CyberWire Daily - Ransomware hoods and their enablers may be feeling some heat. Supply chain compromise and third-party risk. Colonial Pipeline resumes deliveries (but paid ransom to no avail).
Episode Date: May 14, 2021
DarkSide says it's feeling the heat and is going out of business, but some of its affiliates are still out and active, for now at least. A popular hackers' forum says it will no longer accept ransomware ads. The Bash Uploader supply chain compromise afflicts another known victim. Colonial Pipeline resumes delivery of fuel. Irresponsible disclosure of vulnerabilities hands attackers a big advantage. Carole Theriault looks at NFTs. Joe Carrigan wonders about the return on your ransomware payment investment. And there's a lot of Amazon-themed vishing going on out there. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/93
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
DarkSide says it's feeling the heat and is going out of business,
but some of its affiliates are still out and active, for now at least.
A popular hackers' forum says it will no longer accept ransomware ads.
The Bash Uploader supply chain compromise afflicts another known victim.
Colonial Pipeline resumes delivery of fuel.
Irresponsible disclosure of vulnerabilities hands attackers a big advantage.
Carole Theriault looks at NFTs.
Joe Carrigan wonders about the return on your ransomware payment investment.
And there's a lot of Amazon-themed vishing going on.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, May 14th, 2021.
The Wall Street Journal late this morning broke the story which they sourced to security firm FireEye,
a company whom Colonial Pipeline has brought in to deal with the ransomware attack it sustained,
that the DarkSide ransomware-as-a-service gang has told its affiliates that it intends to shutter its operations.
The criminals said they'd lost access to their infrastructure and that they were under pressure from U.S. law enforcement. Forcepoint researchers, who've been reading DarkSide stuff
on the dark web, say the gang complained that it had lost its blog, its payment servers, and its
DOS servers. They also said that funds in their payment servers, both theirs and their customers', had been extracted
and sent to parts unknown, so it seemed a good time to call it quits. How seriously this exit
should be taken remains to be seen. Other ransomware gangs have disbanded under pressure
before, only to reconstitute themselves later, perhaps under a different name.
Whatever DarkSide's actual plans may be,
and even as the Colonial Pipeline resumes deliveries interrupted by ransomware,
and we'll hear more on that shortly, DarkSide affiliates continue to inflict their ransomware
on other targets. The Colonial Pipeline incident is merely the highest-profile disruptive attack.
Kyodo reports that the group has claimed the exfiltration of some 740 gigabytes
of sensitive information from Toshiba's operations in France.
Toshiba has acknowledged that a European subsidiary was hit by a cyber attack.
And Bleeping Computer has confirmed that DarkSide also claims to have hit
Essen-headquartered chemical distributor Brenntag.
The gang says Brenntag paid them the equivalent of $4.4 million in cryptocurrency two days ago,
an amount negotiated down from DarkSide's original demand of $7.7 million.
As ransomware-as-a-service offerings play a more prominent role in the criminal underground economy,
the Record reports that one popular hacking forum, XSS, formerly known as DaMaGeLaB,
has announced it will no longer accept advertising for ransomware services.
The site's admin posted a note yesterday to the effect that
lockers, ransomware, have accumulated a critical mass of nonsense, BS, hype, noise.
As has been the case with other fora in the past, XSS's firm resolution to sin no more may have been prompted by a kind of near-death, or at least near-prosecution, experience.
As the Record puts it, quote, however, even before those talks could take place, the message appears to have registered loud and clear.
In a message today, the XSS admin team decided to avoid unwanted scrutiny, claiming that their forum's main purpose was always knowledge and not to serve as a marketplace for criminal gangs.
Their decision might have been hastened by the fact that the DarkSide ransomware gang ran an ad for its affiliate program on the XSS forum,
together with all the major ransomware operations, such as REvil, NetWalker, GandCrab, Avaddon, and many others.
End quote.
So, hey, it's a quest for knowledge, not the aiding and abetting of criminal enterprises.
That's the ticket, and good for XSS.
Researchers at security firm Forcepoint have taken a closer look at XSS.
The forum's proprietors appear to have felt that Moscow was getting ready to hang them out to dry.
Forcepoint provides this translation from the admin's posts.
Peskov, that is, Russian President Putin's press secretary,
is forced to make excuses in front of our overseas friends,
which would be you, Mr. and Mrs. United States,
adding, this is a bit too much.
The admin linked to an article in Kommersant,
a Russian news site that ran under the title,
Russia has nothing to do with hacking attacks on a pipeline in the United States.
So the forum isn't feeling the love right now.
Sometimes guilty knowledge comes with a wink, and sometimes not.
XSS is not seeing a wink.
The Codecov Bash Uploader supply chain compromise has affected another victim.
