CyberWire Daily - REvil is back. Misconfiguration with major effect. Mining Monero. Judgments against market-rigging hackers. A FIN7 operator is sentenced.

Episode Date: June 25, 2021

REvil hits a Brazilian medical diagnostics company and a British fashion retailer. A misconfigured cloud database exposes millions of WordPress user records. A new cryptojacker is deploying XMRig to mine Monero. A judgment is issued against a hacker and one of the traders he worked with to trade securities on non-public information. Johannes Ullrich from SANS on server-side request forgery and errors in validating IP addresses. Our guest, Tom Patterson from Unisys, reacts to the DOJ launching a ransomware task force. A FIN7 operator is sentenced to seven years. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/122

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. REvil hits a Brazilian medical diagnostics company and a British fashion retailer. A misconfigured cloud database exposes millions of WordPress user records. A new cryptojacker is deploying XMRig to mine Monero. A judgment is issued against a hacker and one of the traders he worked with to trade securities on non-public information.
Starting point is 00:02:22 Johannes Ullrich from SANS on server-side request forgery and errors in validating IP addresses. Our guest is Tom Patterson from Unisys, reacting to the DOJ launching a ransomware task force. And a FIN7 operator is sentenced to seven years. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, June 25, 2021. REvil, ... a few weeks ago, has afflicted another victim. São Paulo-based Grupo Fleury, the Rio Times reports, is in the process of responding to and recovering from an attack that's crippled normal operations and forced the
Starting point is 00:03:25 large healthcare organization to revert to backup systems as its customers continue to deliver patient care. Grupo Fleury, the largest medical diagnostic firm in Brazil, was hit on June 22. REvil has also recently hit fashion retailer The French Connection, The Register reports. The French Connection said that the incident affected its back-end servers and that customer data is not at risk. Infosecurity Magazine reports that researchers at Website Planet found a misconfigured cloud database belonging to DreamHost that exposed more than 800 million records associated with WordPress users. It's an accidental exposure, but of course the actual or potential compromise raises the prospect of more plausible social engineering.
Starting point is 00:04:15 The more the hoods know, the more specious their approaches can be. Avast describes a strain of malware they're calling Crackonosh. The malware's coinjacking capabilities appear to be its main goal. Specifically, it installs the XMRig coin miner and collects Monero. Crackonosh is distributed through pirated, cracked copies of software, including some antivirus utilities. CoinDesk says the hoods operating the malware have taken in around $2 million so far. Crackonosh is evasive, and it takes particular care to disable security software
Starting point is 00:04:52 it detects on its victims' machines. The U.S. District Court for the District of New Jersey entered a default judgment against two gentlemen who hacked non-public copies of press releases from Business Wire, Marketwired, and PR Newswire. They then used the information for illicit securities trading. The default judgment, neither of the men appeared, ordered hacker Alexander Yeremenko to pay a Securities and Exchange Commission-imposed fine of $319 million. One of Mr. Yeremenko's colleagues, trader Pavel Dubovoy, was ordered to pay $33 million. Both are currently resident in Ukraine, and so for the time being, at least, beyond the reach of the SEC.
