CyberWire Daily - DarkSide still more-or-less dark. Updates on Colonial Pipeline and HSE ransomware attacks. CNA said to have paid $40 million in ransom. Cyber privateers and cyber mercenaries.

Episode Date: May 21, 2021

The US remains officially mum on whether it took down DarkSide, but it still looks as if the ransomware gang absconded on its own. Colonial Pipeline now faces legal fallout from its ransomware incident. Speculation about how states might handle cyber privateering. Conti’s attack on HSE is described as “catastrophic.” Russia says it was hit by foreign cyber mercenaries last year. Craig Williams from Cisco Talos explains Discord abuses. Our guest is Jon Ford from Mandiant on their M-Trends 2021 report. And CNA pays cyber extortionists $40 million. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/98 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The U.S. remains officially mum on whether it took down DarkSide, but it still looks as if the ransomware gang absconded on its own. Colonial Pipeline now faces legal fallout from its ransomware incident. Speculation about how states might handle cyber-privateering.
Starting point is 00:02:16 Conti's attack on HSE is described as catastrophic. Russia says it was hit by foreign cyber-mercenaries last year. Craig Williams from Cisco Talos explains Discord abuses. Our guest is Jon Ford from Mandiant on their M-Trends 2021 report. And CNA pays cyber extortionists $40 million. From the CyberWire studios at DataTribe, I'm Dave Bittner with it took down DarkSide infrastructure, The Hill reports, but it still looks as if the U.S. did not do so. The anonymous officials who talked to The Washington Post earlier this week still have the last word, for now.
Starting point is 00:03:21 If DarkSide was clobbered by law enforcement, they didn't come from Washington, Langley, or Fort Meade, say the anonymi. CIO Insight has a distillation of lessons organizations might learn from the Colonial Pipeline incident. Those lessons are organized under eight headings. They include phishing. Many, if not most, ransomware attacks find their way in through phishing attacks, and so a workforce prepared to recognize and defend against this form of social engineering is vital to resilience. Backups. You need to prepare secure, regular offline backups and check them often for signs of compromise. Air gaps. Don't connect what doesn't need to be connected. Don't pay the ransom. This is a tougher call, but in general it would be better for everyone
Starting point is 00:04:09 if the financial incentive for ransomware gangs were driven down. Segmentation, make it difficult for ransomware to propagate across the enterprise. Zero trust security, enforce proper validation and authorization. Digital transformation, by all means, modernize, but don't open fresh attack surfaces when formerly manual systems and operations are automated or brought into the network. And last but not least, patches.
Starting point is 00:04:37 Keep systems up to date. Far more attacks use known exploits than they do zero days. CIO Insight also sees crisis as opportunity. Boards and C-suites are likely to be disposed to listen to advice, provide resources, and to be unusually willing to invest in better security. Bloomberg Law reports that a proposed class action suit against Colonial Pipeline has been filed in the U.S. Federal Court for the Northern District of Georgia. Such actions have become practically routine for high-profile cyber incidents. The plaintiffs allege, in part, quote, as a result of the defendant's failure to properly
Starting point is 00:05:17 secure the Colonial Pipeline's critical infrastructure, leaving it subjected to potential ransomware attacks like the one that took place on May 7, 2021, there have been catastrophic effects for consumers and other end-users of gasoline up and down the East Coast. MIT Technology Review speculates that Russia's toleration, at the very least, of ransomware operators, has at this point gone too far and may force the U.S. toward retaliation against Moscow. Retired U.S. Admiral James Stavridis, a former Supreme Allied Commander Europe, writes that such retaliation might draw lessons from the history of privateering and the suppression of piracy, but that above all it should be a cooperative action with allies. He writes, quote,
Starting point is 00:06:06 While there is no hard public evidence that the government of Russia is benefiting financially, multiple sources, including the U.S. Treasury Department, indicate that it is affording protection to hacking organizations that steal from and disrupt the West. If true, the rules appear simple. Don't attack any Russian or Russian-aligned nations, but otherwise the cyber seas are open for hunting. Although it's uncertain if the Kremlin was involved, the ransomware attack on the East Coast pipeline system
Starting point is 00:06:37 by Russian-based hackers known as DarkSide seems to fit this pattern. End quote. He advises more naming and shaming, sharing of evidence with allies, and, where possible, seizure of the cyber privateers' assets. And he thinks retaliation against the Russian state might well be a justifiable step, quote. Finally, if the U.S. has appropriate evidence to show Russian government collusion with cyber criminals, it needs to respond in kind at the national level. It could, for example, intrude on Russian End quote. U.S. capabilities should remain unused and in a war reserve mode, but more prosaic tools could certainly be deployed. End quote.
