CyberWire Daily - Cyberespionage follows South Asian conflict. LockBit’s $50 million demand. Insider risk. Trend Micro warns unpatched Apex is under attack. PrintNightmare persists. Google and Apple on privacy.

Episode Date: August 13, 2021

ReverseRat is back and better, and it’s sniffing at Afghanistan. LockBit wants $50 million from Accenture. When employees leave, do they take your data with them? (Survey, or rather, telemetry, says... yes.) Unpatched Apex One instances are under active attack. PrintNightmare continues to resist patching. Google bans SafeGraph. Apple explains what’s up with iCloud privacy. Caleb Barlow wonders if ransomware payments are financing criminal infrastructure in Russia. Our guest is Oliver Rochford from Securonix on the notion of cyberwar. And the SynAck ransomware gang rebrands. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/156

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. ReverseRat is back and better, and it's sniffing at Afghanistan. LockBit wants $50 million from Accenture. When employees leave, do they take your data with them? Unpatched Apex One instances are under active attack.
Starting point is 00:02:15 PrintNightmare continues to resist patching. Google bans SafeGraph. Apple explains what's up with iCloud privacy. Caleb Barlow wonders if ransomware payments are financing criminal infrastructure in Russia. Our guest is Oliver Rochford from Securonix on the notion of cyber war. And the SynAck ransomware gang rebrands. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, August 13th, 2021. Lumen's Black Lotus Labs report that ReverseRat, which is, as its name implies, a remote-access Trojan, is out in an evolved version that has added functionality such as taking remote photos via webcams
Starting point is 00:03:17 and retrieving files on USB devices inserted into the compromised machines. ReverseRat 2.0 is believed to be operated by a threat actor in Pakistan, and its principal targets have been government and energy organizations in South Asia, especially Afghanistan, but with a smaller number of other attacks observed in India, Iran, and Jordan. The ongoing turmoil in Pakistan's neighbor suggests an obvious reason for making collection against Afghanistan a priority. The present campaign appears to have begun on June 28.
Starting point is 00:03:51 ReverseRat 2.0 is currently accompanied by a more evasive version of the preBotHta loader, designed in particular to avoid detection by Kaspersky and Quick Heal security products. Black Lotus Labs has also identified another agent, NightFury, that replaced the AllaKore RAT previously used in tandem with earlier versions of ReverseRat. The infection mechanism has usually been a phishing email, baited with a PDF file that misrepresents itself as the agenda for a United Nations meeting on organized crime. Cyble has found communications from LockBit in which the gang claims to have taken more than six terabytes of data from Accenture and in which they demand $50 million in ransom. LockBit also
Starting point is 00:04:39 claims they obtained access from a rogue insider who's still employed by the company. While Seibel notes that LockBit has been advertising for corrupt insiders willing to betray their organization's trust, the firm thinks that in this case the gang's claims are unlikely to be true. Accenture hasn't issued any significant statements about the incident beyond its early reports of having contained it with minimal damage. LockBit has indeed followed through with its threat to release some of the stolen data, but as Security Week observes, the material released so far, at least, does not appear particularly sensitive. Code 42's analysis of security trends in the first half of 2021 finds that insider risks are
Starting point is 00:05:23 surging during what the firm calls the Great Resignation, the employee churn the current seller's labor market is generating. So people are leaving their place of employment. So what? Well, according to Code42, here's what. When they leave, the company information often leaves with them. This trend in the labor market is reinforced by two other trends, increased data portability and more widespread remote work. Anonymized telemetry from 700,000
Starting point is 00:05:54 endpoints running Code42 tools in the first half of 2021 have shown a strong correlation between data exposure and employee departure. Code 42 notes two other trends that suggest a greater insider risk, more exposure of source code, and more data incidents involving removable media like USB drives. Both of these suggest that people within organizations are the source of the exposure. Correlation with employee turnover is unlikely to be a matter of mere accident, so think about off-boarding and take some time to help people understand that proprietary material isn't necessarily their property. Trend Micro says that it's seen signs of threat actors attempting to exploit two vulnerabilities
Starting point is 00:06:40 in the company's Apex One security products. Trend Micro addressed the flaws with Apex One security products. Trend Micro addressed the flaws with patches issued on July 28. The company has said, quote, Trend Micro has observed an active attempt of exploitation against two of these vulnerabilities in the wild in a very limited number of instances. And we have been in contact with these customers already. All customers are strongly encouraged to update to the latest versions as soon as possible. The Windows vulnerability known as Print Nightmare is proving surprisingly resistant to the fixes that have been applied.
