CyberWire Daily - Ransomware hits an electronics retailer and a new-school financial services company. Updates on international action against REvil.
Episode Date: November 9, 2021
Hive ransomware hits electronics retailer Media Markt. Robinhood Markets sustains a data breach it traces to social engineering. Ben Yelin looks at the law behind U.S. police demanding your phone passcode. Dave checks in with Rick Howard for his thoughts on the Trojan Source vulnerability. And more notes on the international action against REvil, including the US application of sanctions (with Baltic cooperation) to three companies involved in supporting the gang's financial infrastructure. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/216
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k.
Hive Ransomware hits electronics retailer MediaMarkt.
Robinhood Markets sustains a data breach it traces to social engineering.
Ben Yelin looks at the law behind U.S. police demanding your phone passcode.
I check in with Rick Howard for his thoughts on the Trojan Source vulnerability.
And more notes on the international action against REvil.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, November 9th, 2021. Germany-based multinational electronics retailer Media Markt has seen operations disrupted by a ransomware attack, according to Bleeping Computer. The ransomware strain is said to be
Hive, and the criminal operator's opening position was to demand $240 million. That's high,
and probably represents an opening gambit, a negotiating position. Hive is a relatively new
ransomware operation, surfacing in June of this year. It's acquired a reputation for
indiscriminate targeting, even by the ruthless and careless standards that prevail in the criminal
underground, whatever pious argle-bargle they might woof from time to time in their communiques.
MediaMarkt is one of Europe's biggest electronics retail chains, with 53,000 employees and 1,000 stores in 13 countries.
Retail Detail says that store employees in Belgium, Germany, and the Netherlands
have been told to take point-of-sale systems offline.
Company headquarters in Ingolstadt has told its stores that it's working on the problem.
Stock trading platform Robinhood Markets yesterday
disclosed that it sustained a data breach on November 3rd. A customer support employee was
inveigled or socially engineered into granting an unauthorized outsider access to certain company
data. The data exposed include email addresses for about 5 million Robinhood users, the full
names of a different set of roughly 2 million users, and more extensive personal information
like names, dates of birth, and zip codes for some 300 users. The data theft apparently
represented an extortion attempt. The Wall Street Journal reports that Robinhood has brought in Mandiant to investigate
the incident. Those who recall the meme stock short squeezes earlier this year will recognize
Robinhood as the trading firm mentioned in dispatches by the U.S. Securities and Exchange
Commission. Speculators established accounts with Robinhood, attracted by its convenient mobile app, its zero-commission trading, and its low-balance requirements.
Some of them used those accounts for wash trading,
essentially trading with themselves to manipulate the share prices of meme stocks.
There's no evident connection between those incidents and the present ransomware case.
Yesterday's announcement by Europol of a Romanian-led investigation leading to the arrest of suspected REvil ransomware operators has not
only netted several difficult-to-apprehend criminals, but also lent some credence to
the impression that ransomware gangs in particular have grown a bit skittish about their vulnerability to arrest. The U.S. Justice
Department also seized $6.1 million in cryptocurrency from a REvil operator who remains at large.
The U.S. Treasury Department yesterday sanctioned Chatex, which describes itself as a fully-fledged
crypto bank, Security Week reports, for its role in processing cryptocurrency transactions
allegedly on behalf of the gangs.
Three other firms that supported Chatex were also sanctioned,
Izzybits OU, Chatextech SIA, and High Grade Financial Limited.
The Treasury Department wants people to understand
that there's nothing inherently nefarious about altcoin.
As the department's announcement says, quote,
While most virtual currency activity is licit, virtual currency remains the primary mechanism for ransomware payments,
and certain unscrupulous virtual currency exchanges are an important piece of the ransomware ecosystem.
The United States urges the international community to effectively implement international standards on anti-money laundering
and countering the financing of terrorism in the virtual currency area,
particularly regarding virtual currency exchanges.
End quote.
Treasury has a lot of good things to say about its partners in Latvia and Estonia
who've moved to interrupt the companies' operations.
The implications of the designation are as follows, quote,
As a result of today's designation, all property and interests in property of the designated
targets that are subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them.
Additionally, any entities 50% or more owned by one or more designated persons are also blocked.
In addition, financial institutions and other persons that engage in certain transactions
or activities with the sanctioned entities and individuals may expose themselves to sanctions
or be subject to an enforcement action.
Today's action does not implicate a sanctions nexus to any particular ransomware-as-a-service or variant.
End quote.
Treasury's action, taken together with the seizure of $6 million-plus from the cryptocurrency account of an alleged ransomware operator,
shows an international determination to attack the economic model ransomware operators depend on. They may enjoy the protection or at
least the indulgence of the government where they reside, but electronic finances are accessible
in some ways across borders. At yesterday's press conference, U.S. Attorney General Merrick Garland
made a point of saying, quote, most of the time the actors themselves are trying to hide abroad.
But as we've shown time and again, we'll still pursue them, disrupt them, and hold them accountable.
The long arm of the law reaches a lot farther than they think.