Starting point is 00:07:29 If Russian official sources are to be believed, some such retaliation may have already taken place, but it would have been retaliation against earlier Russian operations, not the more recent ransomware or supply chain compromise incidents. TASS is still authorized to declare that in the SVR's view, the U.S. and the U.K. may well have been behind the SolarWinds compromise, but this opinion seems to have few takers, at least in the Five Eyes.
Starting point is 00:08:02 There's a new report, however, this one described by The Record, in which Rostelecom Solar, the cyber unit of telecom company Rostelecom, and the FSB's National Coordination Center for Computer Incidents, describe a 2020 campaign against Russian cyberspace that they assess as the work of cyber mercenaries pursuing the interests of a foreign state. The effort is said to have involved social engineering, a protracted reconnaissance phase, and introduction of malware specifically designed to evade detection or blocking by Kaspersky products. It's possible that there was such a campaign
Starting point is 00:08:37 against Russian government targets. Russian sources don't identify the foreign government that may have hired and dispatched the mercenaries, but it could be any number of adversaries or competitors. The charges may also amount to a tu quoque response to U.S. attribution of the SolarWinds compromise to Russia. The BBC describes the ransomware attack on Ireland's HSE as catastrophic. Bleeping Computer reports that the Conti gang has given HSE a free decryptor,
Starting point is 00:09:09 but still threatens to sell or publish stolen information if they're not paid. The affected organization is evaluating its decryption options. Finally, the $4 million-plus ransom Colonial Pipeline paid DarkSide seems big enough, but it's practically chicken feed when compared to a payment Bloomberg reports CNA Financial made back in March. The Chicago-based insurance firm, seventh-largest commercial insurer in the U.S., is said to have paid $40 million to the gang that extorted it.
Starting point is 00:09:43 Which gang got the money is unclear. The ransomware strain employed was Phoenix Locker, a variant of Hades, and Hades was developed by the Russian criminal threat actor Evil Corp. But CNA says it paid Phoenix. The distinction, if it can be maintained, isn't an idle one. Evil Corp is under U.S. sanction.
Starting point is 00:10:07 Phoenix, formally, is not. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:10:49 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
Starting point is 00:11:23 and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:12:16 In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Jon Ford is Managing Director of Global Government Services and Insider Threat Security Solutions at Mandiant, and prior to that, he enjoyed a distinguished career with the FBI. He joins us with insights from Mandiant's 2021 M-Trends report, a view from the front lines. Well, let's dig into our main topic of discussion today,
Starting point is 00:12:59 which is this most recent Mandiant M-Trends report. This is the 2021 report. Before we dig in here, I mean, this report has quite a pedigree going back over a decade now. Yes, it does. It is one of the signature reports that we put out each year and really starts showing the trends of what types of activity has really been taken over the years. And also, I think what's more interesting for us, I mean, it talks about the malware families, the types of malicious activities that are occurring. But what I think is even more interesting is where it shows dwell time is very important to us
Starting point is 00:13:38 because it really shows that time of where the detection has really been lowering year over year. And we're getting better and better at detecting those incidents. And I'm not talking about just we as Mandiant, but I'm talking about we as in companies and governments. They're getting much better at detecting these much quicker. It's remarkable this ongoing and, I suppose, continuing trend of the professionalization of these organizations. It seems like year after year, in many ways, they're upping their game.
Starting point is 00:14:10 They are upping their game. And it's not just a closed organization, as most would think. It's not just a group of people in a room somewhere doing this. It's very disparate. And they've actually made their business efficiencies as well. So they have groups that only design the ransomware. They have the groups that are only doing the targeting. They have the groups that only get into the systems and exfil the data.
