CyberWire Daily - Cyber Espionage, again. Patched SolarWinds yet? Patch Tuesday. The international conference on ransomware has begun. Booter customers get a warning. A disgruntled insider alters aircraft records.
Episode Date: October 13, 2021

A Chinese-speaking APT is distributing the MysterySnail RAT in what appears to be a cyberespionage campaign. Some users still haven’t patched vulnerable SolarWinds instances. Notes on yesterday’s Patch Tuesday. The US-convened international ransomware conference kicked off today, and Russia wasn’t invited. Former users of a criminal booter service get a stern warning letter from the Dutch police. Caleb Barlow reacts to a recent ransomware tragedy. Our guest is Rob Gurzeev of CyCognito on the security issues with subsidiaries. And a Florida woman is charged with altering aircraft records. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/197
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code n2k.
A Chinese-speaking APT is distributing the MysterySnail RAT in what appears to be cyberespionage campaigns. Some users still haven't patched vulnerable SolarWinds instances. Notes on yesterday's Patch Tuesday. The U.S.-convened international ransomware conference kicked off today, and Russia wasn't invited. Former users of a criminal booter service get a stern warning letter from the Dutch police. Caleb Barlow reacts to a recent ransomware tragedy. Our guest is Rob Gurzeev of CyCognito on the security issues with subsidiaries. And a Florida woman is charged with altering aircraft records.

From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, October 13th, 2021.

Security firm Kaspersky discusses an activity cluster they're calling MysterySnail, which they connect to the Chinese-speaking APT IronHusky, a group that's been active since 2012. MysterySnail exploits a Windows zero-day to install a remote-access Trojan. It's a cyberespionage campaign, the company's researchers say, quote, "Besides finding the zero-day in the wild, we analyzed the malware payload used along with the zero-day exploit and found that variants of the malware were detected in widespread espionage campaigns against IT companies, military and defense contractors, and diplomatic entities," end quote.
With all the attention last year's SolarWinds exploitation received, one would think that users would have applied the appropriate patches and mitigations. But Randori's 2021 attack surface report finds that one in 15 organizational users are still running a version that's either undergoing active exploitation or is at least, in their words, highly tempting to attackers. Randori's CTO David Wolpoff said in the release announcing the study, quote, "I'd wager the remaining vulnerable SolarWinds instances are there because of ignorance, not negligence," end quote. He thinks that the complexity of the current workplace, whether remote, in the traditional office, or in some hybrid of both, has made it difficult for organizations to accurately assess their risk, and in particular to prioritize their patching. Attackers can take advantage of relatively low-rated risks, and Wolpoff's general advice is to get deeper into the attacker's mindset, apply attacker's logic to their security program, and get one step ahead.

Yesterday was October's Patch Tuesday, and the Zero Day Initiative summarizes six Adobe and 71 Microsoft security updates.
Three of the problems that Microsoft patched (and Microsoft is a CyberWire sponsor) are rated critical by Redmond. One of these involves Microsoft Word. The other two are remote code execution issues in Windows Hyper-V. Adobe patched Reader, Acrobat, Commerce, and Connect. Apple has new versions of iOS, that's version 15.0.2, and iPadOS, also 15.0.2. They address a vulnerability, CVE-2021-3883, currently being exploited in the wild. If unpatched, Bleeping Computer writes, the vulnerability could be used for either staging malware or stealing information from affected devices. A proof-of-concept exploit has been published that was developed by reverse-engineering Apple's fix.

As usual, Krebs on Security has a good, useful summary of the month's patches. One of his observations is worth noting, especially given what Randori said about the importance of not overlooking the less highly-rated vulnerabilities. Krebs on Security thinks that the highly-rated but still less-than-critical fixes are among the most interesting of the Microsoft patches. The ones that lend themselves to exploitation for privilege escalation are, according to Krebs, particularly worth attention.
The Biden administration's promised high-level conference on ransomware kicked off today. Special sessions, the Washington Post reports, will address resilience, virtual currencies, law enforcement disruptions, and diplomacy. The U.S. engaged some 30 countries who will be attending the two days of meetings. The Hill and others note that Russia wasn't invited because the current ransomware surge is generally regarded as driven by Russian-inspired or at the very least Russian-tolerated gangs, privateers, as Cisco's Talos Group aptly called them back in May. We observe that while all Five Eyes, several NATO members, and other close U.S. allies are taking part, it's not just Russia that hasn't been allowed through the velvet rope. China, North Korea, and Iran aren't on the list either. Maybe next time. Or not. Frank discussions of malefactors and their ways proceed more easily when the alleged malefactors themselves aren't parties to the conversation. Those are often better handled one-on-one.

