CyberWire Daily - DarkSide: absconding, rebranding, or retiring to a life of penitence? (Probably the first two.) Israeli airstrikes said to target Hamas cyber ops centers. Apps behaving badly. Notes on phishbait.
Episode Date: May 20, 2021
Did DarkSide really see the light and shut down, with a sincere promise of reform and restitution, or is the gang just rebranding? Researchers look at DarkSide ransomware and find complexity and sophistication. Israel says airstrikes in Gaza were intended to take out Hamas cyber ops facilities. Poor practices seem to have exposed data of millions of Android app users. Phishing from call centers and cloud services. David Dufour from Webroot looks at hacker psychology. Our guest is Rob Price from Snow Software on Shadow IT. And who dunnit to SolarWinds? Not the intern. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/97 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Did DarkSide really see the light and shut down
with a sincere promise of reform and restitution, or is the gang just rebranding?
Researchers look at DarkSide ransomware and find complexity and sophistication.
Israel says airstrikes in Gaza were intended to take out Hamas cyber ops facilities.
Poor practices seem to have exposed data of millions of Android app users.
Phishing from call centers and cloud services.
David Dufour from Webroot looks at hacker psychology.
Our guest is Rob Price from Snow Software on Shadow IT.
And who dunnit to SolarWinds?
Not the intern.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, May 20th, 2021.
There had been a disturbance in the ransomware underworld that began last week with claims by DarkSide that its infrastructure and funds had been seized or otherwise disrupted.
The gang promised to issue decryptors to all of its victims and to meet its financial obligations to its affiliates by May 23rd.
Some other gangs also appear to have pulled in their horns, but it was unclear exactly what had happened to DarkSide.
The gang's statements prompted speculation last Thursday that it had been taken offline by U.S. law enforcement action, but the Washington Post reported yesterday that four U.S. officials have quietly denied that any U.S. military, law enforcement, or other agency did anything of the kind.
Various DarkSide affiliates have been complaining that the ransomware-as-a-service gang stiffed them of shares of ransom it owed them, which makes it appear likely that DarkSide simply absconded on the plausible pretext that it was being rousted by the law.
Now I hear you say, it's only May 20th. Maybe they'll have ponied up by Sunday, as promised. Well, okay, but I wouldn't build too many hopes on that promise.
Many observers expected the gang to rebrand and resurface, but whatever the eventual fate of DarkSide proper is, RiskIQ finds that a number of its affiliates are still going strong and, in principle at least, capable of deploying malware, so it's by no means a good time to let your guard down.
As for the temporary eclipse of other ransomware gangs, posting of stolen data to name-and-shame sites, for example, fell off significantly last week. That seems to have been a temporary pause.
Citing work by Recorded Future, Reuters says that rates of ransomware activity have now returned to near-normal levels.
Nozomi Networks has released its study of DarkSide's methods. The malware begins by collecting information about its targets. It systematically bypasses potential victims in Russia and some other former Soviet republics. It selects victims' files for encryption, and it's apparently choosy about those it picks. The malware uses self-encryption and dynamic API resolution to avoid detection, and it disables known backup solutions it finds in place in target networks. Its use of symmetric and asymmetric encryption is notably more sophisticated than was found in early ransomware strains and makes it less likely that the victim will be able to break the encryption on their own.
DarkSide has also thrown up some recent variants that show enhanced capabilities. Fortinet researchers found that the ransomware is now capable of detecting and compromising partitioned hard drives.
The U.S. Congress continues to deliberate legislation intended to protect critical infrastructure from cyber attack. Hearings on Tuesday took testimony from senior military leaders responsible for cyber operations, the U.S. Naval Institute writes, and The Hill reports that Energy Secretary Granholm yesterday told the House Energy and Commerce Committee that she favored applying the same security standards the power grid faces to pipelines. Secretary Granholm stated, quote,
If we had the standards in place, would this particular ransomware attack have been able to happen?
You know, I'm not 100% sure.
