CyberWire Daily - Patch notes. What’s happening with REvil remains unclear, but it would be rash to count the gang out.

Episode Date: July 14, 2021

SolarWinds patches a zero-day exploited by a Chinese threat group. Patch Tuesday notes. What’s up with REvil: takedown, retirement, rebranding, or glitch? (Don’t bet against rebranding.) Joe Carrigan from JHU ISI on cell phone carriers sneaking us ads via SMS. Our guest is Nicko van Someren of Absolute Software with a look at endpoint risk. And bots like futbol. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/134

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. SolarWinds patches a zero-day exploited by a Chinese threat group. We've got Patch Tuesday notes. What's up with REvil? Takedown, retirement, rebranding, or glitch?
Starting point is 00:02:09 Joe Carrigan from Johns Hopkins University Information Security Institute on cell phone carriers sneaking us ads via SMS. Our guest is Nicko van Someren of Absolute Software with a look at endpoint risk. And those bots like football. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 14th, 2021. We begin with a few quick notes on this week's patches. SolarWinds yesterday patched a vulnerability in its Serv-U FTP server that Microsoft discovered. Bleeping Computer reports that groups based
Starting point is 00:03:06 in China were using the vulnerability to prospect U.S. defense contractors and software companies. The Microsoft Threat Intelligence Center says it has observed DEV-0322 targeting entities in the U.S. defense industrial base sector and software companies. This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure. Yesterday was Patch Tuesday. Microsoft's fixes included patches for three zero-days undergoing exploitation in the wild,
Starting point is 00:03:42 two Windows kernel privilege escalation issues, and one scripting engine memory corruption flaw. CISA released advisories on 21 industrial control system products, and a separate CISA emergency directive also required federal agencies to apply mitigations to Windows print spooler vulnerabilities. Those mitigations have been made generally available in Microsoft's July updates, and CISA wants the agencies it oversees to implement them. REvil's disappearance early yesterday morning from its usual online haunts, including its own cynically named Happy Blog, remains unexplained. The New York Times and others note that the vanishing followed a U.S. request that Russia do something about ransomware gangs operating from its
Starting point is 00:04:31 territory, but it's unclear what connection that had with the American démarche. Steve Moore, chief security strategist at security firm Exabeam, wrote to offer some perspective on what may have happened to REvil. Quote, It would seem that everything is down for REvil. Landing page, payment, help desk chat. This outage could be criminal maintenance, planned retirement, or, more likely, the result of an offensive response to the criminal enterprise. We don't know.
Starting point is 00:05:01 If the outage is the result of an offensive response, then this sends a new message to these groups that they have a limited window in which to work. Furthermore, if a nation responds to criminals backed by and hosted in another country, this will change the definition of risk for affected private organizations. The question becomes who is and isn't ready
Starting point is 00:05:21 to participate in this new theater. If a nation engages in offensive hackback operations, then to what degree should they defend private companies as well, which is arguably more valuable? The Washington Post summarizes three likely alternative explanations. First, the Kremlin bent under U.S. pressure and forced REvil to close up shop. Second, U.S. officials tired of waiting for Kremlin cooperation and launched a cyber operation that took REvil offline.
Starting point is 00:05:52 And third, REvil's operators were feeling the heat and decided to lay low for a while. Dmitri Alperovitch, chairman of the Silverado Policy Accelerator and well-known as the co-founder and former CTO of CrowdStrike, tweeted his own three suggestions. One, REvil decided to take a summer break or even rebrand themselves entirely like they did in 2019. Two, they got pressured by the Russian government to go quiet, at least for a bit. And three, with the tip of his virtual hat to DomainTools' Joe Slowik, he suggests their interns screwed up DNS. On that third possibility, Alperovitch and Slowik are surely funnin',
Starting point is 00:06:33 but the possibility of IT problems can't be ruled out entirely. As Recorded Future's Allan Liska told MIT Technology Review, the bulletproof hosting services criminals tend to use are often dodgy and unreliable, and sites do drop on and off. But in this case, that's unlikely, since all things REvil took it on the lam simultaneously. Liska said, quote, ransomware sites are hosted by bulletproof hosting and they're flaky, they all go up and down, but they never all go up and down at the exact same

