CyberWire Daily - SolarWinds patches a zero-day. Trickbot is back. Bogus Twitter accounts, now suspended, were verified by the social medium. DarkSide hits Guess. Updates on REvil and Kaseya.
Episode Date: July 13, 2021
SolarWinds addresses a zero-day that was exploited in the wild. A watering hole campaign lures users of online gaming sites. Inauthentic accounts (now suspended) get a blue check mark. Trickbot is back, with new capabilities. DarkSide hits fashion retailer Guess. Malek Ben Salem from Accenture on remediation of vulnerabilities using AI. Our guest is Jeff Williams from Contrast Security with a look at application security in financial services. And some updates on Kaseya, its customers, and the current state of REvil. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/133 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
SolarWinds addresses a zero day that was exploited in the wild.
A watering hole campaign lures users of online gaming sites.
Inauthentic accounts, now suspended, get a blue checkmark.
TrickBot is back with new capabilities.
DarkSide hits fashion retailer Guess.
Malek Ben Salem from Accenture on remediation of vulnerabilities using AI.
Our guest is Jeff Williams from Contrast Security
with a look at application security and financial services
and some updates on Kaseya, its customers,
and the current state of REvil.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 13th, 2021.
SolarWinds is addressing a zero-day, unrelated to last year's widespread Sunburst exploitation
of its services for cyber espionage, Ars Technica reports.
SolarWinds, which credits Microsoft with alerting it to the problem,
has issued an update to fix the vulnerability in its file transfer software.
The company said, quote, The vulnerability exists in the latest Serv-U version 15.2.3 HF1 released May 5, 2021,
and all prior versions.
A threat actor who successfully exploited this vulnerability could run arbitrary code with privileges.
An attacker could then install programs, view, change,
or delete data, or run programs on the affected system. The vulnerability has been exploited in
the wild by at least one threat actor, The Record reports, but neither SolarWinds nor Microsoft have
said when, where, or by whom. A watering hole campaign affecting some online gambling sites based in China
is serving up either Cobalt Strike beacons or the BIOPASS RAT,
which Hacker News describes as a hitherto undocumented Python-based backdoor.
The site's support chat pages are infested with lures
to induce the unwary to download the malware. Hacker News writes,
quote, the attack involves deceiving gaming website visitors into downloading a malware loader
camouflaged as a legitimate installer for popular but deprecated apps such as Adobe Flash Player or
Microsoft Silverlight only for the loader to act as a conduit for fetching next-stage payloads.
End quote.
Trend Micro warned of the campaign in a report issued Friday.
The Daily Dot rounds up tweeted reports about six accounts that received Twitter's coveted blue checkmark,
but which appear to be bogus.
The accounts appeared roughly simultaneously last month,
shared many of the same followers, each having about a thousand,
used either stock images or pictures generated by AI as their profile pictures,
and had done very little actual tweeting.
Twitter user Conspirador Norteno, identified as a data scientist interested in disinformation, posted that,
quote, very few of the accounts in this network have tweeted. The majority of the tweet content
is spam in Korean, sent via automation service dlvr.it promoting a website, end quote. Twitter
has revoked the account check marks and suspended the accounts as inauthentic.
We have now permanently suspended the accounts in question and removed their verified badge under our platform manipulation and spam policy.
Blue-checked accounts have long been coveted by bad actors, but they've typically sought to get access to them by compromising legitimate accounts.
Getting such verification for purely bogus, inauthentic accounts is unusual,
and Stanford Internet Observatory's Alex Stamos commented that
a bribed insider might have served as the conduit for the checkmark.
Quote,
You might have a malicious or bribed insider.
Something similar happened at Instagram, paid off by scammers in that case, he tweeted.
TrickBot, the Russophone cybercriminal network heavily involved in ransomware, has returned, the Daily Beast reports.
TrickBot and the gang behind it, Wizard Spider, had been disrupted in October of 2020 by U.S. Cyber Command and various industry actors, Microsoft prominent among them.
