CyberWire Daily - Phishing for those who fear Pegasus. ChamelGang APT active against multiple countries. Problems with a ransomware decryptor. Controversial proofs-of-concept. And a death blamed on ransomware.

Episode Date: October 1, 2021

A malware campaign offers bogus protection against Pegasus surveillance. A new APT, ChamelGang, is found active against targets in at least ten countries. A ransomware gang can’t get its decryptor right. A proof-of-concept shows that charges can be made from a non-contact Visa card in an iPhone wallet. David Dufour from Webroot warns of potential perils in cyber insurance. Our guest is Shamla Naidoo from Netskope with advice for cyber innovators. And ransomware may be responsible for a child’s death in an Alabama hospital. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/190

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. A malware campaign offers bogus protection against Pegasus surveillance. A new APT, ChamelGang, is found active against targets in at least 10 countries. A ransomware gang can't get its decryptor right. A proof of concept shows that charges can be made from a non-contact Visa card in an iPhone wallet.
Starting point is 00:02:20 David Dufour from Webroot warns of potential perils in cyber insurance. Our guest is Shamla Naidoo from Netskope with advice for cyber innovators. And ransomware may be responsible for a child's death in an Alabama hospital. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, October 1st, 2021. Concerns about NSO Group's Pegasus spyware intercept tool have prompted a foreseeable response by threat actors: posing as a Pegasus detection and removal tool. Cisco's Talos Group has found that the bad actors are posing as Amnesty International and phishing for concerned, well-informed, but gullible users who are worried that they might be compromised with Pegasus.
Starting point is 00:03:29 Downloading the proffered tool, however, actually installs Sarwent malware, which Talos describes as a little-known malicious kit that serves as a remote access tool. Unlike more commonplace information stealers, however, Sarwent doesn't simply grab and exfiltrate data, but rather establishes persistence that enables it to upload other varieties of malware, as well as pulling users' data at will. The campaigns observed are well-executed: the bogus Amnesty sites and emails have a convincing look and amount to a persuasive imitation of the genuine article, and the Sarwent malware itself seems to have the general look and feel of an antivirus tool. Talos summarizes, quote, the campaign targets people who might be concerned that they are targeted by the Pegasus spyware. This targeting raises issues of possible state involvement, but there is insufficient information available to Talos to make any determination on which state or nation.
Starting point is 00:04:30 It is possible that this is simply a financially motivated actor looking to leverage headlines to gain new access. End quote. So, for now, there's no clear attribution, but be wary of offers to immunize you against Pegasus. Positive Technologies has identified a new threat actor, ChamelGang, an APT targeting the fuel, energy, and aviation sectors. Quote, in addition to two organizations in Russia, fuel and energy and aviation production companies, during further threat intelligence of the group activity, we identified 13 more compromised organizations in 10 countries of the world: the United States, Japan, Turkey, Taiwan, Vietnam, India, Afghanistan, Lithuania, and Nepal. In particular, compromised government sectors were found in the last four.
Starting point is 00:05:22 Microsoft Exchange Server was located on almost all compromised nodes. In all likelihood, the nodes were compromised using vulnerabilities such as ProxyLogon and ProxyShell. All the victims were notified by the national CERTs, end quote. Comparable organizations in the UK are also believed to be vulnerable. The APT operates by exploiting ProxyShell vulnerabilities in attacks to affect Microsoft Exchange. The attack also exploited trusted relationships. Positive Technologies explains, quote, a trusted relationship attack is an attack in which criminals hack the infrastructure of a third-party company whose employees have legitimate access to the victim's resources. For example, subsidiaries may become the first link in the
Starting point is 00:06:10 chain of attacks on the parent organization. In other cases, the attack may begin with hacking the company providing technical support. Such attacks are associated with the compromise of trusted channels, VPN for example. However, they are often confused with supply chain attacks, which are carried out using software and hardware means. An implant is embedded in the tool itself or in one part of the update to provide direct access to the server or establish a connection with the C2. End quote. The researchers have not yet attributed ChamelGang to any particular nation-state, but an APT it definitely seems to be.
Starting point is 00:06:50 Presumably, the intelligence services of the victims can be ruled out. RansomEXX, and that's E-X-X, a relatively new entrant into the ransomware-as-a-service criminal-to-criminal market, apparently has some quality control issues. Their decryptor, Profero reports, doesn't work reliably. It leaves many encrypted files damaged beyond immediate recovery. Many such files can be recovered with additional work, but the criminal's decryptor won't help the victims.