I do know that having good cyber hygiene on the private side, as well as on the public side, is a critical basic defense.
And for entities that provide service to the public like that, especially critical services like energy,
I think it's an important consideration for this committee, for sure.
End quote. She suggested that the Federal Energy Regulatory Commission cybersecurity guidelines for the power grid might serve as a useful initial model for pipeline regulation.
The Record reports that two Israeli airstrikes against targets in Gaza were intended to hit Hamas cyber operations centers. A strike on May 14th is said to have hit what Israeli Air Force sources call a cyber equipment storage site in the northern Gaza Strip belonging to Hamas military intelligence. The Record adds that the site was apparently also serving as a data center.
The building also housed civilian media offices, NPR and others reported at the time, among them offices of the Associated Press and Al Jazeera, who say they were unaware of the Hamas presence and that media personnel narrowly escaped being killed in the strike.
Yesterday's strike targeted what the Israeli Air Force described as a
hideout apartment that was used by the terror operatives for offensive cyber activity against Israeli targets.
Researchers at Check Point say their examination of 23 Android applications found 13 apps that exposed data of more than 100 million users. The problem lies in the developers' misconfiguration of such cloud services as real-time databases, notification managers, and storage. The report finds that among the more common poor practices was the embedding of push notification and cloud storage keys in the apps themselves.
Palo Alto Networks' Unit 42 has found that the controllers of BazarLoader, malware that backdoors infected Windows hosts, are now using trial-subscription phishbait to direct victims to a call center that walks them through the process of installing the loader. They're calling the operation BazarCall.
Inky describes an ongoing criminal campaign that uses phishing to induce the victims to give up their email credentials. The phishbait is a bogus RFP, and the emails originate from compromised accounts that are generally known to the recipients. They were staged from the cloud-based content sharing system Adobe Spark.
Proofpoint is also seeing abuse of cloud content sharing services. In this case, the platforms affected are from Microsoft and Google. This approach, the company notes, lends an appearance of legitimacy to criminal phishing attempts.
And finally, at RSA, SolarWinds CEO Ramakrishna updated what's known about the compromise of SolarWinds' Orion platform. CyberScoop reports that, among other comments, he retracted earlier claims that the incident arose from an intern's carelessness. So the intern, it turns out, didn't do it.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
It is probably not off-base to say that the shadow cast by shadow IT grew longer in the past year, thanks to the shift to remote work and to the co-mingling of home networks and devices with business functions.
Rob Price is Global Solutions Consultant at Snow Software,
and he joins us with his thoughts on shadow IT.
Personally, I would define shadow IT as something that has not been adopted as a corporate standard or been ratified by, let's say, internal IT. To me, shadow IT is what occurs when an individual or a business unit seeks technology capability to aid them in their day-to-day roles and improve their productivity that may not have been vetted by the core IT organization within an end-user environment, within a computer environment.
Is it fair to say that much of the time when folks resort to using shadow IT that they have good intentions in mind, that they're just trying to get their work done?
Absolutely. That is fundamentally correct.
And over the years, I've seen it adopted or used in multiple different ways where finance organizations have put data loss prevention systems in place and, you know, tied people to their desks, and folks email home spreadsheets to their private accounts so they can work on them in their own time before sending it back prior to Monday morning. And being able to see those types of activities, shadow IT itself, isn't just about new applications. It's about working practices that take data outside of the security boundaries of an organization.
How much of this comes down to communications?
In other words, the IT folks taking a collaborative approach to this
rather than viewing it as something that could even be adversarial.
I think this is a fundamental shift in working practices
and how organizations need to interoperate.
You know, traditionally, IT has been, let's call it, you know,
an underfunded area of business.
Very seldom do we ever see IT budgets, you know,
running higher than an organization needs them to.
And I think by the nature of our traditional insular IT folks, it's easier sometimes for them to say no than it is to say yes.
And we need to turn IT from what I would call a service unit within businesses into a much more positive, proactive business unit. So we should be looking at and encouraging IT to be at the forefront of advancement within the organization, not as a cost center that's a drag on budgets.