And we've got ways of disrupting those sheltering in places like Russia.
As Polyanin discovered when he woke up and found $6.1 million he'd extorted from his victims missing.
End quote.
Mr. Polyanin is one of the protected privateers who remain at large,
still in the wind, but noticeably poorer.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Rick Howard. He is the CyberWire's chief security officer, also our chief analyst.
Rick, always great to have you back.
Hey, Dave.
So right after Halloween, news came out of the University of Cambridge that two of their distinguished researchers,
Nicholas Boucher, I'm not going to, your guess is as good as mine and apologize to Mr. Nicholas if I got it wrong.
But also Ross Anderson, they published some really interesting work here on a new supply chain attack technique that they're calling Trojan Source.
And they say that if it's done correctly, attackers can completely hide exploit code in plain sight within a program, and that
this would circumvent any human code review or automatic scan. Now, that sounds scary enough,
but I have to say a lot of this is over my head on how they would do it, and I thought I would
check in with you. Help me and the audience out here. How is this possible? Well, you're right,
Dave. Just when you thought
that the internets couldn't get any scarier, okay, that's when you know you're due, right, for
something like this to come along. And before I explain it, let me just vouch for the author's
credentials, especially Ross Anderson. He's a Cybersecurity Canon Hall of Fame winner for his
book, Security Engineering, A Guide to Building
Dependable Distributed Systems. And so, for all of your engineers out there, if you're looking for a
primer on security design, that's the book to read. All right. Well, so these two gents publish
a paper on this Trojan source idea. How exactly does it work? So, the technique takes advantage
of a system that the international community has
standardized on to represent numbers on computers, right? And so this is from the Unicode Consortium.
It's a non-profit standard body formed way back in 1991. And what they say is before we had these
Unicodes, we had hundreds of different coding systems for assigning these numbers to computers, and they all had limitations for like a single language like English, let's say.
No single encoding system was good enough for all the letters, punctuation,
and technical symbols we needed to get things done.
And the different systems crashed into each other, with two encodings using the same number
for two different characters, or the other way, using different numbers for the same character. And it's like, jiminy Christmas, in this precision world that wasn't
going to work. So the Unicode standard changed all that. They provided a unique number for every
character, no matter what platform, device, application, or language. So that's the good news.
The bad news is where Boucher, is that how we're saying it? And Anderson.
We're going to go with that.
So these two guys from their paper, okay, they said, you know,
computer programs require support for both left to right languages, such as English and Russian,
and right to left languages, such as Hebrew and Arabic.
And if your program combines both kinds,
there must be a way for the compiler
to resolve which direction to go. And so the compiler for everybody that doesn't know is that
program that turns your written code into something that the computer can run. And it turns out
there's an algorithm for this. It's called the bidirectional or BIDI algorithm.
Okay. So I get all that and I have a handle on that in terms of operating in the real world.
But what exactly is the exploit trick that these researchers came up with?
So it turns out that for some edge scenarios, the BIDI algorithm may not be sufficient for all programmers.
And so the algorithm gives them the ability to tell the compiler what to do manually, all right?
And that's the seam, okay, that the hackers take advantage of.
What Boucher and Anderson describe in their paper is a way for a programmer to write code that looks like a comment statement or just a string of characters to the human eye.
You know, you and I are reading and say, oh, that's just a comment.
If you read it like right to left. But because of the BIDI encoding system, the compiler reads the code left to right
and a clever hacker can turn that left to right compiler reading into some kind of dangerous
exploit code. It's really ingenious. Now, in their paper, the authors say that this
represents a new kind of supply chain attack. How exactly does that work?
Well, in the supply chain attacks we've seen this year, like the SolarWinds attacks,
the attackers broke into the SolarWinds networks, found the code for a SolarWinds product,
and inserted their own Trojan horse code into the real code. When customers downloaded the
product to their own networks, the Trojan horse came along with it.
But once SolarWinds knew that, it wasn't hard to find the offending code, remove it, and issue an update to their customers.
What Boucher and Anderson came up with in their technique is hackers can insert their Trojan source code.
See what they did there? A little play on Trojan horse, right?
They do this into like open source programming projects like Linux or Kubernetes. And so when other contributors look at the code, all they will see is this weird
looking comment and not know that it's actually an exploit code. This kind of stuff could sit
inside code libraries for years without anybody noticing the problem. Wow. Are there any fixes
for this kind of thing? So there are several mitigation techniques
that the authors talk about in the paper, but the real trick is to get the compiler makers
to look for the technique in their own software. So according to the authors, the fact that the
Trojan source vulnerability affects almost all computing languages, let me say that again,
almost all computing languages, this sort of makes this a bit of an existential threat.
So if you're a development shop, it would definitely be asking your vendor about the countermeasures that they're putting into their products for this problem.
Yeah, that's fascinating.
I mean, I suppose it's the kind of thing where the packages that you use for your development could automatically flag when it sees one of these direction shifts, right?
Yeah, you could definitely see when they're calling the BIDI algorithm, right?
