CyberWire Daily - Downloading cracked software. [Research Saturday]
Episode Date: September 30, 2023
David Liebenberg from Cisco Talos joins to discuss Talos' discovery of cracked Microsoft Windows software being downloaded by enterprise users across the globe. Downloading and running this compromised software not only serves as an entry point for threat actors, but can serve as a gateway to access control systems and establish backdoors. Talos identified additional malware, including RATs, on endpoints running this cracked software, which allows an attacker to gain unauthorized remote access to the compromised system, providing the attacker with various capabilities, such as controlling the system, capturing screenshots, recording keystrokes and exfiltrating sensitive information. This research article was not published by Cisco Talos' team.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities,
solving some of the hard problems,
and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
So through some of our regular Ukraine work monitoring, we have a task force that we have
set up looking at specific Ukrainian customers who are sensitive based on what kind of company they are
and, of course, where they're located.
And through this regular monitoring, we discovered this trend.
And once we found it on one victim,
we found it on a bunch of different victims,
first in Ukraine, then all over the world.
That's David Liebenberg. He's head of strategic analysis at Cisco Talos.
Today, we're discussing their discovery of cracked Microsoft Windows software being downloaded by enterprise users around the world.
So, that's how we came across it. We didn't realize how prevalent it was when we first encountered it.
Well, let's dig into some of the details here.
I mean, we're talking about folks having cracked versions of Microsoft Windows installed on their systems.
Is this an intentional choice by the organization to take
this route? So it's an open question, right? Why are we seeing so much of this? I think there's
a lot of reasons for it. Partly you can think of poor hygiene, poor security training, not
talking about the risks of these things. But there could also be
time pressures. There could be management issues. There could be, hey, I need this done.
Oh, but that license is too expensive. Figure it out. Whatever the reason is, there's some sort of
forces at work that are causing organizations all across the globe in all different industries,
employees at these organizations are downloading and leveraging these crack tools.
What exactly is going on with this in terms of, are they downloading a version of Microsoft
Windows that has already been cracked? Or are they downloading a tool that will allow them to
bypass the installation routines
on Microsoft Windows? How does it work? So universally, what we'll see is the
cracktivator aspect of it, which is, I have to credit that neologism with James Nutblund on my
team because it's such a great name. So you'll always see that sort of activation software cracked.
And usually we'll see that with a cracked or pirated version
of whatever legitimate software it's trying to activate as well.
But you could use that cracked activation software
with, say, a trial version or something like that.
But typically, yeah, you're going to see both the activation software
and the product being pirated or modified and then torrented and downloaded.
Well, you mentioned torrenting. I mean, is that the primary pathway that people get their hands on these things?
That's what we've seen. And, you know, for an advanced actor, right, that can do research and do recon and set the stage,
they can figure out are there particular torrents that are used in a particular geography?
Are there particular tools that are especially important in a particular industry?
And they can target specific torrents and specific software that way.
Well, beyond this being not the right thing to do
and the legal elements of running cracked software,
what are some of the other dangers that come into play here?
Yeah, so beyond just the illegality of pirating that software,
there's two major risks that come from it.
So first, if you're using this cracked
version, you're not going to get the regular security updates, you're not going to get the
patches, you're going to be at risk from a vulnerability angle. What we've seen even more
concerningly is that these adversaries are bundling these cracked activators with malware.
And these aren't, you know, just miners and nuisance malware like that.
They're putting RATs in there, powerful remote access Trojans that they can then use to download
second stage malware, to get credentials, escalate privileges, move laterally, and just
get a head start into your traditional apocalyptic attack chain.
So while it might seem kind of harmless,
in fact, torrenting and downloading these cracked software
can lead to really serious security issues.
And to be clear here,
if I download one of these cracktivators,
as you all call them,
and let's say a copy of Windows, the copy of Windows will work,
despite the fact that I'm having this other stuff installed over top of it.
Yes, exactly. And they're going to do whatever they can to remain silent.
So you think, hey, I'm just using this free Windows.
This is awesome
Well, in the background they've modified your Windows Defender, they've modified, you know,
your firewall, they've made changes to, you know, your defenses so that they can operate more clearly.
They're maintaining network connections, since these activators have to be rechecked periodically. So they're going to have access that way.
So, you know, there's going to be potentially a lot of malicious activity
going on in the background while you're writing your Word document.