And that's a really, really big shift in organizational culture, not, well, I mean, global culture. We need to turn the IT folks into the forefront, I think, of our businesses.
Really make them a business enabler.
Yeah, absolutely, and celebrate their capabilities.
Not, you know, from where I started, pulling boxes of paper out the back of a line printer,
you might as well have put me in a cupboard.
And these guys really need to be, you know, have a seat at the top table.
Let's empower our CIOs.
You know, what can technology do for the business?
Let's be on the front foot and take the advantage.
And, you know, the more we see it in today's day and world, it's, you know,
cloud-first strategy is one thing, but actually that just means somebody else's hardware.
What do we really do and how do we empower these people to be thought leaders,
not fulfill services that somebody else is already requesting?
That's Rob Price from Snow Software.
Thank you.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And joining me once again is David Dufour. He's the Vice President of Engineering and Cybersecurity at Webroot.
David, great to have you back.
Great to be back, David.
I know today you wanted to touch on something interesting here. It's comparing hacker psychology with vaccine-related threats. Thread that needle for me. Where do those two things cross over?
Well, I mean, hackers are expert in vaccine distribution. You probably didn't realize that. No, actually, they probably would be pretty good at it if we could get them to do the right thing, not the wrong thing. But seriously, around the psychology here, about a year ago, when we started really picking up steam on the coronavirus, COVID, we saw massive amounts of negatively branded warning sites saying, you need to submit information here, we need to get your Social Security number here to protect yourself, et cetera, et cetera. Really negative push on these malicious sites that were stood up specifically around COVID because malicious actors, the hackers, they take advantage of whatever the psychological mood is. And so the interesting thing, which I'm about to reinforce is, and this is good news, David, everybody should feel great. They've shifted to a really positive mood now about enter your information here to get the vaccine. Give us your credit card and we'll put you on a vaccine list, things like that. So what's interesting is the world went negative, so did they. As we've gone positive, they're actually becoming more positive as well.
Just so I make sure that I'm following you here, the case that you're making is that we should be grateful that the bad guys, the scammers, have switched from using fear as their method to get you to click, and now they're using hope as their method to click. So somehow, I mean, I suppose, so we're saying that's more than a lateral move?
Well, I mean, fundamentally, if your information is going to be stolen, wouldn't you want to feel good about it instead of bad about it?
I see.
All right.
Well, thank you very much. David Dufour, Vice President of Engineering.
All right.
Well, I'm going to give you some more rope to hang yourself here, David.
I think the message is a good one, that the scammers absolutely follow whatever is in the public eye, right? So whatever the media is pushing and whatever buttons they can push on people, they do that, and that's what they're doing here.
That is exactly right. And honestly, if I was someone, I'm an engineer, so I'm not hugely interested in psychology. But if I was interested in psychology, this would be a fascinating topic because they truly shift their attack surface. And by attack surface, the way they stand up and they socialize, they shift it based on the mood, because based on society's mood, people are more liable to click into something. You know, when you're worried about getting a virus, you're going to give your information to someone who's going to tell you about it. When you're excited about getting the vaccine because maybe it's going to help you, you're more liable to give your information. So they're very, very good at tracking this psychological, you know, footprint of what people are feeling and then standing up attack surfaces that take advantage of that. That's really the point here.
Yeah. And I suppose too, I mean, they have so much real-time information coming in when they're, especially when they're doing these kind of spray-and-pray operations, you know, they can track which emails are working. Is hope working more than fear this week? Well, let's head in that direction.
Yeah, that's exactly right. I mean, think of it in a real business case. Think of it as the website marketing where you're standing up a product and you maybe have three or four mechanisms for trying to position that product and you're tracking which one sells better. That's the same thing they're doing. They're standing up three, four, five things, seeing which ones are trending better in terms of stealing information, and then they go all in on that based on the success.
Yeah. All right. Well, David Dufour, thanks for joining us.
Hey, great being here, David. Thank you.
in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.