In his Twitter feed, Alperovitch also commented that REvil's disappearance didn't look either like a U.S. Cyber Command operation or a takedown by non-Russian law enforcement agencies, quote, given that domains were not fully seized, as would be standard practice, end quote.
Starting point is 00:07:26 REvil's operators may simply be rebranding, as they are generally believed to have done in 2019, when REvil appeared shortly after GandCrab announced that it was disbanding. Perhaps the operators will reform under a new name. If they just watched Black Widow, maybe they'll pick Red Room as their new name. It's worth noting that pressure by the Russian government is consistent with both retirement and rebranding. Privateers take guidance, after all. Taken down, on vacation, in custody, or just regrouping,
Starting point is 00:07:57 the organizations who represent ransomware gangs' potential pool of victims would be unwise to let their guard down. Neil Jones, cybersecurity evangelist at Egnyte, wrote us to say that, quote, when malware infrastructure goes offline, even temporarily, that's obviously good news for businesses. However, I would encourage organizations not to let their guards down and to continue with the proven detection and mitigation strategies that have gotten them through the recent ransomware crisis. Realistically, new ransomware infrastructure can be brought online quickly,
Starting point is 00:08:31 so we all need to remain vigilant. While it's too early to determine the cause of the site's outages, continual steps must be taken to thwart ransomware groups, and the public and private sectors must come together at the highest levels to challenge multi-million dollar cybercriminal gangs. So, criminal infrastructure might be flaky and unreliable, but it's not difficult to stand up. Let the defenders beware.
Starting point is 00:08:57 And finally, Imperva reports that the Euro 2021 tournament was accompanied by a flood of bot traffic across European sports and gambling sites. Italy took the football cup home, by the way, if the bots haven't already told you so. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:09:37 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses
Starting point is 00:10:37 is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives, and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Nicko van Someren is Chief Technology Officer at Absolute Software, an endpoint security and data risk management firm. Using telemetry data gathered from the more than 13,000 endpoints