Rapid7 disclosed yesterday that a small subset of their source code repositories for internal tooling for their MDR service was accessed by an unauthorized party outside of Rapid7. The company emphasizes that the incident has now been contained and that in any case they haven't used Codecov on any CI server
employed for product code. Colonial Pipeline reported yesterday afternoon that it had resumed
delivering product through its lines to all the markets it serves. That said, it's expected to
be several days until service returns to normal, and some customers may experience intermittent
disruption while Colonial brings
its service back. More outlets, including the Wall Street Journal, are reporting that Colonial
Pipeline paid almost $5 million in ransom within hours of being contacted by the DarkSide
criminals. That, however, may have done little good, as the decryption tools are said to have
proven inadequate to their promised task of restoration,
and the company seems to have worked from its own backups to resume deliveries.
That's bad news in some sense for everyone.
Colonial is out $5 million.
Other organizations, the New York Times notes,
are chagrined by the fuel the payment poured into the bandit economy.
And, as Joseph Cox tweets,
the hoods themselves will find it difficult to make their case for payment in future attacks.
If the decryptors are less than fully successful,
why throw good money after bad?
The Voice of America reports
that U.S. Homeland Security Secretary Mayorkas
promised Congress a whole-of-government response
to the incident.
DarkSide is generally believed to operate from Russia.
So was the Russian government behind the ransomware attack?
According to an AFP report published in Security Week,
when he was asked during a media availability
whether President Putin or his government were aware of the attack,
U.S. President Biden said,
quote, I am confident that I read the report
of the FBI accurately, and they say they were not, he was not, the government was not. We do not
believe, I emphasize, that the Russian government was involved in this attack, but we do have strong
reason to believe that the criminals who did the attack are living in Russia. That's where it came
from, end quote. President Biden did say that he thought
the issue of Russian control over criminal groups operating from its territory would probably come
up during this summer's Russo-American summit talks. An official disavowal of belief of direct
Kremlin involvement may be motivated by the way the incident looks like deniable sabotage.
The Russian government has used fronts, cutouts, and contractors before,
and one of the responsibilities of sovereignty is preventing attacks on other nations
by people operating from one's territory.
And if there were marque and reprisal in cyberspace,
it might well look a lot like a ransomware attack.
The government sees its adversaries disrupted,
and the cyber privateers get, in this case, about $5 million in altcoin.
CNBC offers an example of this kind of speculation,
which we emphasize is exactly that, speculation, but plausible speculation.
The Global Times, a Chinese government-aligned media outlet founded in 2009
to counter the designed provocation that is common in Western media's China reportage,
frames the ransomware attack on Colonial Pipeline as blowback for American aggression in cyberspace.
That's one way of looking at it.
Speculation, but tendentious speculation.
Attention, vulnerability researchers. Here's a reason for responsible disclosure.
A study by Kenna Security finds that white hats who publish exploits before patches are available
are handing a big advantage to attackers, one that amounts to a 90-day head start over the defenders.
And finally, has a robocall recently told you it was from Amazon and asked you to press 1 to resolve suspicious activity in your account? You know,
the kind of call that gives you that suspicious bloop sound when the robot hands you over to the
crooked human operator? You're not alone. YouMail warns that this particular vishing scam is hitting U.S. phones at a clip of between 100 million and 150 million calls a month.
So don't press 1, friends, and class dismissed.
I have personally been trying to keep NFTs at arm's length.
Honestly, I've got a certain amount of blockchain fatigue,
and the whole thing reminds me a bit of tulip madness.
My own hesitation, however, in no way represents the unencumbered enthusiasm others are feeling for NFTs.
So, what the heck are they and why should you care?
Our CyberWire UK correspondent, Carole Theriault, shares this commentary.
So, NFTs, what the heck are they?
I'm going to tell you what they are.
I'm going to tell you why people are talking about them.
And I'm going to tell you what to look out for.
So NFT is an acronym and it stands for non-fungible token.
That's right, fungible.
Now, fungible refers to something that can be interchanged like rice or dollars or a
Bitcoin.
Trade one for another and you're no better or worse off. So non-fungible refers to
something original and unique; there's no item exactly like it anywhere else. This can exist in
the physical world or the digital world. So like a digital painting or a physical sculpture.
Now, a non-fungible token, or an NFT, is an identification of authenticity of something original in the digital or physical realm.
Now, most NFTs are part of the Ethereum blockchain. For those who don't know,
Ethereum is a cryptocurrency like Bitcoin,
but its blockchain also supports these NFTs, these non-fungible tokens. Whoever has the NFT
certificate in their digital possession is considered to be the rightful owner of the item.
And because it is on a blockchain, it can't be altered, effectively creating a kind of
irreversible history.
So NFTs are bought and sold much like you would buy and sell stuff on eBay, auction
style-y, right?
You go to a platform to buy or sell an item with an NFT certificate.
So platforms like OpenSea, Mintable, and Rarible. And then you can bid on
items as you would on other internet auction apps. Some items will have a set fee, and some prices
can hike to dizzying heights. Now, currently, there's a lot of buzz around NFTs in the creative
digital space, such as original pieces of music, a painting, a cool software
experiment. This crypto art movement was kicked off by CryptoPunks, which is a 24 by 24 pixel
art image generated algorithmically. The brains behind this is Larva Labs. They have 10,000 unique
collectible characters. They are all NFTs.
