. Yeah, right. Exactly. Wow. Here's an interesting statistic. This report states that 34% of the malware captured in the first half of 2021 was new malware, previously unknown.
Starting point is 00:25:00 And that's a small drop from last year, or the second half of last year. known. And that's a small drop from last year, or the second half of last year. But what that says is that about every six months, one third of the malicious software is new. There's a constant rotation of this stuff and it's being developed all the time. Yeah. Yeah. A real churn there. Yep. All right. Well, it's an interesting report. Again, this is from HP's Wolf Security team. It's their Threat Insights report. Joe Kerrigan, thanks for joining us.
Starting point is 00:25:28 It's my pleasure. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Trey Hester, Elliot Peltzman, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Thanks for listening. We'll see you back here tomorrow. Thank you. only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform
Starting point is 00:26:46 comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
