CyberWire Daily - RATs, ransomware, payloads, and unsecured data: a look at the cybercriminal underground.
Episode Date: October 2, 2019. Sodinokibi ransomware looks more like the child of GandCrab, and McAfee has some thoughts on how ransomware-as-a-service operates. FakeUpdates are back, and they're installing ransomware, too. The Adwind RAT is back and infesting a new set of targets: it's moved on from hospitality and retail and into the oil industry. Maliciously crafted ODT files are appearing in the wild. And a big database about Russian taxpayers has appeared in an unsecured Elasticsearch cluster. Ben Yelin from UMD CHHS on a California town implementing a robot police patrol unit. Guest is Daniel Garrie from Law & Forensics on eDiscovery. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/October/CyberWire_2019_10_02.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Sodinokibi ransomware looks more like the child of GandCrab,
and McAfee has some thoughts on how ransomware as a service operates.
Fake updates are back, and they're installing ransomware too. The Adwind RAT is back and infesting a new set of targets: it's moved on from hospitality and retail and into the oil industry. Maliciously crafted ODT files are appearing in the wild. And a big database about Russian taxpayers has appeared in an unsecured Elasticsearch cluster.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, October 2, 2019.
Today's news is for the most part from private sector researchers, those who are watching the criminal underworld.
Researchers at the security firm McAfee, for one, have been keeping an eye on the Sodinokibi ransomware strain,
the one that's also known as REvil, since this past April.
They've just published an update of their studies.
Their blog begins with some foreshadowing.
They note darkly that Sodinokibi turned up at about the same time the GandCrab hoods announced their retirement,
saying they'd made enough money and proved to their satisfaction that anyone could easily find a profitable career doing evil.
This prompts a reversal of the traditional question, why do bad things happen to good people?
The really interesting question, if you follow GandCrab, is why do good things happen to bad people? At any rate, GandCrab announces their
retirement and Sodinokibi turns up. So McAfee asks, coincidence? Or is there more to the story?
You see where this is going. McAfee unpacked Sodinokibi and found that it had a 40% code overlap with GandCrab version 5.03,
so they think there's a better than decent chance that this is just the return of the GandCrab gang,
back from a quick retirement, rested, refreshed, and ready to make money while serving evil.
Sodinokibi is sold in the criminal-to-criminal market as an affiliate scheme.
In its ransomware-as-a-service model, one group maintains the code,
which it licenses to the other criminals who use it against their victims.
Both sides realize certain advantages from the arrangement.
From the developer's point of view, they get a cut of the ransom,
and they even get to set targets for their affiliates.
The affiliates run a great deal more risk than the developers,
especially if those developers work from one of several countries that don't really regard developing malware as a crime worth punishing, provided you leave targets in that country alone.
The list of languages Sodinokibi checks for and blacklists is instructive. They're spoken in Russia and the near abroad, plus Iran and Syria.
The affiliate gets a good deal, too.
They don't need to write the malware themselves.
That learn-to-code stuff is for suckers, as long as you've got someone coding for you.
There are low barriers to entry.
If you're willing to be a criminal, and if you can be accepted as such in the right dark web markets,
then Bob's your uncle, and you can get down to shaking down hospitals, schools, small towns
anyone who needs their data but may not have thought through how to protect that data.
When the affiliates do well, so do the developers.
That's why GandCrab used to kick the non-performers out of its affiliate network.
And it seems to be no accident that some of its top affiliates have moved over to Sodinokibi.
McAfee's researchers say that Sodinokibi is generally well-prepared malware, quality albeit criminal work. It's a serious threat.
The evidence linking it to GandCrab is circumstantial but interesting, and the main point is this: ransomware is a criminal business being run like a business, and it has the characteristic vulnerabilities of its business model.
Want to see an affiliate model fail? Make the top affiliates unprofitable,
or out-compete them with free decryptors. These are private sector solutions.
If you carry a badge and a gun, then we hope you'll make good collars.
Ransomware is clearly more than a nuisance, and it's very far from being victimless.
Computing reports, for example, that hospitals in both the U.S. and Australia have been forced to delay elective surgery and otherwise turn patients away
because of infestations in their systems.
They're working hard to deliver urgent care,
but it's difficult when you're working through the resistant medium
of maliciously encrypted files.
The U.S. health care facilities being hit this week belong to the DCH health system in Alabama.
The Australian victims are in Gippsland and southwest Victoria.
If you've ever been sued or have had the occasion to sue someone,
you know that part of the legal process is discovery.
These days, much of that process is e-discovery,
dealing with all things electronic
and online. Daniel Garrie is co-founder of Law & Forensics, a global legal engineering firm,
and he's editor-in-chief of the Journal of Law and Cyber Warfare. He shares his insights on
e-discovery. Litigation often ensues around a breach or around all sorts of things, right?
Firing employees, depends how senior you are.
There's all sorts of complicated issues that come up that involve lawyers.
It's about the discovery of the responsive information relevant to that incident.
Now, sometimes discovery can also involve third parties.
So a lot of vendors that collect logs or have cloud-based services or whatever
will get third-party subpoenas in connection with discovery involving another case. Like, for example, they may want the endpoint log files that are hosted by a third party.
The part involved in the data breach, one of the lawyers may have to subpoena that company,
and there'll be discovery. So it's the process of getting information as it's connected to a
dispute. Now, there's also discovery in arbitration.
There's also discovery in government investigations and certainly in criminal cases as well. Those
tend to be a little more draconian and arcane sometimes or one way or better or worse,
depending on the regulator. And then you have state court litigation. And I was just referring
to federal court litigation earlier. State court litigation with state court judges is sort of, I want to say the Wild West, but
it varies based on the knowledge and understanding of a judge.
And it's about going before a court and saying, look, we need this information to argue our
case.
It gets inherently more complicated because judges are generalists and they're not, you
know, the wazirs of ones and zeros, so to speak.
They hear murder cases, divorce cases, criminal cases, white-collar crime, contract disputes, and everything else.
When people come before them and say, oh, we want all of the email server, it could be virtualized in the cloud, and the judge will be like, I don't know what any of that means.
And so articulating what's reasonable to get that information back and forth is sort of discovery.
So when things go wrong, when it comes to discovery,
what are the things that you typically find yourself up against?
It ranges, but usually it can be very, you know, from helping the parties.
You know, for example, there was a case involving Amazon and several different cloud-based service technology providers and a case called CDS versus
Rapid Systems in New York in the Southern District, where I was tasked with basically
creating a set of protocols and constructs so parties could have co-equal access to a cloud-based
platform as they proceeded to litigation, fairly complicated
because it virtualized private cloud and the court had no idea what the parties were fighting
about or how to grant this type of thing.
So I got appointed by the courts in federal court to create as a technical special master
to resolve all the issues and create a set of protocols so the parties could functionally
operate and update the product and release the product. They had different customers and different
instances of the cloud, but the same source code base. So stuff like that. And then we have like
small versus UMC, where the court appoints me with a sort of mandate of resolving a wide range
of e-discovery issues. And as I said in
the beginning, it's about finding the right information. And it ranges from parties and
lawyers don't know how to properly extract or collect the information, to the vendors they
hire don't do the right work, to just outright perjury and lying by parties about what they did or didn't do.
I often tell people, you know, I'm very fortunate because ones and zeros frequently don't lie.
You know, there's inevitably issues.
That's attorney Daniel Garrie.
He's one of the featured speakers at the upcoming sixth annual Cyber Warfare Symposium.
That's October 17th in New York City.
It's sponsored by the Journal of Law and Cyber Warfare.
Netskope has been following the spread of the Adwind RAT and warns that the remote-access Trojan is now being used against a different sector.
Adwind has hitherto been observed in use mostly against retail and hospitality targets.
It's now in active use against the U.S. oil industry.
The RAT's functionality includes capturing webcam images, scanning for files based on specific extensions,
performing injection into known legitimate Windows processes,
monitoring system status and exfiltrating data to its command and control server.
The current versions of Adwind seem to be showing improved obfuscation capabilities as well.
Cisco's Talos Group finds that criminals are looking into the possibility of using maliciously crafted ODT files
in an attempt to bypass detection by commonly used security programs.
The current campaign is still small, but it's used ODT files to distribute RevengeRAT and njRAT payloads.
OpenOffice and LibreOffice users take note.
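An added triage check, written for this page and not taken from the episode or from Cisco Talos: an ODT is a ZIP archive, so the two things a defender most wants to know about a suspicious one (does it carry macros, does it embed an OLE object) can be read straight from the archive listing and from META-INF/manifest.xml. The member paths and media type used below are the standard OpenDocument ones; the sample documents are constructed in memory for the demonstration and are not real malware samples.

```python
"""Triage an OpenDocument Text (.odt) file for macro code and embedded OLE objects.

Added example, not code from the episode or from Talos. ODT files are ZIP archives:
macro modules live under Basic/, and embedded objects are declared as file-entry
elements in META-INF/manifest.xml with an OLE media type.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

MANIFEST_NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
# Media type OpenOffice/LibreOffice use for an embedded OLE object.
OLE_MEDIA_TYPES = {"application/vnd.sun.star.oleobject"}
# Members with these extensions have no business inside a document container.
DROPPER_EXTENSIONS = (".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".hta")


def triage_odt(data: bytes) -> dict:
    """Return findings for one ODT given as bytes."""
    findings = {"has_macros": False, "ole_objects": [], "suspicious_members": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # Basic macro modules are stored as XML under Basic/<library>/<module>.xml
        findings["has_macros"] = any(
            n.startswith("Basic/") and n.endswith(".xml") for n in names
        )
        if "META-INF/manifest.xml" in names:
            root = ET.fromstring(z.read("META-INF/manifest.xml"))
            for entry in root.iter(f"{{{MANIFEST_NS}}}file-entry"):
                media_type = entry.get(f"{{{MANIFEST_NS}}}media-type", "")
                full_path = entry.get(f"{{{MANIFEST_NS}}}full-path", "")
                if media_type in OLE_MEDIA_TYPES:
                    findings["ole_objects"].append(full_path)
        findings["suspicious_members"] = [
            n for n in names if n.lower().endswith(DROPPER_EXTENSIONS)
        ]
    flagged = (
        findings["has_macros"] or findings["ole_objects"] or findings["suspicious_members"]
    )
    findings["verdict"] = "suspicious" if flagged else "clean"
    return findings


def build_sample_odt(with_macro: bool, with_ole: bool) -> bytes:
    """Construct a minimal ODT in memory (constructed test data, not a real sample)."""
    entries = [("/", "application/vnd.oasis.opendocument.text"), ("content.xml", "text/xml")]
    if with_ole:
        entries.append(("Object 1", "application/vnd.sun.star.oleobject"))
    if with_macro:
        entries.append(("Basic/Standard/Module1.xml", "text/xml"))
    manifest = (
        f'<manifest:manifest xmlns:manifest="{MANIFEST_NS}">'
        + "".join(
            f'<manifest:file-entry manifest:full-path="{p}" manifest:media-type="{m}"/>'
            for p, m in entries
        )
        + "</manifest:manifest>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # Per the ODF spec the mimetype member is first and stored uncompressed.
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                   compress_type=zipfile.ZIP_STORED)
        z.writestr("content.xml", "<document-content/>")
        z.writestr("META-INF/manifest.xml", manifest)
        if with_macro:
            z.writestr("Basic/Standard/Module1.xml",
                       '<module name="Module1">Sub Main\nShell("cmd")\nEnd Sub</module>')
        if with_ole:
            # Placeholder bytes standing in for an OLE compound file (constructed).
            z.writestr("Object 1", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for macro, ole in [(False, False), (True, False), (False, True)]:
        print(f"macro={macro} ole={ole} ->", triage_odt(build_sample_odt(macro, ole)))
```

Run it over a quarantine directory with `triage_odt(open(path, "rb").read())`; a "suspicious" verdict is a reason to detonate the file in a sandbox, not proof of malice, since legitimate documents can carry macros and embedded objects too.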
And finally, Comparitech reports finding personal information on some 20 million Russian taxpayers
exposed online in an unprotected Elasticsearch cluster hosted on an Amazon cloud.
The exposed data include basically the whole shebang.
Names, addresses, passports,
tax IDs, and so on. Here's a question for the tax man. In a country whose internet policy is as
self-sufficient as Russia's has become, what are income tax data doing on Amazon? Maybe the owner
of the data could shed some light on this. Unfortunately, Comparitech hasn't been able to find that person or organization, but they seem to be somewhere in Ukraine, so maybe this owner owns the data
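An added check, not from the episode or from Comparitech: most "unprotected Elasticsearch cluster" reports come down to the same two settings, the HTTP API bound to a non-loopback address while authentication is off. The setting names below (network.host, http.host, xpack.security.enabled) are the real Elasticsearch ones, and the 2019-era default of security being disabled is what the lint assumes; the sample configurations are constructed.

```python
"""Lint an elasticsearch.yml for the exposed-cluster pattern.

Added example, not the episode's or Comparitech's code. Flags a cluster whose
HTTP API is reachable beyond localhost while xpack.security.enabled is not true
(the pre-8.0 default). Handles only flat `key: value` lines, which is what
elasticsearch.yml normally contains.
"""
import ipaddress


def parse_flat_yaml(text: str) -> dict:
    """Parse `key: value` lines, ignoring comments and blank lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def is_loopback_binding(value: str) -> bool:
    """True when the bind address is only reachable from the host itself."""
    v = value.strip("[]").strip().lower()
    if v in ("_local_", "localhost", "127.0.0.1", "::1"):
        return True
    try:
        return ipaddress.ip_address(v).is_loopback
    except ValueError:
        # _site_, _global_, interface names, hostnames or lists: assume reachable.
        return False


def assess(config_text: str) -> dict:
    """Return bind address, security state, and whether the cluster is exposed."""
    s = parse_flat_yaml(config_text)
    # http.host overrides network.host for the REST API; ES defaults to loopback only.
    bind = s.get("http.host", s.get("network.host", "_local_"))
    security = s.get("xpack.security.enabled", "false").lower() == "true"
    findings = []
    if not is_loopback_binding(bind):
        findings.append(f"HTTP API bound to {bind}: reachable beyond localhost")
        if not security:
            findings.append("xpack.security.enabled is not true: no authentication on the API")
    return {
        "bind": bind,
        "security_enabled": security,
        "exposed": bool(findings) and not security,
        "findings": findings,
    }


# Constructed sample configurations for the demonstration.
EXPOSED_CONFIG = """
cluster.name: tax-data
network.host: 0.0.0.0   # bound to every interface
http.port: 9200
"""

HARDENED_CONFIG = """
cluster.name: tax-data
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true
"""

if __name__ == "__main__":
    print("default:", assess(""))
    print("exposed:", assess(EXPOSED_CONFIG))
    print("hardened:", assess(HARDENED_CONFIG))
```

Enabling authentication is the minimum; a cluster that holds this kind of data should also sit behind a security group or firewall rule that limits port 9200 to the hosts that actually query it, which is a property of the network rather than of this file and is not something the lint can see.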
And I'm pleased to be joined once again by Ben Yellen.
He's the Program Director for Public Policy and External Affairs at the University of Maryland Center for Health and Homeland Security. Ben, it's always great to have you back. We had word come by that the city of
Huntington Park in California has a new addition to their police force. What's going on here?
So the Huntington Park Police Department announced this past June the addition of a robot police officer, or as they call it, an HP RoboCop.
This is a 400-pound security robot.
It roams through the streets of the city of Huntington Park.
And to just try and create an image for people, to me it looks like the offspring of Eve from the WALL-E movie, R2-D2, and maybe a little bit of the cone heads in there, just the shape of the head.
It looks rather silly, something that seems like it would be in a really bad science fiction movie.
It's not intimidating.
That's for sure.
It does not seem intimidating.
Maybe it's not supposed to be.
I feel like I would just laugh if I saw a RoboCop.
But then when you dig into the details, it becomes not as much of a laughing matter.
Part of it is based on the surveillance capabilities of this robot.
So the company that produced it says that this robot is, quote, a fully autonomous security data machine, meaning they basically observe everything around them, take real-time photos and videos, and are just constantly collecting data on what they see.
And the purpose of that from the city's perspective is to fill in blind spots.
So if you can't have law enforcement at all locations at all times, and you can't have traditional surveillance techniques like plain old security cameras, you can have these robots going around corners and into alleyways where there might not be persistent surveillance.
What was particularly disturbing to me is the company trying to describe why this particular
robot wouldn't generate false positives. In other words,
identify people as security threats when they are not actually security threats.
And the answer was something like, well, RoboCop has the power to distinguish between the good
guys and the bad guys. They'll know what makes a criminal and...
I know it when I see it.
I know it when I see it. And they can place, you know, once they determine that someone's a bad guy, they can put the
that person's face through their facial recognition software.
They can red flag that person.
They can collect IP addresses.
They can identify that person's smartphone if it's in a particular geographical range. So this is, you know, pretty disturbing in that oftentimes AI is extremely biased, as we've seen in all sorts of previous studies. In terms of
legal recourse, I mean, we have this public view doctrine, which means if you are out in public,
and a member of law enforcement observes you doing something,
you have no reasonable expectation of privacy.
That's fair game for a prosecutor to use in a criminal court case.
We've talked a lot on this podcast, Dave, about applying that doctrine to all sorts
of modern technology.
So license plate readers, aerial surveillance. When you
start to talk about these robocops, it's so far beyond the traditional understanding of the public
view doctrine, because we're just expanding the universe of what can be seen in public view to
such an absurd degree. I don't think a court at this point would accept the argument that the
public view doctrine shouldn't apply when we're dealing with these robocops or other extremely
persistent forms of surveillance. But I think it's something in the long term they're going to have
to consider. Well, how is this different from, say, a security camera on a telephone pole up in the corner of the public park
versus this thing that can just move around?
It's a camera that can move from place to place,
and its very presence improves the security
because it's an active reminder to folks that safety is a priority here in our public space.
Robocop is on the beat.
Control yourself, people.
Yeah, I mean, you know, with a security camera, there's generally a level of notice.
So people can see the cameras.
They'll realize that they're under surveillance.
I assume if you see one of these guys, these robocops going through the park, perhaps you'll adjust your behavior as well. But, you know, I think that the other big difference is the area that can be covered.
You can put up a million different security cameras, and they're going to be little nooks
and crannies within a jurisdiction that aren't going to be subject to their coverage. And when
you have Robocops on wheels, they're going to be able to go into back alleys and obscure areas of
public parks where security cameras would not be able to reach. So the surveillance is more persistent, and then also the smart elements of this particular surveillance tool, so the ability to take in more information than simply a video or a photo, to do real-time analysis, to do profiling, those are also types of things that don't exist in traditional video surveillance.
Well, and for anybody who is familiar with the original RoboCop movie, please put down your weapon. You have five seconds to comply.
Exactly. Exactly. I never thought RoboCop would come to life in this capacity, although RoboCop, the movie, would have been far less interesting if the RoboCop looked like this
little guy, who just does not seem super intimidating to me.
Yeah. Yeah. All right. Well, we'll see how this one plays out. Ben Yellen, thanks for joining us.
Thank you.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash,
Stefan Vaziri,
Kelsey Vaughn,
Tim Nodar,
Joe Kerrigan,
Carol Terrio,
Ben Yellen,
Nick Volecki,
Gina Johnson,
Bennett Moe,
Chris Russell,
John Petrick,
Jennifer Iben,
Rick Howard,
Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.