Starting point is 00:07:16 Microsoft released a warning at midweek after this month's Patch Tuesday which addressed this family of vulnerabilities, saying that a remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with system privileges. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. There's no new patch yet, although Redmond is working on it. Microsoft says that the workaround
Starting point is 00:07:52 for this vulnerability is stopping and disabling the print spooler service. And, of course, since the perfect can often be the enemy of the good, users should also apply the fix Microsoft published this Tuesday and not wait for a complete solution to print nightmare. Microsoft, we point out in full disclosure, is a CyberWire sponsor. Two privacy stories of interest come out of Silicon Valley. We'll take Mountain View first and then move on over to Cupertino. Google has banned Safegraph, a data location firm, from its ecosystem, which means that developers must remove any of SafeGraph's code from their apps
Starting point is 00:08:31 if they wish to continue to distribute their software in Google's store. The move is part of the company's larger effort against location data collection firms that seek to get app developers to include data harvesting code, the better to collect information for sale to companies and governments. As Vice reports, quote, Safegraph collected at least some of its location data by having app developers embed the company's code or software development kit into their own apps. Those apps would then track the physical location of their users, which Safegraph would repackage and then sell to other parties. Google confirmed to Motherboard it told app developers in early June
Starting point is 00:09:11 they had seven days to remove Safegraph's SDK from their apps. If they didn't do this, Google told Motherboard the apps may face enforcement. This can mean removal from the Play Store itself. End quote. face enforcement. This can mean removal from the Play Store itself, end quote. And over in Cupertino, Apple continues its attempts to explain why its recent child protection measures don't amount to an abandonment of the company's commitment to privacy. So, they suggest out Cupertino way that what we have here is a failure to communicate. In a Wall Street Journal exclusive this morning by
Starting point is 00:09:45 reporters Joanna Stern and Tim Higgins, Apple's Senior Vice President of Software Engineering, Craig Federici, explained how the company intended to preserve privacy while enforcing measures against child exploitation. Part of the confusion, Federici attributed to the essential simultaneous announcement of two distinct tools. One of them identifies known, and the emphasis should firmly be on known, explicit images of children uploaded to the iCloud storage service. The other tool gives parents more powerful ways of keeping tabs on the images their children share through text messages. The simultaneous launch probably led many to conflate the two and to envision them as amounting to a single infusion
Starting point is 00:10:29 of privacy-threatening functionality into the Apple ecosystem. Federighi told the Journal, It's really clear a lot of messages got jumbled pretty badly in terms of how things were understood. We wish that this would have come out a little more clearly for everyone because we feel very positive and strongly about what we're doing. End quote. Federighi says the new tools don't amount to a digital panopticon.
Starting point is 00:10:54 He said people's iCloud storage isn't going to be continuously monitored and rummaged for whatever content Apple might find objectionable. Instead, Apple will be notified when a certain threshold is reached in terms of the number of images uploaded, and only then will it look. The images are specifically identified and appear in a database of known child exploitation pictures. The ultimate guarantor of privacy for the new system, Apple says, will be the multiple levels of audit the company has put in place. So it's not a backdoor and doesn't involve intrusion into a user's device.
Starting point is 00:11:31 I think in no way is this a backdoor. I don't understand. I really don't understand that characterization. Imagine someone was scanning images in the cloud. Well, who knows what's being scanned for? In our case, the database is shipped on device. People can see and it's a single image across all countries. We ship the same software in China with the same database as we ship in America, as we ship in Europe. If someone were to come to Apple, Apple would say no.
Starting point is 00:12:01 But let's say you aren't confident. You don't want to just rely on Apple saying no. You want to be sure that Apple couldn't get away with it if we said yes. Well, that was the bar we set for ourselves in releasing this kind of system. There are multiple levels of auditability. And so we're making sure that you don't have to trust any one entity or even any one country as far as what images are part of this process. And of course, go to the Wall Street Journal to read and listen to the whole thing. And finally, there's been another transition in the ransomware subsector of the criminal marketplace. The record reports that the gang formerly known as SYNAC has released decryption
Starting point is 00:12:45 keys for ransomware it used between July 2017 and the early part of this year. It's not, however, a sign that the SYNAC operators have grown a conscience. They've simply rebranded as e-comita, are retiring their old code, and are moving on to new ransomware-as-a-service products they hope will enable them to gain a healthy share of the C2C market. Although SYNAC is one of the older ransomware gangs out there, they've badly lagged several of their younger competitors, like that gang formerly known as R-Evil you may have seen in the news lately. Do you know the status of your compliance controls right now?
Starting point is 00:13:36 Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:14:24 That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. There's active discussion in cybersecurity over the appropriate use of terms like cyberwar and cyberweapons. When and under what circumstances, if any, these are the right words to use.