Starting point is 00:07:30 SecureWorks has reported a brute force vulnerability in Azure Active Directory. Microsoft, after some initial resistance to accepting that the researchers' findings and proof of concept represented an actual security flaw, now intends to issue a mitigation for the vulnerability, GovInfo Security writes. Ars Technica summarizes the issue between SecureWorks and Microsoft, and, in a routine disclosure, Microsoft is a CyberWire sponsor. Microsoft thinks there are already precautions in place to keep users from succumbing to the sort of brute-forcing SecureWorks describes, but Redmond appears to be working on some changes nonetheless. Researchers from the universities of Birmingham and Surrey have demonstrated, the BBC reports,
Starting point is 00:08:13 a contactless hack of a locked iPhone that enabled them to extract a Visa payment of £1,000 from Visa cards set up in the iPhone's Wallet Express Transit mode. Apple sees it as a Visa issue, not an iPhone issue, so apparently people disagree. Do remember that the hack, clever as it may have been, was a researcher's proof of concept and not an issue encountered in the wild. And finally, a lawsuit alleges that an Alabama hospital that delivered a baby while systems were degraded by a ransomware attack missed a condition that ultimately resulted in the baby's death, the Wall Street Journal reports. The Springhill Medical Center in the U.S. state of Alabama was the facility affected.
Starting point is 00:09:02 The ransomware had rendered a number of the clinical information systems doctors and nurses normally relied upon unavailable. The hospital had reverted to backup systems, and the plaintiffs allege that the unavailability of the additional layers of scrutiny and clear presentation that would normally have been used amounted to an unacceptable risk. The medical center denies wrongdoing, and whoever was or wasn't at fault, the child's death was a tragedy. This is the second case in which ransomware has been directly implicated in a death. The first, as the Washington Post reminds us, was a case in Cologne, Germany, where a ransomware attack a year ago in September of 2020 forced an ambulance
Starting point is 00:09:46 to divert an emergency case to a more distant hospital. The patient died en route but might well have survived had the affected emergency room not been too disrupted by ransomware to handle cases. Both cases should be borne in mind when reading the tiresome claims of restraint and discriminating targeting that the ransomware gangs are wont to make. And of course, our condolences to the families of both victims. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs,
Starting point is 00:10:35 we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way Thank you. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses
Starting point is 00:11:37 is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Thank you. your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Shamla Naidoo is Head of Cloud Strategy and Innovation at Netskope and judge of the upcoming DataTribe Challenge, which ends its submission phase tonight. A unique annual competition that brings together the best entrepreneurs in the world looking to disrupt cybersecurity and data science, DataTribe selects three finalists that split $20,000 in prize money and one winner that could receive up to $2 million in seed capital.
Starting point is 00:12:43 Full disclosure, DataTribe is a CyberWire investor. I checked in with Shamla Naidoo for her advice to innovative startups looking to gather attention. I would say that, you know, there's a lot of innovation out there. We are not short on innovation. And the innovation is very readily available to all. Sometimes free, sometimes low cost, sometimes high cost, but it is available.
Starting point is 00:13:09 And what I would say is, you know, we have to look at how businesses are consuming the innovation that exists and what are the risks that are being created in this new environment. Those are the problems we need to be solving. So, you know, if I had to pick a couple, I would say the cloud is forming the backbone of our telecommunications and our communications environments. And not because the cloud is just an innovation that we should consume. What we really want is to speed up our businesses.
Starting point is 00:13:47 We don't want to spend our precious resources and talent building out infrastructure and capability that we could commoditize and buy from someone else. So the idea is we want to preserve our resources to do things that are special and unique to our business. Everything that's commoditized, we can outsource, we can delegate, we can buy it, we can lease it, we can borrow it from others. And so I think the cloud forms that backbone where others are writing applications, others are creating all of the solutions. We just want to go consume those and add our unique perspective. So for me, I'd say to an entrepreneur is make sure that anything you create follows the cloud.
Starting point is 00:14:36 Because almost every business is out there either already on a cloud journey or they are on a cloud journey and they don't even know it. And so, you know, we have many, many organizations where cloud is being consumed, cloud services, cloud applications are being consumed. They may not even know it. So we need that visibility. So make sure that your solutions support businesses where they have cloud workloads. Make sure that the cloud workloads give the consumer visibility and gives you a place to control that may be outside of your immediate area of either ownership or control.
Starting point is 00:15:20 And then, you know, remember that we live in a data world. So I would say looking at cloud as a backbone, look at data and data protection, because almost every organization right now has become a data-driven decision-making organization. Everything we do generates data. Someone is collecting it. Someone is aggregating it, collating it, and making decisions about what we should be doing. And they're looking to influence our behavior and influence our actions. So, you know, we know that businesses are driven by data. So data protection is the other really big key piece to remaining relevant to where businesses are going. And then on the other hand, you know, I'll think about things like artificial intelligence. We've got so much data that none of us can humanly consume.
Starting point is 00:16:12 Artificial intelligence actually helps us to do that, to again, give us that benefit of speed and scale. So we can use and consume large amounts of data. We can create conclusions and action lists very, very quickly from our analysis. And so those are two areas I would really focus on is data protection and artificial intelligence. How do you actually consume that data? How do you extract business insights from the data that you have collected?