Starting point is 00:14:37 And they have other groups that are managing the data and handling the extortion. And from that perspective, yes, they have professionalized their ability to become very efficient at what they're doing, but also target in a much more precise way to get the most money. These criminals are trying to get the most money that they can, quite frankly. Well, I mean, let's go through some of the other details in the report. What are some of the things that stand out to you? From a malware perspective, what we're discovering when we're doing our incident response is that the majority of those have not been seen before. So that becomes a very interesting point for us because that's one of the key detectors that most organizations look. How can I block known malware, malware that's out there based upon whatever indicators those organizations use? But we're seeing more
Starting point is 00:15:28 and more custom malware that's out there that is much harder to detect. And so when we're doing our incident responses, we're seeing that the majority has not been seen before. And so for us, that makes it, you know, we're starting to have to detect based upon behaviors as opposed to detect based upon signature. And I suppose, I mean, we have to mention that, of course, as everybody knows, 2020 was not your typical year. Thanks to COVID-19, a lot of things shifted around. They did. They did.
Starting point is 00:16:02 And one of the things that we first saw start moving around, too, was also insider threats. When they work from home began in 2020 for us and they started seeing more people going home, also people started reacting to what will the economy be tomorrow, right? And what does this mean? We started seeing layoffs occur. And from when we started seeing those occur as well, then that became a challenge for organizations. And one of the, you know, the first series that we started seeing of attacks were when layoffs occur, that there were still back doors that were left by the
Starting point is 00:16:47 employees in the organizations, and they were destroying their data that would make the company profitable and destroying their backups. And so that was one of the first things that we started to see. Did you see any interesting trends or movements when it comes to the particular industries that were being targeted here? Have they shifted who they're going after? So from an insider perspective, we did see that one of the biggest things
Starting point is 00:17:20 that started happening was there was an accelerated opportunity for research around COVID, right? How can, who could come to market with the COVID vaccine? Right after that is what we saw, saw a shift in where it started becoming much more in an espionage perspective. There were still many businesses that were going to continue moving forward and their research was key. the Thousand Talents Program or other talents programs that are done by the countries to
Starting point is 00:18:05 identify individuals who could bring that information to them so they could be first to market and essentially try to reduce that development curve on the research and development side and try to have something to go to market faster with. That's Jon Ford from Mandiant. There's a lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews. Thank you. worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
Starting point is 00:19:11 stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And joining me once again is Craig Williams. He's the director of Talos Outreach at Cisco. Craig, always great to have you back. Over on the Talos blog, you guys posted some interesting research here. It's titled Cheating the Cheater, How Adversaries are Using Backdoored Video Game Cheat Engines and Modding Tools.
Starting point is 00:19:55 What's going on here, Craig? Well, you know, after work, sometimes I like to continue conducting my research by playing video games with people who work for me and other management with Intel. Call of Duty is a big one, Rainbow Six Siege, fun games like that. So as part of our research, if we call it that, can I expense the software? I was going to say, that's what you tell your bosses anyway.
Starting point is 00:20:19 Oh, they play. Seriously though, video games are played by everyone. They're played by people in the security space. They're played by executives in the security space. They're played by just about everyone now. These aren't for teenagers, although teenagers do play, children play. So video games have become as ubiquitous as TV 10 or 15 years ago.
Starting point is 00:20:41 And I think it's important to realize that when you're talking about video games now, you're talking about the new form of medium. It's as popular as the newspaper when our parents were kids. And so because of that, if you can have an advantage in a video game, it makes it a lot more fun to most people.
Starting point is 00:20:59 Or at least a huge percentage. So are we using the euphemistic word advantage there, Craig? What advantage is it of which you speak, my friend? I did air quotes, I promise. But so what happens here is people will use the allure of cheating to draw people into making poor security choices. It's no different than people who send out get-rich-quick scams, and similar to
Starting point is 00:21:29 the Nigerian Prince email, just a little bit more of an attractive package targeting a little bit smarter user. So what they'll do is they'll send out cheats with different lures saying, hey, favorite video game of the week, if you'd like to have an aimbot and never miss again, download this attachment.