Starting point is 00:15:39 And if not, then what are better options? Joining me to help unpack this is Oliver Rochford, Senior Director and Security Subject Matter Expert at Securonics. So, I think there are two definitions of that term, right? There's an international legal definition, which belongs to the realm of policy and actual warfare, which we're definitely not hitting. If you look at the kind of statement that was given out today by the UK, the US, the EU, they were very careful to call it systematic cyber sabotage. And that's because how can you have a cyber war without an actual war? You know, there's been no war declaration. And more importantly, this whole issue is being confused just pure and simply by the fact that, of course, there's this mix between civilian and between essentially what's military, government, and public infrastructure.
Starting point is 00:16:27 And so that's confusing the issue for sure. But if we think in terms of describing offensive actions within the realm of cyber, I think it's an apt term. It's one which we can use. And where do you suppose things are headed? What do you suppose – I don't know. Is it possible to imagine a future state of equilibrium here? So the future state, or the solution to this, it's not going to be technological. In reality, almost every nation state is a glass cannon.
Starting point is 00:16:57 We can successfully attack, we can successfully defend. The attack surface is mixed civilian and government, and so we can't even defend it sufficiently. Barring some kind of light year forward jump in terms of AI, which, to be honest, I don't see coming right now, we're improving iteratively, the solution is going to be based on agreements. And that is purely and simply because there's a lot at stake here. Right now, it's just a little bit of competitiveness. because there's a lot at stake here. Right now, it's just a little bit of competitiveness. But going forward, it's about whether we're going to have the same going forward the next 50 years
Starting point is 00:17:29 as we've had the last 50 years, where we have been very open about sharing innovation and technology. And I believe that's the biggest thing at stake here, that if we don't agree on solving this outside of the technological sphere, everyone is going to go back into a mode of protectionism and not sharing their IP. Is there an area here that
Starting point is 00:17:50 has you particularly concerned? Is there any area that you feel isn't getting the proper attention it deserves? So right now, I think that our attempts to deal with this are unevenly distributed. The weakest link is going to essentially jeopardize everybody.
Starting point is 00:18:08 So I'd like to see us share more of these approaches, definitely in Europe with the US, I would say worldwide, in terms of how we can avoid confrontation. I don't think anyone can win in the long term out of that. This is something where once we stop sharing all of the information, especially if we want AI to work with, it's about huge amounts of data sharing. Going it alone is probably not going to be a valid way, even for a giant like China. I think one thing which is very important to keep in mind with this entire thing around cyber war is that it's very visible. So what I mean by that is we're reporting on it.
Starting point is 00:18:52 There are a whole lot of parties who only have partial information. So I think there's a lot of misinformation in this. I think there's also a lot of exaggeration in terms of what can actually happen. At the same time, the true impact of this, I'm not sure if it's being reported on well. We're always looking at these anecdotes and incidents of things which have happened. We're looking at Iran, Israel, because that's about the only hot cyber war we have in the moment. We had Ukraine, Russia, which I think would qualify to a certain degree. But we're always trying to look in the rearview mirror.
Starting point is 00:19:28 This is not how it's going to work. Right now, there's this cat and mouse game going on of people building up arsenals, of all parties building up arsenals, all of them laying back doors, all of them laying logic bombs. And there is no cyber war independent of kinetic war. The truth is that we're going to see the first cyber war in the first couple of minutes in the next big kinetic war. And it's just going to be a part of the whole, but it's going to be very decisive. I think that if you can disable the infrastructure of your opponent, you don't need to throw a bomb or shoot a single shot. It's done, isn't it? That's Oliver Rochford from Securonics. There's a lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro and sign up for Interview Selects,
Starting point is 00:20:08 where you'll get access to this and many more extended interviews. Cyber threats are evolving every second, and staying ahead is more than just a challenge it's a necessity that's why we're thrilled to partner with threat locker a cyber security solution trusted by businesses worldwide threat locker is a full suite of solutions designed to give you total control stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Caleb Barlow.
Starting point is 00:21:15 He is the CEO at Synergist Tech. Caleb, we are seeing, I would say it's fair to say, a ramping up of ransomware payments. I hadn't noticed, Dave, really? We had JBS, I think it was $11 million. Colonial Pipeline, legend has it, was $5 million. What happens on the other side of this? When that money is being invested on the other side, what's your take on that? Well, you know, Dave, I had one of those moments
Starting point is 00:21:46 where I was thinking about silly things and I'm like, what could you do with that kind of money in Moscow? And, you know, this wasn't some in-depth research, but I got to tell you, it's pretty interesting. So, you know, take the case of Colonial Pipeline, right? So the Justice Department got $2.3 million back. Thought is that was probably – came back from one of the affiliate payments is at least the kind of prevailing idea. It's probably the case. But what can you do with a few million dollars in Moscow? Well, I don't know about you, Dave, but if you're kind of a cool bad guy, like the first thing I'm going to do if I get that kind of haul is buy a car, right? Yeah.
Starting point is 00:22:22 So a Lamborghini, if you want the Lambo, Dave, and I think you would look good in a Lambo with the top down. Yeah, I can't disagree with you there. Okay, about a quarter million US. If you're more of a Porsche guy, that's more of $100,000 US. Sure, sure.
