CyberWire Daily - Emotet takedown. Solorigate updates (and President Biden tells President Putin he’d like him to knock it off). Vulnerabilities and threats discovered and described.
Episode Date: January 27, 2021
Europol leads an international, public-private, takedown of Emotet. Four security companies describe their brushes with the compromised SolarWinds Orion supply chain. Solorigate is one of the issues U.S. President Biden raised in his first phone call with Russian President Putin. New vulnerabilities and threats described. Our guest Michael Hamilton of CI Security questions how realistic CISA's latest guidance on agency forensics may be. Joe Carrigan looks at bad guys taking advantage of Google Forms. And the Internet is back in business on the US East Coast. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/17 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Europol leads an international public-private takedown of Emotet.
Four security companies describe their brushes with the compromised SolarWinds Orion supply chain.
Solarigate is one of the issues U.S. President Biden raised on his first phone call with Russian President Putin.
New vulnerabilities and threats are described.
Our guest Michael Hamilton of CI Security questions how realistic CISA's latest guidance on agency forensics may be.
Joe Carrigan looks at bad guys taking advantage of Google Forms.
And the Internet is back in business on the U.S. East Coast.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, January 27th, 2021.
Europol this morning announced a takedown of Emotet,
a cooperative operation in which Europol and Eurojust, acting in concert with authorities in the Netherlands,
Germany, the United States, the UK, France, Lithuania, Canada, and Ukraine,
took control of Emotet's infrastructure earlier this week.
Ukraine's cyber police say that steps have been taken to detain persons suspected of
running Emotet, and so by this time some arrests are either imminent or accomplished. Emotet has
bounced back before, so it would be premature to call it as dead as Al Capone, but the operation
will at least bring some respite from the malware. Team Cymru, one of the security companies that assisted with the
takedown, emailed us some comments on this week's operation. Quote, it's important to note that only
time will tell how long-lasting the takedown will be. The law enforcement, security vendor, and
network operator communities will continue to track, monitor, and collaborate in the continuous
effort to defend against these ever-evolving threats.
That's a good counsel of prudence, and organizations would do well to keep their guard up.
Still, any respite is welcome, and there's a good chance some of the perpetrators will be brought to justice.
So bravo, Europol, and all of your international public and private sector partners.
Those interested in whether their email address was among those found in Emotet's haul may consult a database the Dutch police have made available.
The known extent of Solorigate continues to expand.
Four security firms, Mimecast, Palo Alto Networks, Qualys, and Fidelis,
have acknowledged that they had installed Trojanized versions of the SolarWinds Orion application.
Some of the disclosure was prompted by Netresec's report Monday that identified 23 targets of what most observers regard as a Russian cyber espionage campaign.
Of all of the compromises, Mimecast's seems the most worrisome, although it also seems to have been contained.
The company said that a certificate it had issued turned out to have been compromised,
but that its customers have been warned and provided new keys,
the former compromised connection keys now having been disabled.
Palo Alto Networks noticed suspicious behavior on two servers last autumn,
stopped it, and retrospectively connected that behavior with the SolarWinds campaign.
ZDNet reports that Qualys says that only an isolated test system was affected.
Fidelis also said that a test system had downloaded a Trojanized version of Orion,
but that the company is still investigating the possibility
that there may have been some further compromise.
On Tuesday, U.S. President Biden made his first official call to Russian President Putin.
Defense One reports that President Biden brought up Russian complicity in Solorigate.
Russian statements characterized the call as open and businesslike. The Wall Street Journal quotes Russian sources as emphasizing President Putin's interest
in normalizing ties between the two countries.
Russia has categorically denied any involvement in Solorigate,
and Moscow didn't mention it in their public statements
about the chat between the two heads of state.
There are several new reports of vulnerabilities
or malicious activity.
To take the vulnerability first, security firm Qualys warns of a heap overflow vulnerability
they've found in the widely used Unix and Linux utility sudo.
They've given it the voodoo-inspired name of Baron Samedit,
in an apparent allusion to Baron Samedi, the loa of the dead,
only giving their Baron vulnerability a final T
in its name. The sudo utility allows users to run programs with the security privileges of
another user, and Qualys has concluded that Baron Samedit has been hiding in plain sight for a
number of years. Qualys disclosed their discovery to sudo's author and open source distributors
before making it public, and fixes should be available. Qualys recommends patching as soon
as possible. Researchers at RiskIQ describe a phishing kit they're calling LogoKit, which they
assess as having been developed and deployed with an eye to simplicity of deployment and range of targeting. They've found some 700 sites hosting LogoKit over the past 30 days.
LogoKit's simplicity is said to make it easy for criminals to compromise sites.
RiskIQ describes its operation as follows,
quote,
A victim is sent a specially crafted URL containing their email address.
Once a victim navigates to the URL,
LogoKit fetches the company logo from a third-party service, such as Clearbit or Google's Favicon database. The victim email is
also auto-filled into the email or username field, tricking victims into feeling like they have
previously logged into the site. Should a victim enter their password, LogoKit performs an AJAX request,
sending the target's email and password to an external source, and finally,
redirecting the user to their corporate website.
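The RiskIQ description above gives defenders one concrete signal to hunt for: a request to an unfamiliar host whose URL carries the recipient's own email address in the path, query or fragment. The script below is an added example, not code from the transcript, from RiskIQ or from any vendor; it scans constructed proxy log lines (the format, the hostnames and the trusted-host list are all assumptions made up here) and flags URLs that embed an email address and do not point at a host the organization expects its users to log into.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample proxy log lines (not real traffic): timestamp, user, method, URL.
SAMPLE_LOG = """\
2021-01-27T09:14:02Z alice GET https://intranet.example.com/login
2021-01-27T09:15:44Z bob GET https://cdn-assets.example.net/portal/index.html#bob@example.com
2021-01-27T09:16:10Z carol GET https://files.example.org/shared/view?doc=42&u=carol%40example.com
2021-01-27T09:17:31Z dave GET https://mail.example.com/inbox
"""

# Simple email pattern; good enough for spotting an address smuggled into a URL.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Hosts where a user's own address legitimately appears in login URLs.
# This is an assumed allow-list constructed for the example.
TRUSTED_HOSTS = {"intranet.example.com", "mail.example.com"}


def emails_in_url(url):
    """Return the set of email addresses found in a URL's path, query or fragment."""
    parts = urlsplit(url)
    candidates = [unquote(parts.path), unquote(parts.fragment)]
    # parse_qs already percent-decodes values, so carol%40example.com becomes carol@example.com
    for values in parse_qs(parts.query).values():
        candidates.extend(values)
    found = set()
    for text in candidates:
        found.update(EMAIL_RE.findall(text))
    return found


def find_suspicious(log_text, trusted_hosts=TRUSTED_HOSTS):
    """Flag requests whose URL embeds an email address and targets an untrusted host."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash the sweep
        ts, user, _method, url = fields[:4]
        host = urlsplit(url).hostname or ""
        if host in trusted_hosts:
            continue
        emails = emails_in_url(url)
        if emails:
            hits.append({"time": ts, "user": user, "host": host, "emails": sorted(emails)})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

Run stand-alone it reports bob's and carol's requests and ignores the two internal logins. In practice the trusted-host set would come from the organization's real SSO and mail hosts, and a hit where the embedded address matches the requesting user is the stronger signal, since that is exactly the pre-filled-username trick the kit relies on.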
Late yesterday, Proofpoint announced that its researchers had found a new version of
DanaBot active in the wild. DanaBot is a modular malware that's been traded in the
criminal-to-criminal underground market since 2018, but whose usage fell off last summer.
Now it's returning. The banking malware seems now bent on regaining lost market share.
AT&T Alien Labs has been tracking the TeamTNT threat actor, and they've found that the group
is now using a new detection evasion tool
that they've evidently copied from open-source repositories.
TeamTNT is best known for its cryptojacking.
They're now using the libprocesshider tool
to hide from process information programs.
Alien Labs thinks it would be worth a security team's while
to keep an eye out for libprocesshider
and to regard it as an indication that TeamTNT may be active in their systems.
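The transcript does not say how libprocesshider hides processes, but the open-source tool of that name works as a shared library registered in /etc/ld.so.preload that filters a chosen process name out of directory listings of /proc, so tools like ps never see it. That suggests two checks a security team can run: look for unexpected entries in /etc/ld.so.preload, and compare the PIDs the kernel exposes under /proc with the PIDs a process-listing tool reports. The code below is an added example written for this page, not Alien Labs' or the tool author's code; the preload file contents and the two PID sets are constructed sample data, and the library path in them is a made-up placeholder.

```python
def preload_entries(preload_text):
    """Parse the contents of /etc/ld.so.preload into a list of library paths.

    The loader treats '#' as a comment and accepts whitespace-separated paths,
    so the same rules are applied here. An empty list is the healthy result on
    most hosts, which makes any entry at all worth a closer look.
    """
    entries = []
    for line in preload_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.extend(line.split())
    return entries


def hidden_pids(proc_pids, ps_pids):
    """PIDs present in the /proc listing but missing from the ps-style listing.

    A userland hook that filters directory reads hides entries from ps, but a
    PID set gathered by a path the hook cannot reach still contains them, so
    the set difference exposes exactly the hidden processes.
    """
    return sorted(set(proc_pids) - set(ps_pids))


def assess(preload_text, proc_pids, ps_pids):
    """Combine both signals into one verdict."""
    libs = preload_entries(preload_text)
    hidden = hidden_pids(proc_pids, ps_pids)
    return {
        "preload_libraries": libs,
        "hidden_pids": hidden,
        "suspicious": bool(libs) or bool(hidden),
    }


# Constructed sample data standing in for a host where one process is hidden.
# The library path is a placeholder, not an indicator taken from any report.
SAMPLE_PRELOAD = "# system preloads\n/usr/local/lib/libprocesshider.so\n"
SAMPLE_PROC_PIDS = {1, 2, 437, 1210, 1211, 1337}
SAMPLE_PS_PIDS = {1, 2, 437, 1210, 1211}

if __name__ == "__main__":
    print(assess(SAMPLE_PRELOAD, SAMPLE_PROC_PIDS, SAMPLE_PS_PIDS))
    # prints {'preload_libraries': ['/usr/local/lib/libprocesshider.so'],
    #         'hidden_pids': [1337], 'suspicious': True}
```

One caveat matters when feeding this real data: a library in /etc/ld.so.preload is loaded into every dynamically linked program, this script included, so the /proc PID set must come from something the hook cannot filter, such as a statically linked tool or an agent that reads /proc from outside the host. Comparing two listings that both go through the hooked libc would show nothing.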
And finally, if you're on the U.S. East Coast, did you notice some connectivity issues yesterday?
We did.
Verizon experienced an outage that disrupted Internet connectivity in the northeastern U.S. for a couple of hours yesterday,
The Verge and others report.
Service was substantially restored yesterday afternoon.
The cause remains under investigation,
but not every outage is a cyber attack.
This one, according to WRAL, seems to have been an issue,
not an attack.
In the aftermath of the SolarWinds Orion software breach,
CISA gave marching orders to federal agencies,
requiring that they conduct a forensic analysis by the end of the month.
Michael Hamilton is former vice chair for the DHS Coordinating Council,
former CISO of Seattle, and currently CISO of incident response firm CI Security.
I spoke with him about whether or not CISA's guidance is realistic.
Well, the SolarWinds events, which I guess we'll just call it that,
as the covers are peeled back from that, we're finding that there are more and more compromised pieces of software that are used in federal agencies.
And there have been multiple tools used to gain persistence that are outside the initial compromise.
And so it's going to take a bit of a deep cleaning.
Some of the recommendations that we all saw,
you need to nuke from orbit and start over.
Well, short of that, which is going to be an expensive and lengthy undertaking.
Well, so the cybersecurity infrastructure and security agency
sent out some guidance for these organizations.
And one of the things that they've given them is a deadline to do what they call a forensic analysis.
What are your thoughts on that?
Well, if their definition of forensic analysis is the same as mine, I just don't see any way that they can complete a body of work like that by the deadline that they set. The human resources required to do that and the
technology footprint required to do that is substantial. So, you know, the federal government
has a lot of resources, you know, and they can go out and hire contractors to do this. But let's remember,
even the contractors, all of these resources are in such short supply. And I can tell you with a
good deal of authority that, you know, based on what's happening here in my company, the phone's
ringing off the hook with incidents that need to be cleaned up. And so the practitioners that do
this kind of work are in even shorter supply right now. So, you know,
it's, I won't say it's impossible. I will say that there's maybe a definitional difference.
You know, when they're talking about doing forensics, they may be talking about going
through and searching deeply for indicators of compromise. I don't think they mean creating legally defensible forensic images that are moved around with chain of custody paperwork and then exposed to a deep forensic analysis.
I just don't think they mean that because if they do, there is no chance they will get this done by the end of the month.
How would you come at this? I mean, what are your thoughts on a
practical possible way to come at a problem like this? Well, I think what they're doing is the
right thing. Again, you know, definitionally, we're not entirely sure what they mean there.
But while they go through a process of, let's just call it deep cleaning, and there's a variety of ways to do that, all the way from scanning with a tool that's not the same as your regular endpoint security tool to see if there's something that it missed, all the way to flatten and reimage.
While that is going on, because that is the process, implementing compensating controls around the network to make sure that, for example, if your preventive controls lapsed and let
this in the environment, your detective controls, your monitoring should be way tuned up to
make sure that any aberrational behavior, especially aberrational behaviors that map to known behavior of these pieces of malware,
that needs to get tooled way up
as they go through this process.
So they have not only a way to do this deep cleaning,
but a way in the interim to be watching the network
to make sure that they can identify
anything that starts to look weird
and then focus on that, prioritize that.
So that would be the way I would go about it.
That's Michael Hamilton from CI Security.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute, also my co-host on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
Interesting story from the folks over at Proofpoint. They did some research that they published
on their blog. It's titled BEC Target Selection Using Google Forms. There's some interesting
stuff going on here. What can you describe for us here, Joe?
It is interesting, Dave. Actually, this ties in nicely with the last week's episode of Hacking Humans, where we had our guests talking about this exact same kind of thing.
The folks at Proofpoint have found a campaign where people are using Gmail and Google Forms in tandem.
And they're using these to bypass their email security content filters based on keywords.
And what they do is they send emails in. And what's interesting is they're not sending emails
from a spoofed name. It's just the email address in the name. It doesn't have any name associated
with it like you can do with a Gmail address. But they're putting that name, the name of the C-level suite of the target organization, in the subject line. Right.
And then it's, it's a typical, typical, almost like a gift card scam, the way it's opening up
with a very short thing. Hey, I'm going into a meeting and I need your help. Right. And that's
the end of the discussion. But the idea is to get people to respond back to that. And then they send a link
to a form. It's a Google form. And it's just an empty form. There's nothing set up on it.
And they're trying to get people to interact and say, maybe even submit the form, the empty form
as it is. And Proofpoint is
speculating that the reason these, these actors are doing this is because they're trying to select
who they're going to send business email compromise phishing emails to, so they can get their
credentials. Because if I send you an email, uh, impersonating someone from your C-suite, and it's not from
a recognized email address, I don't even spoof the person's name, I just put it in the subject
line, and you click on the form link I send you, and you fill out a blank form, you're
probably a prime candidate for clicking on links in emails.
Right, right.
Right?
Right.
I mean, this is a really astute observation, I think. And what's interesting is that they're using these existing services to
get around all the filters that are out there. There are filters that these companies pay
thousands of dollars a year to use, and this just bypasses all of them.
Because everything here is coming from Google, who is a legit entity.
Yep, absolutely.
Now, when you go to the Google Form, can they tell that it was you that went to the Google Form?
Is that how they're tracing it back to you?
You know, I don't know. I'm not a Google Forms user. I mean, I could be. I have a Google account. But I did some quick research,
and I can't find a definitive answer that says, yes, you can tell that this person went to the form or loaded the form. But you can certainly tell when they submit the form. You can get that
information from them. I see. And if you go through the trouble of building a form for each
person that you send an email to,
then you can easily tie those two together,
the form submission and the email address.
No problem.
Yeah.
You can put images on the form.
If you can put an image on the form,
you can track that image using another web service.
Sure, sure.
Yeah, it's interesting how these are more and more,
they're multi-tiered.
You know, we've got to put the first level of bait out there to see who's susceptible to that.
And then once we get that group of people who have proven themselves susceptible to this first level,
then we know who to really spend our time, attention, and resources on.
Exactly. This is very much like the Nigerian prince scams, right? The Nigerian prince scams
are ridiculous and far-fetched, as well as the benefactor scams. There are a lot of scams out
there that are just so ridiculous and far-fetched that they're engineered to be that way so that
the people that respond to them are the people that are more likely to be
susceptible to believing it. And you can lead them along. In other words, I don't want to use
the word dumb, right? But if you're the kind of person that responds to an email from a Nigerian
prince, you're also the kind of person who sends money to someone you don't know, right? There's a
higher probability of that. So this is the same kind of
research. These guys are honing their craft. And you and I have watched this evolve over the past,
what, six years, seven years? But these guys are part of the sales organization. I like to make
the business analogy because these operations are run like businesses. And these guys are taking, these are the lead generation.
These guys are taking the vast list of emails from a company
and they're condensing it down to the people
who are most likely to respond to the next step in the sales chain.
And they're going to pass that information on to the next group of people.
Yeah.
Yeah, well, again, it's an interesting bit of research here
from the folks over at Proofpoint
So if you want to get the details, you can head over to their website and check out the blog there
Yeah, interesting development for sure
Alright, well Joe Carrigan, thanks for joining us
It's my pleasure, Dave.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Sock it to me.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.