It's now resurfaced with a new virtual network computing module that Bitdefender describes as including
new functionalities for monitoring and intelligence gathering.
The renewed TrickBot seems involved in creating the Diavol ransomware strain Fortinet described earlier this month.
The resurgence is an example of the resilience of criminal organizations,
which survive both takedowns and arrests of some key figures.
Whatever restraints Moscow's commitment to legality have placed on ransomware gangs
don't appear to have put DarkSide entirely out of business.
It's been disclosed that the gang has hit fashion retailer Guess, ZDNet reports.
Guess has been relatively tight-lipped about the incident beyond saying that customer paycard data
was not compromised during the February exposure, but that other information, notably employee data,
was exposed.
Bleeping Computer notes that Guess hasn't said which group was behind the attack,
but DarkSide had already counted coup by listing the retailer among its victims.
Kaseya has completed addressing the three vulnerabilities REvil exploited at the beginning of the month.
Threat Post summarizes the fixes, and IGI places them in perspective.
Customers continue what VentureBeat calls their long slog to recovery.
The general consensus is that REvil operates with at least the knowledge of,
and probably with the tacit approval and encouragement of, the Russian government.
The joint enforcement action the U.S. has requested of Russia has not materialized,
GovInfoSecurity notes.
Moscow is standing on ceremony as it expresses its commitment to the rule of law,
as The Register puts it, with a straight face.
But so far, there are few, if any, signs of Russian authorities taking action against the gangs that operate with impunity from its territory. We'll continue to follow developments and operations against
REvil, DarkSide, and other ransomware gangs, with particular attention paid to Russian
enforcement actions, if any such appear, and U.S. retaliation, again, should any such appear.
One preliminary report tweeted this morning by Recorded Future's Allan Liska says that REvil's sites have been down since 1 a.m. Eastern Daylight Time, which would be 8 a.m. Moscow time.
It is, of course, too early to know what to make of this: whether it's a temporary tactical occultation, whether it's a system failure, whether the gang is absconding,
whether Russian authorities have told the gang to chill for a while, whether those same authorities have actually
taken action in conformity with their public commitment to the rule of law and the responsibilities
of sovereignty, or whether some foreign cyber organization has reached into Russia.
All of these are possibilities. Some are more likely than others.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical
for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30
frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members
discover they've already been breached. Protect your executives and their families 24-7, 365
with Black Cloak. Learn more at blackcloak.io.
Services Report, exploring the strengths and weaknesses in the apps many of us use to manage
our personal and professional finances. Jeff Williams is co-founder and chief technology
officer at Contrast Security. Everybody uses applications for just about everything that's
important in their lives, and not much is more important than financial institutions. So where
you bank, where you store your money, where you get your insurance, all those things use a massive amount of applications. In fact, those companies are
some of the largest software development organizations in the world. And so we thought
it'd be useful to study them, find out what they think about their application security efforts,
where they're weak, where they're strong, and publish the results.
Where do financial services organizations stand when it comes to addressing the specific challenges that they face with their application development?
Well, they almost all have a program in place. So they'll have a small team of experts,
sometimes a large team of folks, and they use tools, they scan their applications. But I would
say most of them, I think, are really sort of more focused on a compliance kind of approach,
like enforcing application security rules, rather than actually making real progress
on securing applications. And so what we found in the study was some disturbing facts about
application security in financials. Well, take us through some of the things that you explored here.
Well, the big thing that jumps out at me from this study is that when we asked them about
whether they've been actually breached through their applications, this is not network breaches.
We're not talking about ransomware, email attacks or anything. Just through their web applications and web APIs, 98% admitted that they had at least three successful application exploits in the past year. That, to me, is shocking.
52% saw 10 or more successful attacks over the last 12 months.
That's a terrifying level of attack.
I mean, there's hundreds, thousands of financial institutions out there, and they're all getting attacked at a very high rate successfully.
And it's way more than what you read about in the newspaper, for sure.