Well, of course, it goes without saying that COVID has changed a number of things for a lot of our customers, particularly around the extent to which people are working away from head office. And so, as you might expect, we've seen an increase in the deployment of various of the
Starting point is 00:11:54 controls that you would expect as people were sent home, VPN software and the like. But what we also saw was a continuation of a number of trends that we've been seeing for a few years around the time it takes for risks at the endpoints to actually get addressed, around the amount of sensitive data being stored at those endpoints, about the complexity of the sets of security controls that happen at those endpoints. So we've seen trends about the number of vulnerabilities that are existing at the endpoints and how long they go unaddressed. We've seen trends around the amount of sensitive data being stored at those endpoints and generally about the decay of those controls at the endpoints. As you get increased complexity at the endpoint, you often find that the controls fight with each other. And so you tend to get what we call decay of the security at the endpoint as those increasingly complex endpoints and the sets of tools that you've installed fight with each other and often switch each other off. Is this a situation with diminishing
Starting point is 00:13:06 returns where too much of a good thing might fight against us? Oh, yes. It's actually not merely diminishing returns, but we actually see that at certain stages you start to get a negative return. This increased complexity at the end point means that not only are you adding more things to manage, but because those clients often fight with each other, we actually see that there's lower levels of compliance for some types of tool when you have other types of tool installed, reaching the point where as you add more complexity to the endpoint, you actually increase your risk rather than reducing your risk. So in terms of the information that you've gathered here, what are the take-homes?
Starting point is 00:13:55 What are the recommendations for organizations going forward? Well, I think that there are two things. One of the things I only touched lightly on earlier was the level of unaddressed vulnerabilities and the delay in patching. Now, not wanting to sound like a stuck record, but getting faster at patching your systems is a really good thing because we're seeing, we saw a slight improvement over last year down to 80 days instead of 95 days was the average length of out-of-dateness of Windows installations. But we're still seeing 40% of Windows 10 machines having over a thousand known vulnerabilities, which is a staggering number. So we do need to get better at patching, but we also need to make sure that we rationalize the set of endpoint controls to reduce that complexity. I think that moving towards more of a sort of zero trust model
Starting point is 00:14:54 and trying to keep data in highly managed cloud services rather than allowing the sensitive data to end up on the endpoints is something that you can do to reduce that endpoint risk. And then we also see that some of the management tools that people expect to rely on themselves need managing. So one of the key things we noticed this year was that SCCM (actually, Microsoft now call it, I think, MSCM or something; they changed its name, M-E-S, anyway, the endpoint agent formerly known as SCCM), even that built-in tool requires regular maintenance and reinstallation or reconfiguration. We're seeing that within a 90-day period, upwards of a quarter of those endpoints actually need maintenance. So having insights into the state and health of those endpoints and all of the various different controls you install on
Starting point is 00:16:00 there is crucial to maintaining your security posture. You can have the best intentions to roll a set of controls, but if they don't stay in good condition, then you're not getting the value from all of those products that you've purchased. And so being able to have that insight and stay healthy by keeping an eye on everything is crucial to maintaining this posture. That's Nicko van Someren from Absolute Software. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
Starting point is 00:16:51 a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast. Hello, Joe.
Starting point is 00:17:40 Hi, Dave. A Twitter thread came by that caught my eye and really hits on some of the things that you and I talk about a lot over on Hacking Humans. Yes. This is from a gentleman named Chris Lacey. He's at ChrisMLacey on Twitter, evidently a developer. I believe he's from Australia, seems to be. Develops a product called Action Launcher for Android. And Chris posted this
Starting point is 00:18:08 thread. He said, I just received a two-factor authentication SMS from Google that included an ad. Google's own messages SMS app flagged it as spam. And he says, what a shameful money grab. And he had a screen capture here and it says, it has, here is your Google verification code, right? The kind of thing. It starts with the G just like you'd expect. Anything you'd expect from Google. And then there's an ad. It says, keep the hackers at bay, get a VPN today. And it has a link. Yeah. So Chris goes down the path of wondering, who put this ad on my SMS verification message? Was it Google? And some Googlers chimed in and said, no, it wasn't us.
Starting point is 00:18:52 We don't do that. In fact, they're also very happy that their Messenger app flagged it as spam. Right. They were pleased to see that part of the app was working. Right, right. But it turns out that whoever Chris's provider is, the carrier, was appending his SMS verification message with an ad. Right. Now, the fact that this ad seems to be associated with security makes me think that in some way they're analyzing the content of the SMS message that he got. Or they could be analyzing the sending number of the SMS message.
Starting point is 00:19:29 Yeah, absolutely. Say this is the number that Google uses to send their multi-factor authentication codes out. Absolutely. Anytime you see that, just add this to the end, put an ad at the end of the text message. Yeah. So I'm going to go out on a limb. Let me tell you how I feel. And then I want to get your take on this.
Starting point is 00:19:46 I think everybody knows what my take is. I think I'm with Chris here. This stinks to high heaven. Yeah. It does stink to high heaven. Okay. What do you think about this, Joe? I'm with you and Chris.
Starting point is 00:20:00 And I'm thinking somebody at whatever government level should be looking into this. Yeah. Because, you know, an SMS, you pay for that service. Right. Right. First off, that's one of the things I object to. This is a service I pay for. Yeah. Do you remember years ago when we used to have to pay per message? Yes. Right. Yes. 10 cents per message for what was essentially just a, you know, a millisecond long use of the network. We had to pay 10 cents. Now we don't have to do that anymore because the market forces have made it unlimited texting. Right.
Starting point is 00:20:33 But this carrier is still trying to capitalize on getting a text message by selling ads on a text message that Chris pays for. Right. That, in and of itself, infuriates me. Yeah. The second thing I don't like about this is, what kind of vetting process do you do for these ads? Do you just sell them to anybody? Right.
Starting point is 00:20:53 Right? Right. Who knows where that link goes? Right. There's a link there. That's a shortened link, right? Yeah. With MR5.co with some, that is obviously some shortened link or link shortening service
Starting point is 00:21:04 that you don't know where that goes. No. What due diligence is the carrier doing here? Yeah. I want to know that. Second off, should the carrier even be doing this? Should there be some kind of regulation that says you cannot interfere with this in this way? Right. No, here's the other thing that gets me about this is that this can erode your trust in your verification process. Absolutely. Right? Absolutely. So on the one hand, that's terrible.
Starting point is 00:21:33 I suppose if there is an upside to that, maybe we should be eroding trust in SMS as a multi-factor authentication method. Yeah, it's not the best multi-factor authentication method. Actually, and Chris talks about that. He says, to address the most common comments, one, I'm aware SMS is unencrypted and a poor choice for multi-factor authentication. Right, right. Yeah, he seems sort of exasperated by that. Right, because I know thousands of people went, you shouldn't be using SMS for your two-factor, right?
Starting point is 00:22:00 And he says, it's an older account, and he was just logging into it again. I'm sure he now has gotten it set up with some kind of YubiKey or something. Right. To help him secure this. Or some universal two-factor device. Yeah. He does say he's not going to tell you who his carrier is for security reasons, which I think is probably wise. Yeah, yeah.
Starting point is 00:22:20 I'd like to know who it is, but I'm not going to ask him because I think his concern is valid. Yeah. Well, I'll tell you, if this were my carrier, they wouldn't be my carrier for long. Right. They'd be receiving a phone call from me very quickly. Right. One of the final things comes from Mark Risher, who apparently works at Google. Yeah.
Starting point is 00:22:40 And it says, to close the loop, these are not Google ads and we do not condone this practice. We are working with wireless carriers to understand why this happened and to ensure that it doesn't happen again. Yeah, yeah. All right. Well, you know, you can see why this got my dander up, right?
Starting point is 00:22:59 Yeah, yeah. It irritates me, Dave. Yeah, yeah. I appreciate Chris sharing it here. I think this is good information to know that this sort of thing is out there. And boy, the carriers, I agree with you. When I rule the world, there won't be this kind of thing. The hammer of justice will come down upon these carriers.
Starting point is 00:23:22 That's right. That's right. All right. Well, Joe Carrigan, thanks for joining us. It's my pleasure, Dave. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
Starting point is 00:23:50 where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Starting point is 00:24:04 Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben. Thanks for listening. We'll see you back here tomorrow.

guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