So at least that's a flag, right?
And then there's probably things we can do to check if they're trying to do something malicious.
So we'll see how that goes in the future.
Yeah.
Yeah. You know, I noticed in the paper that there is a reference to research that was first published in 1984 by Ken Thompson, and he's the co-founder of the original Unix system along with Dennis Ritchie back in the 60s.
So, I mean, is that an indication that these Trojan Source techniques are not actually all that new? Well, you can say that Ken Thompson invented the idea of a rootkit.
He's the first guy that came up with the idea.
So in that 1984 paper, the paper was called Reflections on Trusting Trust.
And he just did it as a thought experiment, right?
He devised a way to alter the C compiler that shipped with every Unix system at the time.
So when the compiler noticed an administrator recompiling the login program,
this is the program that people use to log into systems,
the compiler would insert additional functionality
to not only accept the password of the user trying to get in,
but also a second password that only the hacker knew about.
But when reviewers analyzed the code for the login program,
that code wasn't in the login program.
It was in the compiler, right?
So they would see no signs of this additional functionality.
So I would say it's the same technique as the Trojan Source thing that these guys came up with.
It's not exactly the same, but it's definitely in the same ballpark.
All right.
Interesting times, huh, Rick?
Yes, it is. That's why we get paid the big bucks, Dave. That's why we get paid the big bucks.
All right. Well, Rick Howard, the CyberWire's Chief Security Officer and Chief Analyst,
as always, it is a pleasure to have you here. Thanks for joining us.
Thank you.
solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions
designed to give you total control, stopping unauthorized applications, securing sensitive
data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see
how a default deny approach can keep your company safe and compliant.
And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast.
Hello, Ben.
Good to be with you, Dave.
Interesting publication here from the folks over at the EFF,
the Electronic Frontier Foundation.
This is an article written by Andrew Crocker,
and it's titled,
Police Can't Demand You Reveal Your Phone Passcode
and Then Tell a Jury You Refused.
What's going on here, Ben?
So we've talked a lot on this
podcast, on the Caveat podcast, about this right against self-incrimination and law enforcement
compelling you to enter your passcode. So your passcode is the content of your own mind, meaning
it is generally protected under the Fifth Amendment's self-incrimination clause. You can't
be compelled to testify against yourself. So generally, law enforcement cannot
force you to open your device, especially in the absence of a judicial warrant. So there's this
case in Utah, it's State v. Valdez, where a defendant was charged with kidnapping his ex-girlfriend
after arranging a meeting under false pretenses. The defendants in these cases are rarely the type of people
that you want to be going to bat for,
but, you know, that's what EFF does and the ACLU does,
and it's a crucial part of our legal system.
So the police find a cell phone in his pocket.
They want to search it for evidence.
Valdez, the defendant in this case, refused to tell them the passcode.
So he goes to trial.
The police, you know, had given up.
They weren't seeking a court order to get access to his device.
But at trial, law enforcement testified that Mr. Valdez refused to enter in his passcode to open up the device.
And that allows the jury or the finder of fact in the case to infer that the defendant was trying to hide something.
And this goes against the fundamental notion of the Fifth Amendment right against self-incrimination.
In all other circumstances, law enforcement is not allowed to bring up at trial that a person invoked their Fifth Amendment right because that is going to prejudice a potential jury that the individual is trying to hide something.
For this right to be meaningful, you know, this has to be something where a jury shouldn't be able to simply infer that somebody is trying to hide something
because the person invoked that right against self-incrimination.
This is a fundamental right.
It doesn't have to do with digital devices necessarily. It
has to do with the Fifth Amendment as it's existed throughout our country's history.
Right. So there should be no penalty for invoking that right.
Absolutely. So the Utah Court of Appeals, so the court just below the Utah Supreme Court,
agreed with that viewpoint. They said that it was not proper to introduce at trial evidence
that this person refused to unlock their device. And now the case is in front of the Supreme Court,
and you have EFF and other groups writing friend-of-the-court briefs. This is Utah's Supreme Court.
The Utah Supreme Court, that's right. So they're writing friend-of-the-court briefs saying, in
order to maintain this fundamental Fifth Amendment privilege against self-incrimination, whether it's in the modern technological context or
any other context, an accused person's ability to exercise their right without having that person's
silence used against them has to be continued and maintained in our judicial system.
And in the digital realm.
Absolutely.
And that's certainly something I agree with.
I mean, I think the right against self-incrimination wouldn't have much meaning if at every future
legal proceeding, law enforcement could come in and say, we asked Dave to unlock his phone.
He didn't do it.
Must be hiding something.
Right.
You know, I think it would lose its luster.
So a really interesting decision and
something we're certainly going to follow as the Utah Supreme Court takes it up.
Yeah. All right. Interesting stuff as always. Ben Yelin, thanks for joining us.
Thank you.
Thank you.
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Tré Hester, Brandon Karpf,
Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Thank you.
AI and data into innovative uses that deliver measurable impact. Secure AI agents connect,
prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.