While much of the coverage surrounding the international ransomware conference has tended to focus on the role state sponsors or enablers of cybercrime play, the degree of commodification and the extent of division of labor now observed in the criminal-to-criminal market remains striking. A note this morning from Atlas VPN expresses the current state of the C2C market in monetary terms. Some of the more damaging services go for between about $60 and $500. The return on investment can clearly be very high indeed.
One criminal service that's attracted recent attention is the booter, a service used to conduct distributed denial-of-service attacks. One of those booter services was MindSearch.rip, which Dutch police took down back in July. Authorities in the Netherlands, of course, noted who was registered with MindSearch, and they've placed the customers on notice. The Record quotes that notice, recently received in the official physical mail by 29 Dutch nationals, quote, "We have registered you in our system and you will now receive a final warning. If similar incidents occur in the future, we will prosecute. In that case, take into account a conviction, criminal record, and the loss of your computer and/or laptop," end quote. Read and heed, former MindSearch customers.
And finally, a chilling story emerged this week from the U.S. state of Florida. Police have taken a Brevard County woman into custody on charges of accessing a flight training school's system to alter information on 12 aircraft, local broadcast news outlet WESH reports. The most disturbing change was to alter the status of some planes that required maintenance to airworthy. The flight school, Melbourne Flight Training (and remember, that's Melbourne, Florida, not Melbourne, Victoria), says that's an obvious flight safety problem. They detected and corrected the corrupted records before anyone was injured. It's not only a flight safety story, but an insider threat and off-boarding story as well. The woman who's facing charges, Lauren Lide, age 26 (and we note, of course, that those accused of crimes are entitled to the presumption of innocence), had been flight operations manager at MFT until she resigned in November 2019, on the same day her father was fired from his own job as director of maintenance at the company. The apparent motive was the classic motive of the disgruntled insider, revenge for perceived ill-treatment. Ms. Lide is said by her father to have been miserable at MFT and eager to leave.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Third-party risk.
You've got it.
You know you've got it.
And the challenge is calibrating your response and investment to mitigating that risk. Part of that is considering your subsidiaries, organizations connected to yours, but with a certain degree of autonomy for themselves. Rob Gurzeev is CEO and co-founder of CyCognito, a company focused on attack surface management and protection.

Maybe let's spend 30 seconds on this piece of history. So security testing today is really based in general on vulnerability scanners and penetration testing services. And these technologies and services were designed in the 90s, 20 plus years ago, when companies had just two servers connected to the internet and the rest of the IT assets were connected only to the intranet and were not exposed to the internet.
So back then, life was relatively easy,
and these vulnerability scanners and pen testing services
were actually very efficient and very effective
when you had to deal with just a few machines
that you need to really test.
Problem is that over the last 10 years,
companies moved to the cloud,
and in general, now companies have thousands of networks,
and in some cases, millions of assets connected to the internet.
And the other problem is all of these legacy scanners and pen testing services and anything that is related to them require either deployment or at least knowledge and input on what's going to be tested. Now, say you are the global CISO of this Fortune 100 or 500 company. You may not even know about the 50 or 100 subsidiaries that you have in your company, and you definitely don't have direct access to their assets. So, one, they might be using a completely different security stack than you, and you don't have access to their security stack for various reasons. Two, your scanning and pen testing services are irrelevant or cannot be applied there.
So you want to protect them.
Your company and your CFO know that the conglomerate will be affected by them getting breached. In many cases, they have assets that have access to your network, to the enterprise network and the enterprise data.
But that's a huge gap in both technology and process that cannot be solved, simply put,
with the legacy technologies.
So again, we wanted to highlight that.
And of course, when we talk to customers, we recommend what's the better way to deal with that.
So what are your recommendations then? How can organizations do a better job of addressing this?