Starting point is 00:22:37 But in some cases, interestingly enough, the prices for these new cars are actually cheaper than here in the US. Now, the second thing we need to do, Dave, we got to throw a party, right? I mean, I'm thinking booze, drugs, you know, men, women, whatever you're into, you know, let's say that runs, I mean, let's say it's another 100K, right? I mean, we need a blowout party, right? So we bought the house. Oh, well, we need a house now, right? I mean, where are we going to throw the party? I don't know about you, but I'm not going to rent a place. We need a
Starting point is 00:23:07 fun house. So let's just buy the darn thing. And luxury homes in Moscow aren't actually all that expensive. I think we need a place with a pool. What do you think? Yeah, of course. Okay. So that's another quarter mil. So we bought the car the house the party um but you know let's get back to business dave we we yeah you know i mean this is a business right um we can have some fun but we need more developers and engineers for the next attack so let's say we spent the 250 on cars because we got you the lambo another 250 on on a fun house, 100K on our party. Well, that's only 600K. So in the case of JBS, we had 11 million in total. Well, about half of that goes to the affiliate. We kind of know that, right? So we got to pay off the people that
Starting point is 00:23:57 helped us get there. Sure. Fair is fair. Fair is fair. So let's just say to use round numbers, that leaves us with a cool five mil off of this to put in engineers, development needs, future tax, office space, whatever. Well, you can get a software engineer in Moscow for under 20,000 US dollars a year. But I don't know about you, Dave, but I'm not hiring average people. Well, you got to spend money to make money, right, Caleb? Yeah. We want a fun culture, right? I don't know, we want a fun culture, right? So let's just assume we're going to pay them double that. We're going to pay 40,000 US a year. So double the prevailing. Office full of Aeron chairs. Oh, gotta have Aeron chairs. And we didn't include that in the budget. We may need to add that. We need some snacks, foosball.
Starting point is 00:24:40 So that $5 million funds a team of 125 developers for an entire year. Wow. One attack. That's a lot of foosball. That's a lot of foosball. So the point here, Dave, is when you pay a ransom of that size, and I'm not picking on anybody that's paid a ransom before, but this is the problem. When you pay a ransom of that size, you are literally the series B round venture capitalist for the next attack that's targeting the entire sector, right? You are literally the venture capitalist for the
Starting point is 00:25:11 bad guys when you pay a ransom of that size. Okay, so that's the reality. Does that put you on either side of the equation when it comes to paying or not? I mean, it's a tough thing to figure out, right? Well, it is a tough thing to figure out. And historically, we've been deferring this risk to cyber insurance. And, you know, we've all gotten drunk on cyber insurance, right? I mean, that market took off like crazy. You and I have talked actually pretty recently about how cyber insurance is tightening up. And, you know, they're trying not to pay. In some cases, the Treasury Department stepping in and actually blocking some of those payments by sanctioning ransomware operators. So unfortunately, that risk is now coming back on us. And I think the real thing that we've got
Starting point is 00:25:55 to think about as a society is maybe we need to change the economics for the bad guys and just stop paying the ransoms. It's going to be painful, particularly the first round time we do it. But if we stop paying the ransom, we stop the venture capital, you can't hire the 125 developers, buy the Lambo, buy the Funhaus, or throw the party. All of a sudden, it's not cool anymore.
Starting point is 00:26:20 And why do it? Yeah, yeah, yeah. And there'll be good deals to be had on slightly used Lambos, right? There will. And how cool would that be? It would be. I mean, I can see the used car operator,
Starting point is 00:26:34 I can see the used car dealer in Moscow after we banned ransomware payments, go, oh, well, you know, these are all, these are a great deal. These are all former ransomware operators. We can get you a great deal on a used Lambo. I think it was Alan Liska from Recorded Future who made the point that if you want to try to track some of these folks down, track the purchases of exotic cars, that there's more
Starting point is 00:26:56 than a dotted line between those two things. So I think you're onto something. Absolutely. So look, I mean, here's the point. This is a little fun, but the point here is, in all seriousness, what do you think you're funding when you pay a ransom of that size? And is there a better way? And maybe the better way is just to change the answer for everybody and change the economics for the bad guys. All right. Food for thought. Caleb Barlow, thanks for joining us. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:27:49 The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Don't forget to check out this weekend's episode of Research Saturday in my conversation with Lee Christensen and Will Schroeder from SpecterOps. We're discussing their research on abusing Active Directory certificate services. That's Research Saturday. Check it out. Our amazing CyberWire team is Elliot Peltzman,
Starting point is 00:28:13 Trey Hester, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki,
Starting point is 00:28:21 Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Ivan, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. Thank you. AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare,
Starting point is 00:29:11 and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