Starting point is 00:05:43 And in other news from the courthouse, another Ukrainian national, Andrii Kolpakov, a leader of some sort in the FIN7 cybercriminal organization, was sentenced yesterday to seven years and required to pay his victims $2.5 million in restitution. ... the restaurant, gaming, and hospitality sectors. Some prominent fast and fast-casual American dining chains were among the victims, including Chipotle, Chili's, Arby's, and Red Robin. FIN7 would sell some of its take in prominent criminal carding markets, like Joker's Stash. Mr. Kolpakov took a guilty plea back in November, and while he evidently made a serious contribution to FIN7's crimes, he was not, as he explained it, anything approaching the kingpin, Big Boy Number One, or Mr. Big. His lawyer argued, in extenuation and mitigation during sentencing hearings,
Starting point is 00:06:45 that Mr. Kolpakov joined FIN7 without fully understanding what he was getting into. Maybe he had a point, although that point wasn't enough extenuation to get him less than seven years. FIN7 represented itself online as Combi Security, an information security outfit that claimed to be a legitimate provider of services to business. This was, for the most part, a recruiting ploy, and Mr. Kolpakov said it worked on him. The record explains, quote, Kolpakov maintained that he did not seek to join FIN7. He applied to a classified advertisement for what he thought was a legitimate cybersecurity job
Starting point is 00:07:21 at a company called Combi Security. Additionally, Kolpakov made about $75,000 for his work, an amount that provided his family security and stability, but a modest sum for a cybercriminal, end quote. FIN7 put up a website for Combi Security on which the front company described itself as one of the leading international companies in the field of information security. But, in truth and fact, the court documents say, Combi Security carried out no legitimate work and was not hired by any company to provide security-related services. So, Combi Security was a front for both recruiting and also a front designed to give FIN7's members a measure of plausible deniability. By the time he realized what was afoot, Mr. Kolpakov said he'd been backed into a corner and found it impossible to get out. He apologized to his victims and asked for their
Starting point is 00:08:16 forgiveness. How was he caught? On vacation, of course. Like most Eastern European cyber criminals, he craved sunlight and warmth. Spanish police collared Mr. Kolpakov in 2018 while he was vacationing in the town of Lepe. He had in his possession incriminating electronic devices, laptop, phone, and storage media, that were used in FIN7's capers. Spain extradited him to the U.S. in 2019. A moral for criminals and privateers: book your vacations in Chelyabinsk. It may not be scenic, but at least it's safe. And for heaven's sake, while you're on vacation,
Starting point is 00:08:58 leave your work at home. We keep telling our editors to do that, but do they listen? No. They take their phones, their laptops, their storage devices to Ocean City with them, and that is no way to vacation. Phooey.
Starting point is 00:09:17 Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Starting point is 00:09:51 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
Starting point is 00:10:16 like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. ... to bypass your company's defenses is by targeting your executives and their families at home. Black Cloak's award-winning digital executive protection platform secures their personal devices,
Starting point is 00:11:12 home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. The U.S. Justice Department recently announced plans for a ransomware task force.
Starting point is 00:11:47 For insights on this development, I checked in with Tom Patterson. He's chief trust officer for Unisys and a senior fellow at Auburn University's McCrary Center for Homeland Security. Yeah, I think this is a direction that this entire administration is heading in. The appointments that have been made in national security and cybersecurity have been people that really have a firm grip, not just on policy, but on what's going on in the real world, how the threats are impacting our critical infrastructure, how they're impacting our daily commerce, how they're impacting our citizens' lives. So they've really, I think, tried to address these issues in a coordinated way, but in a way where they're tackling some of these harder ones that are really highly impactful to our economy.
Starting point is 00:12:35 It strikes me also that this is one of the, I suppose, few areas that remains having bipartisan support. You know, there are, I can't think of anyone in Congress who's against better cybersecurity. Does that point to this having an easy pathway through the legislature, if need be? I've lived in Washington long enough not to project what's going to go through. Fair enough. Absolutely. I'm a lifelong national security employee of some sort somewhere, and I can tell you it is a bipartisan effort. We've got great people, regardless of what color tie they wear,
Starting point is 00:13:20 that are really highly supportive of this on Capitol Hill. The administration has just been loading up on great additional new people, kept a lot of great people. And so we've got a good team on the federal side. I think it will be working to drive this forward. It will take that whole-of-nation effort, though. So we do need companies, especially companies that work in our critical infrastructure sectors, to really step up. And, you know, if they say we need help, I think the government is more than
Starting point is 00:13:51 ready, more ready than they've ever been to step up and give companies the kind of help they need so that they can really help this fight against ransomware. You know, this is everybody's responsibility. You read about these exotic attacks, you know, vectors, and everyone that's a victim says, oh, we could have never foreseen this. And yet a lot of this malware still gets in because companies aren't doing the basics. They aren't doing, you know, the dozen or so basic things that just has to happen. If you want to have an organization today that uses the internet, especially now you've got your employees working from home, you may keep more of that, you've got to step up your defenses and really do the basics across the board. They're
Starting point is 00:14:37 not that hard. There is a cost to it, but consider it the cost of doing business. If everybody did the basic stuff, it would make it much harder for these ransomware folks to really get in and cause this damage. So it's something that everybody needs to participate in. And that was really the gist of the initial report from the DOJ
Starting point is 00:14:57 is that it's a whole-of-nation effort. That's Tom Patterson from Unisys. There's a lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews. ... ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And joining me once again is Johannes Ullrich. He's the Dean of Research at the SANS Technology Institute, also the host of the ISC StormCast podcast.