Yeah. So in general, when it comes to attack surface protection, protecting your thousands or millions of assets that are exposed to the internet, our approach is actually very simple, very logical.
And my co-founder, Dima,
when I told him the first time about what I want to do, this company, he said,
Rob, there's no way that it hasn't been done already
because it's so basic and logical in a sense.
Very complex on the tech side, but so logical and simple. So we say, instead of running this vulnerability scanning internally that has to be based on known IP ranges and known domains, and so do pen testing services, we say, let's do what attackers do. Let's build a technology that doesn't require anything from the enterprise. Not deployment, not input, not configuration, and not even inclusion listing within some firewalls. And let's automate the reconnaissance process that we drove, by the way, in our previous lives. of this company, then map the millions of assets they have exposed, and then run an automated risk assessment on all of those things to find what are the top 10 security gaps that are super attractive and are related to important assets, the way attackers can understand them externally, that generate 90% of the risk.
We believe that logically, that's the only way to solve this problem.
The industry hasn't done it so far.
And when you look at the data that these researchers gathered in research, it's clear that they're
looking for such a solution.
For example, they're saying that it can take weeks and months to remediate something,
and that what's missing for them is actionable data with low false positives.
And the reason they're saying this is because the only current solution for this subsidiary or third-party risk, by the way, is based on super basic analysis of IP ranges registered on this other company's name and de facto basic port scanning. So the current offerings miss 50 or 70% of the actual risk.
And then based on what we hear from customers,
have 70% of false positives,
meaning they are wrong most of the time.
And if you're familiar with the domain,
why port scanning cannot forecast
what's vulnerable, then that's very clear. And yeah, and that's why we thought it's worthwhile
to portray this and help CISOs and CIOs. And today, by the way, even CFOs and some board members think about the problem of subsidiary risk in more specific terms.
And I think that the data tells a very clear story about it.
That's Rob Gurzeev from CyCognito.

ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.