They have currently raised, at the time of recording, $500 million,
with the top one having gone for $7.5 million USD at the time of recording.
Before you get too excited about this, a few things you need to be aware of.
NFTs can be stolen.
If the platform where you store your NFT account gets hacked,
you can say sayonara to your ownership.
And if someone gets a hold of your password and your username, well.
So make sure you lock it down with multi-factor authentication, unique complex passwords.
Put every security component you can to make sure you keep it safe.
And like any blockchain, they take their toll on Mother Nature. The carbon output required to do all the calculations is mind-boggling. There was even an article that said
Ethereum calculations required to run the blockchain consume as much electricity as all of Ireland.
I mean, think of that.
But despite that, I don't think NFTs are going anywhere soon.
So keep your eyes peeled and your accounts safe.
That's the CyberWire's Carole Theriault.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information
Security Institute and also my co-host on the Hacking Humans podcast. Joe, great to have you back. Hi, Dave.
Interesting story from the folks over at Sophos, depending on what side of the pond that you're on.
They recently put out their ransomware report, and there's some interesting stats in here.
I guess some things that surprise me
in the way that they break down. Can you share what they found here? Yeah, there are some
interesting statistics in here. One is that only 8% of ransomware victims get all of their data
back after paying a ransom. So we've been hearing that a lot of times when you pay the ransom,
many times you do get your data back.
But this research from Sophos says, well, only 8% of people get all of their data back, which implies to me that there's some mechanism in place here that these guys are encrypting data and they're not able to recover all of it.
And that makes sense to me because these are criminal organizations that don't care
about your data. If it's destructive and you lose some of it, so what? In fact, the average amount
that people got back after they did pay the ransom, the average amount recovered was 65%
of your data, right? 29% said they recovered less than half their data. That's shocking.
Another interesting statistic is that the price of recovering from one of these attacks has more than doubled.
It's gone from $761,000 on average last year
to $1.85 million to recover from a ransomware attack now.
Wow.
And they're saying that's because these are more sophisticated attacks
and that they are actually becoming less frequent.
So it's like these ransomware gangs are focusing more on the jobs that they're doing
and not trying to – they're going for quality over quantity.
Right, right, yeah.
So the ransoms – we actually had a guest on Hacking Humans who was talking about how
these ransomware attackers actually do the math on your company's net revenue every year.
And based on your company revenue, that's how they determine what they're going to charge
for the ransom.
Right, right.
So, they're maximizing their profit
with research. Right. They have teams of accountants in the back room who are trying to decide how much
they should demand from you. Yeah. Yeah. So what is this, what's the take home here in terms of,
you know, preparing yourself for the possibility of a ransomware attack given this data?
Right. I think this data lends
a lot of credence to the argument, don't pay the ransom. Don't pay the ransom because even if you
pay the ransom, you're still not getting all your data back. There's an 8% chance you'll get
everything back. Right. That's a really low chance. Yeah. And if you have good backups
and you can get all your data back without paying the ransom, you're golden.
I mean, yes, you're going to lose time and that there's still going to be a cost impact that is going to happen.
And that's unfortunate.
But if people didn't pay the ransom, these attacks wouldn't happen by and large. Yeah, it also, I mean, it strikes me if you just look at the raw numbers here that,
you know, how much of an investment would it take to greatly lessen your chances of being hit by
ransomware? And when you look at these numbers, it seems to me like you can make a good case that
that's money well spent. Right. I agree 100%. Yeah. There's something that's not really mentioned
in this data. And that is we're seeing that, or in this report rather,
we're seeing that these ransomware attacks are also turning into data breaches.
And in order to incentivize people to pay the ransom,
these criminal organizations are saying,
not only have we encrypted your data, but we've stolen it.
Right.
You pay us the ransom, we don't release it.
You should absolutely not let that be part of your calculus.
What has happened is you've suffered a data breach, period. That's all. You have to act
accordingly and do whatever mitigation you have and notify whomever data has been breached.
You have to take care of that. And you should not let that influence you because
even if you pay the ransom, studies have shown that they are still going to
sell the data or release the data. It doesn't do you any good. And that data is still out there in
the hands of criminals. And you also open yourself up to repeat business from these guys. You paid
us the ransom to keep the data quiet. Now we need that same amount of money on an annual basis in
order to continue to keep it quiet. So once that data is out the door, assume the reputational loss that's going to follow because you cannot do business in good faith with criminals.
Yes, absolutely.
That's an excellent way to put it.
All right.
All right.
Interesting stuff for sure.
Joe Carrigan, thanks for joining us.
It's my pleasure.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this week's Research Saturday show and my conversation with Lieutenant Colonel Erica Mitchell from the Army Cyber Institute.
We're going to be discussing their infrastructure resiliency research.
It's a project called Jack Voltaic.
Be sure to check it out. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Kelsey Bond, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe, and I'm
Dave Bittner. Thanks for listening. We'll see you back here next week.