You mentioned that this came to your attention in part because of the work that you all are doing in Ukraine. Do you think this ties into the conflicts there? Absolutely, I do think that
there are apts and advanced actors involved in that conflict who know that this is a potential means of entry.
So we have observed that there are advanced actors.
There's open source reporting of advanced actors
using this to target organizations
in sensitive areas like that.
So it's an easy way for an APT to just kind of get
a head start and get in there and then launch the rest of their attack chain.
What are your recommendations then for organizations to protect themselves against this?
I think first and foremost, there needs to be very strong and emphatic awareness campaign.
Whatever you want to call it, there has to be robust training and instructions not to
do this, the risks that could be involved, the sheer scale and scope of the problem.
Just really drilling it into employees and perhaps to the next level of management all
the way up that this is an
incredibly serious issue. It's not just about the illegality, as we mentioned, against the
legitimate software, but also all these security issues that could happen. Beyond that, you want
to do all the traditional things that can limit harm once an adversary has entered. So you want to make sure that you're
segmenting your network. So when this happens, they don't move to the ICS. They don't move to
the more sensitive areas. You have that blocked off. You want to make sure you have multi-factor
authentication. You want to have regular monitoring and logging. And as I always say,
get an IR plan in place. Make sure you are not putting out, trying to plan how to put out the fire while the fire is raging.
While you all have been digging into this, are there other apps or operating systems besides Windows that seem to be targeted here?
So Windows is the one we looked at primarily, but I have to assume that there is going to be a rich landscape
of these kind of cracktivators for a whole suite of different software used for different industries
and different geographies. So there was a European Biomolecular Research Institute,
BleepingComputer wrote about this. And a student downloaded some pirated
statistics software, and through that, Ryuk happened. It's not just Windows, and it's not just
RATs or miners or APT. This could be ransomware. This could be truly any threat that you could
think of could be bundled with these things. You know, it strikes me, David, that there's a cultural component here
as well in that, and we talk about shadow IT, and if the IT department says to someone, you know,
no, you can't have that copy of Adobe Photoshop, and, you know, the employee says, well, I need that to do my work, that could lead them
in this direction. Exactly. I think that plays a huge part in this, is these kind of pressures
that'll come through the business and through employment where there's going to be this kind
of conflict between what would be secure and what would be expedient or what will just help me keep
my job, right? I mean, you see that as a factor in so many different kinds of attacks,
like a phishing attack that plays upon an employee's responsibilities
or fears that something might happen.
So fear of losing your job or fear of getting disciplined in it
is a powerful kind of motivator for people to do things that might not
be so secure. Is there any sense at all for what might be causing the increase here that you all
are tracking? I think, you know, it might just be something that's a little bit understudied and
under monitored. Like, I did, personally, the scale of this issue
until we took a look at it.
So I think if we expand our research,
we look into other software,
we find more indicators to pivot on,
you could find that it's a much wider problem
than we had any idea about.
But I think, as with all malicious activity,
there's also going to be responses to
different trends, whether that's geopolitical. So the conflict, a conflict somewhere where
Russia's invasion of Ukraine leading to elevated threat activity, you can see that reflected in
something like this as well. But in general, I think it's just there's a mountain under the sea
that we haven't fully explored yet, but it seems to be a pretty vast problem.
And to be clear here, I mean, we've been talking about Ukraine, but your research has found this
here in the U.S. as well. Absolutely. And, you know, we have a geographical distribution that shows a strong concentration in Eastern Europe.
And one of the more surprising things from our sort of geographical distribution information
is there was a pretty small section in APAC.
I know from my years of research on threat actors in that area,
that there is a lot of pirated software that goes on there too
that is also exploited and used in different adversarial campaigns.
So I think if you looked at different cracktivators,
in addition to Windows and other software that requires licensing,
you would see very interesting,
different geographical distribution and different industries targeted.
So it's a very fascinating, diverse,
and kind of difficult problem.
Our thanks to David Liebenberg from Cisco Talos for joining us. Our discussion today was on their work tracking Microsoft Windows software being downloaded by enterprise users across the globe.
We'll have a link in the show notes.
The CyberWire Research Saturday podcast is a production of N2K Networks,
proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
This episode was produced by Liz Ervin
and senior producer Jennifer Iben.
Our mixer is Elliot Peltzman.
Our executive editor is Peter Kilpie.
And I'm Dave Bittner.
Thanks for listening.