Starting point is 00:21:48 Or if you would like to have infinite gold, download this attachment. And so obviously for most users, they'll see that right away and think that's not true. But where it gets a little bit more complicated is either users who don't care, or what if the tool is real, it's just also been modified to include a piece of malware.
Starting point is 00:22:10 Right, right. So what are you seeing here? What are some of the specific cases? Well, in the blog we put out on the Talos Intelligence blog, we've got some modding tools with how-to videos and other sorts of social lures, and we've got some cheats. The example we go through in the specific blog is a Visual Basic obfuscated loader. It's really an interesting thing to reverse. We go through all the different steps in the blog post and kind of walk people through
Starting point is 00:22:39 how complicated and how obfuscated this is. And the reason I mention that is because it's a great example of how complex this scene has become. It's no longer little lazy exploits. Now we're seeing time and effort put into making these evasive and making them more convincing and making them hard to analyze and hard to unpack. And again, the reason they do this is to trick security analysis tools,
Starting point is 00:23:09 to prevent analysis, to make it more difficult to figure out what the software is actually doing. And so to that end, in the blog post, we walked folks through the entire sample in painstaking detail. Holger was nice enough to take screenshots of just about every step to show people exactly what these modding tools are doing and how the malware is getting its hooks into their system. So, I mean, other than the obvious lesson that, you know, cheaters never win and you shouldn't cheat at games. You're a bad person if you do that. The security thing is obvious here that, as you say, they're taking advantage of people's desire to get something for nothing
Starting point is 00:23:54 and you might end up with more than you bargained for. Well, exactly. And I think there's a massive number of people in the computer security community who got into computer security learning to cheat at video games and learning to mod video games. It's a natural stepping stone
Starting point is 00:24:13 to understanding how the games work, how things work, which leads people right into computer security. It's kind of ironic. I think this type of lure is incredibly attractive to people interested in computer security. So it's kind of funny, right? It's a lure that works on a lot of people, but it also probably attracts the people the actors don't want. Well, yeah, but isn't that interesting?
Starting point is 00:24:34 Because on the one side, you're right. I could see there being a comfort level that, you know, this is something I'm familiar with. This feels like home. This takes me back. Because also, I think in the old days, a lot of these things were passed around in the days before there was malware. People weren't thinking about that kind of thing. They weren't thinking to do that kind of thing. So there may be a false sense of security for some of the old timers when it comes to that, even if it's subconscious. But then I think your point's a good one, that if you're a bad guy, the last group you want to attract
Starting point is 00:25:08 are security professionals, right? Well, and I think that's why they went through pretty great lengths to make sure that the code was obfuscated and hard to analyze. But I think the other point that's well made here is that, as you sort of said at the outset, that there are people from all walks of life playing these games. So it's not like these are just, you know,
Starting point is 00:25:29 script kiddies going after kids in their pocket change. There are some pretty big targets out there that make this worth their time. Absolutely. And that's why we wanted to make sure and remind everyone, anyone associated with our blog, that you should never download cheats or game mods gently. You should always give them the proper inspection, make sure they're from a trusted source, point your security software
Starting point is 00:25:55 at it and let them scan it and make sure that they can process the files. I wouldn't even run video games, period, on my important systems. You should have a system for gaming. Well, it's a fascinating blog post. And for those of you out there who are sort of learning how to do a lot of this stuff, it's a great step-by-step that really takes you through the process that you and your team went through to sort of reverse this and figure out what was going on.
Starting point is 00:26:23 So there's something for everyone here. So I encourage you to check it out. It's over on the Talos Intelligence blog. Craig Williams, thanks for joining us. Thank you. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's edition of Research Saturday and my conversation with Joe Slowik from DomainTools.
Starting point is 00:27:00 We're discussing COVID-19 phishing with a side of Cobalt Strike. That's Research Saturday. Check it out. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Thanks for listening. We'll see you back here next week. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
Starting point is 00:28:17 helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