Starting point is 00:16:44 But then, you know, on the security side is recognizing that we have to continue to secure and protect that cloud infrastructure that we don't own, that we don't control. So we're going to have to find unique and different ways to solve for that. So entrepreneurs out there should help us to do that. And then, you know, lastly, I would say, you know, just recognizing that because speed is so important, removing the friction from how we work should be a key component in creating any solution. So making sure that, you know, that you're creating smooth workflows that are going to give you an outcome versus too many handoffs and too many
Starting point is 00:17:29 steps and creating either inconvenience or creating obstacles for the end user. So all of us want to create a very productive workforce. We are looking to extract as much value as we can from the precious talent and resources that we have. Removing the friction helps us to make better business decisions and make better business outcomes. That's Shamla Naidoo. She's Head of Cloud Strategy and Innovation at Netskope and judge of the upcoming DataTribe Challenge. Entrepreneurs and founders, it's not too late to get your application in. It's quick and easy.
Starting point is 00:18:10 Go to datatribe.com slash challenge. There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects, where you get access to this and many more extended interviews. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions
Starting point is 00:18:52 designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And joining me once again is David Dufour. He's the Vice President of Engineering and Cybersecurity at Webroot.
Starting point is 00:19:34 David, always great to have you back. I know that you have had your eye lately on cyber insurance and some of the good and bad that comes with that. What can you share with us today? Yes. Hey, David, always good to be back. Love the show, love being on it. You and I have been talking about cyber insurance off and on for a couple of years now, probably more like five. And it's really starting to become a well-defined product that insurance agencies are figuring out how to sell. Obviously, their goal is to make money while protecting you. So as we've seen the growth of cybersecurity as an industry,
Starting point is 00:20:11 the insurance companies have done a pretty good job of figuring out how to offer the services to folks. You know, one of the things I've noticed is, obviously, the prices are heading up as more ransomware cases are coming up. So it seems like the cyber insurance companies are doing a better job of calibrating their own risk. Yeah, and that's the key thing to consider with any type of cyber insurance. Initially, it was the Wild West. You would get a policy. The insurance underwriters wouldn't exactly know how much to charge or how much to insure for.
Starting point is 00:20:49 Because originally, a lot of the insurance covered things like brand protection or physical downtime because you couldn't sell because your website was down. But what's happening is with the growth of ransomware and the ability of organizations to be attacked in that manner, they've really done a good job of applying NIST standards, making sure that you're following proper cyber hygiene, and then offering insurance around that. The trick there being is if you're not following what you signed up for in the policy, they're not going to pay out. So again, they've gotten really good at the underwriting and then identifying what you need to do to stay compliant. What are you telling the folks that you're working with in terms of, you know, shopping around and finding the best fit for them?
Starting point is 00:21:42 Yes. Well, so the good news as it becomes more of something that can be well-defined, we're seeing not fringe insurance providers. So you're able to go to your really strong insurance companies and get coverage. But what you've got to do is decide what you're trying to insure against. A lot of folks, there still is a brand awareness that's important. So you've got to be aware of that. And then, you know, are you trying to insure against ransomware? If you're hacked or attacked in some way that involves a ransom, do you want to make sure you have that coverage? And, you know, maybe that's more important to you because, you know, we always like to talk about the welder in
Starting point is 00:22:20 Oklahoma who just wants to send out invoices. If you have cyber insurance, you're not really caring about paying for brand cleanup or brand protection. You're more concerned about having the coverage for ransomware to get you back on your feet. So basically, you need to know what you're getting. And then the bigger part is know what you're paying for, but what you've got to do to stay compliant in terms of the policy itself. Yeah, I can't help wondering if as things go forward and we see more and more payouts, if cyber insurance may go the way of flood insurance, where it's
Starting point is 00:22:54 really hard for private companies to underwrite these sorts of things and we end up with some sort of government backstop. That and, you know, with the way crypto is going and the government involvement there, we may end up with some type of government backstop. And what's interesting, David, and there's news articles about this. We're seeing it. So I by no means have the market cornered on this. But the industry is seeing where nefarious actors are going into an environment, into somebody's systems, looking for insurance coverage, figuring out what their policy is, and then setting the ransom to what the policy is. So, I mean, there's at some point going to be some rule in a policy that says you can't keep your policy on your network. But we've seen that happen in many cases here recently.
Starting point is 00:23:50 Yeah, I can imagine companies placing decoy policies in their honeypots, right? Exactly, for low amounts. Right, right, exactly. All right, interesting stuff as always. David Dufour, thanks for joining us. Hey, great being here, David. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Wondering what to do with all that free time this weekend?
Starting point is 00:24:24 Well, check out Research Saturday and my conversation with Dan Petro and Allan Cecil from Bishop Fox on their research, You're Doing IoT RNG. That's Research Saturday. Do check it out. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. Thank you. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Starting point is 00:25:50 Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