Starting point is 00:16:26 Johannes, always great to have you back. Got some interesting stuff to cover today. You wanted to check in on this notion of server-side request forgeries and what's going on there. Can you share with us what you're working on? Yeah, so thanks for having me again, Dave. What this is specifically about is, well, server-side request forgery is part of it, and that's certainly a vulnerability that has sort of taken off over the last few years, with us deploying more and more of these APIs that are HTTP-based that sort of connect to each other. And as part of this, we have to validate which other API a particular API can connect to. It's, after all, all about machines talking to machines these days.
Starting point is 00:17:11 We have to make sure we only talk to nice machines, not to those Terminator kind of evil machines that we sometimes have. Sure, sure. But part of how we identify them is by IP address. So a cornerstone of validating what we connect to, what we allow our users to connect to, is validating the IP address. And sadly, pretty much every language that's trying to do this has had a very specific vulnerability lately.
Starting point is 00:17:43 And that's the fact that IP addresses, they may be represented in octal. I'm sure you use octal to add up your grocery bills and stuff like this. Oh yeah, sure. We do this all the time. Just rattle it off. Honestly, I don't think I've thought about octal
Starting point is 00:18:01 since I was a kid. But go on. Yeah, so, and apparently a lot of developers develop these libraries that validate IP addresses, didn't really think about it, but then the libraries that establish the connection, they think about it. And so now, for example, I may specify an IP address,
Starting point is 00:18:31 but now if I use a 0 as the leading digit, that sort of implicates that this is octal. So think about 10-dot addresses. We always use them. They're usually internal addresses, so they may be allowed. Now, if I say 010, so 010, well, in octal that's 8. So now if I want to connect to, let's say, 8.8.8.8, the Google DNS server, and you don't want me to connect to the Google DNS server, I could just specify 010.010.010.010 and bypass your filter.
Starting point is 00:19:02 Wow, okay. Clever computers, clever computers, clever people. Is there a fix here? What's the workaround, or is this something we're stuck with? Well, the fix is as so often just update everything that'll fix it. I think it was this week
Starting point is 00:19:19 we had a fix, for example, for the Python library that does that. A couple of months ago, the respective npm libraries were updated. Perl was vulnerable. Like I said, pretty much any language was vulnerable. As a quick workaround, don't allow these leading zeros. The purists here will complain that you're supposed
Starting point is 00:19:42 to allow it because the standard allows it, but we throw standards out of the window all the time if it makes things easier. And safer. And safer. If there's a leading zero, no good point in having that. Let's throw out those IP addresses and hopefully over time your libraries will get updated and fix that. All right.
Starting point is 00:20:07 Interesting stuff as always. Johannes Ullrich, thanks for joining us. Thank you. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out this weekend's Research Saturday and my conversation with Yonatan Striem-Amit from Cybereason. We're going to be discussing the Prometei botnet exploiting Microsoft Exchange vulnerabilities.
Starting point is 00:20:45 That's Research Saturday. Check it out. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing Cyber Wire team is sending warm wishes for future success to producer Kelsey Bond as she leaves the Cyber Wire and moves on to new challenges and opportunities. On behalf of all of us, I can say that Kelsey's contributions to our team were invaluable and we wouldn't be where we are today without her hard work,
Starting point is 00:21:17 creativity, and dedication. Good luck to you, Kelsey, and don't be a stranger. I'm Dave Bittner. Thanks for listening. Your business needs AI solutions that are not only ambitious, Thank you. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