And I'm pleased to welcome back to the show our CyberWire contributor,
Caleb Barlow. Caleb, it's always great to have you back. You know, we had this
recent tragic story about a ransomware incident affecting a healthcare organization and a loss
of life, a youngster, a child who did not get treatment they needed and died as a result of
that. I know, you know, healthcare is an area you have a lot of experience in, and I wanted to
check in with you to get your insights on this incident. Well, Dave, let me first say how my
heart goes out to the families involved in this horrible incident. And to quickly summarize what
happened, an expectant mother heads to the hospital as it's time to deliver her baby.
She is unaware at the time that the hospital has been impacted by a ransomware incident
and for the last eight days may have been unable to access most hospital systems, including
medical records, and many of the systems that monitor patient status.
Now, for anyone out there listening that may be unfamiliar with labor and delivery department,
expectant mothers, well, they naturally arrive any time, day or night.
And after an initial assessment, they're moved into a delivery room where you may wait for a few minutes or hours for the baby to come.
And these rooms are comfortable, but they're also really sophisticated with equipment at the ready, state-of-the-art monitoring systems, not only for the vital signs of, let's say, mom, but also for the unborn baby.
And in this case, particularly a fetal heartbeat. So at the nurse's station, you know, you always see the nurse's station in a hospital. The nurses can kind of quickly glance up, look at a monitor, see all
the patients, all the fetal heartbeats. And one of the things they're looking for is any degradation
in the fetal heartbeat could be a rapid indicator of a fetus in distress due to any number of
potential problems during delivery. So this system wasn't working, Dave.
And in this alleged incident,
the umbilical cord became wrapped around the baby's neck.
The fetal heartbeat clearly indicated in advance
that the baby was in distress.
And the doctors were even texting each other
that had they realized this,
they would have immediately moved the mother
into a C-section and, you know,
potentially saved the child.
Right.
So, you know, so what we have here
is a ransomware incident that is allegedly causal.
And I think there's a lot of things
we can learn from this, Dave.
Well, I mean, let's dig into it.
What could have been done in this situation?
So, you know, nurses, physicians, pilots, ship captains, they're
all trained to work in less than ideal conditions. Like, you know, a pilot knows their job is to get
the plane on the ground no matter what. In a similar way, a doctor knows how to treat a patient
the best they can when resources are not always available. You know, if the power goes out,
they're going to still keep treating patients. But the difference here is the hospital allegedly
knew that they had a ransomware incident.
So they knew they were in a degraded state of care.
What that means is maybe mom had a choice of which hospital she went to if she knew.
So there's that, you know, and I'm not a lawyer.
We're not providing legal advice here.
But there is an elevated level of potential caution of should you still be delivering services if you're in a degraded state or should you at least be communicating that?
And I think that plays not only to healthcare, but anybody that's got a life safety system that may be involved.
This might have been a manufacturing environment where when that manufacturing environment is hit with a ransomware incident, maybe they can keep making parts, but maybe not all the safety systems work in the same way, right?
Or a building is impacted.
Do the fire alarms potentially work in all the same way?
We've got to think as security professionals now about, based on what's happened, has a life safety system potentially been degraded?
And that's not something that's in most runbooks today.
Yeah, I mean, it strikes me that if my wife and I were headed to labor and delivery and
we got notice that the hospital had no electricity, chances are we would reroute somewhere else.
And now you got me thinking, is ransomware similar to having no power?
I think it is when we have expectations of what the standard of care is going to be
when we go to the hospital. And the reality here is allegedly that standard of care was degraded
because the monitoring systems weren't working. Now, think of this from a security professional perspective.
Do you even have an inventory of what you need to worry about? Now, let me throw one other thing
out there of, you know, kind of pivot this upside down and backwards. I ran an immersive exercise with a hospital fairly recently. And, you know, I presented them with a ransomware incident, but with a twist. What I did in the ransomware incident was that rather than locking up the systems, the adversary had changed five medical records. And, you know, the adversary demonstrated to the hospital two of the records that had changed. And there were things like allergies and, you know, medications, critical things that would have affected patient care. And basically the ransom was, hey, pay me a million dollars
if you want to know what the other three records are
that have changed.
This caused an amazing set of dialogues
to occur in this exercise.
And, you know, I just dove in.
I had no idea how they were going to deal with this.
They got into a debate of, hey, on one hand,
we can't trust our electronic healthcare records,
so do we shut down?
Because the last thing we want to do is treat somebody improperly. But that was weighed with
the same issue of, if we shut the hospital down, then we know we're delaying care for patients that
rely on us in the area we live in, and therefore we may hurt people there as well because we're
no longer available.
And it created quite the discussion of what are we going to do.
These types of decisions, these types of discussions, these types of tradeoffs, they've got to happen in advance before the incident occurs.
Yeah, and I think back to the mother in labor and delivery. And I can imagine a hospital knowing it's in a degraded
state and perhaps bringing in more nurses so that they're in the room with a, instead of relying on
the nurse's station, that you have folks in each labor and delivery room, right? So a possible
mitigation there. But also communicate, communicate, communicate, right? Today, people are hit with
their ransomware incidents. Of course, bad guys don't
want to communicate it often because they don't want law enforcement involved. It's embarrassing,
but it's also a life safety issue. And I would argue it's a life safety issue, in this case,
not only for who you're treating, but also your employees. If they don't understand the breadth
of what's going on, they can't make those trade-off decisions to say, hey, because this monitor's not working,
I'm going to change nurses' rounds
and they're going to come around every five minutes
and check the fetal heartbeat.
Like, there were probably ways to mitigate this,
which of course would have required more staff
or maybe you take on fewer patients.
But again, that kind of failure mode effect analysis,
that's got to be done ahead of time.
You're not going to figure that out
while you're in the middle of an incident.
Yeah.
All right.
Well, Caleb Barlow, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester,
Brandon Karp, Puru Prakash,
Justin Sabe, Tim Nodar,
Joe Kerrigan, Carol Terrio,
Ben Yellen, Nick Vilecki,
Gina Johnson, Bennett Moe,
Chris Russell, John Petrick,
Jennifer Ivan, Rick Howard,
Peter Kilby, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.