Can you give us a little perspective on that? I mean, what's the range when we talk about
an attack on one of these organizations, a successful attack? Can you give us a range of
the spectrum or, you know, how serious are they? How concerned should we be?
Yeah. So one thing we asked about was the cost of each of these breaches. And 99% of respondents
in organizations with more than
15,000 employees, which is a substantial portion of this survey, put the cost of each attack at
more than a million dollars. So when we're talking about, you know, 10 a year, that's a million
dollars each time. Are they seeing this as a cost of doing business to some degree, or how are they coming at this?
Well, I think they all want to do better. They certainly don't want to have successful breaches
against them because any one of these breaches could be much more serious than a million dollars.
So I hope that they haven't resigned themselves to thinking of this as a cost of doing business
because it's very preventable. Now organizations that are effective here, who are doing a good job,
are there things that you find that they have in common? Yeah, I think we see well-structured
AppSec programs that focus on what matters. They use threat modeling. They've automated as much as possible of application security so that their teams can make code changes, push them into their pipeline.
The pipeline does all the security testing, and they're cleared to go into production with a high degree of confidence that what they've written is secure.
Teams that struggle are much more manual-oriented.
They do pen testing maybe a few times a year.
They don't do it on all of their applications.
They haven't really standardized their approach on application security.
So I think that's one huge thing that teams can do to get better.
That's Jeff Williams from Contrast Security. Thank you.
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And I'm pleased to be joined once again by Malek Ben Salem.
She is the Technology Research Director for Security at Accenture.
Malek, it's always great to have you back.
You know, I want to touch base with you on application security.
You know, we've seen the recent executive order come down from the presidential administration.
I know that's something that you and your team are working on.
Specifically, can we touch today on optimizing security scanning?
Yeah, sure. Thanks for having me back, Dave.
Yeah, with the executive order, I think there has been calls for even more scanning,
more application scanning, and performing various types of scans. You know, the static application security tests or SAST, DAST scans,
IAST scans, etc. But we know that these scans generate loads of findings that developers may
not be able to respond to in a timely manner, or they may not be able to respond to at all,
right, especially for the vulnerabilities that are not that critical.
So what we wanted to do is to help these development teams prioritize what they need
to respond to. And we do so by, you know, several optimizations. Number one, we generate some exploitability rankings for these vulnerabilities so that the teams respond to the findings level by adding some additional information about the vulnerabilities, such as their exploitability over time, their past exploitability.
But also, you know, these are scores that are available through the NVD database, right, through their common vulnerability scoring system.
They do provide some of these scores,
such as the impact of the vulnerability and its exploitability.
But it's based on the likelihood of that vulnerability being exploited.
What we add is threat intelligence information about whether that vulnerability has been actually exploited,
whether we've seen POCs, right,
proofs of concept of that vulnerability being exploited
and how many of them do we see.
Now, we also include information about the vulnerability notability.
So if vulnerability is gaining notability in the media,
that means it either has been used
or is very likely to be used by malicious actors.
By combining all of these scores,
we come up with better exploitability rankings
for these vulnerabilities that application teams
and application development teams and security teams
can use to prioritize which
vulnerabilities they need to mitigate or remediate first.
So is it part of the notion here that you're providing a lot more context to the information
that they're getting?
Absolutely.
And that is key for these teams who are very time constrained.
The second thing we do actually is identify any correlated vulnerabilities or in some cases, any false positives that the scanning tools generate.
We have realized that a lot of the vulnerabilities being found are actually false positives that teams do not have necessarily to respond to.
And so we do some triaging to help these teams,
and we do that through different techniques. Number one, we look at duplicates within the same scan.
So we review the same scan, identify if there are any vulnerabilities
that have been reported twice or more, and we remove those so that the teams respond to fixing
the vulnerability just once. We correlate findings between different types of scans.
So we take the SAST scan and the DAST scan, and we try to identify if there are vulnerabilities reported in the same scan that are actually the same vulnerability.
Again, this would help the team just respond to one, right, mitigate just one, instead of responding twice to these vulnerabilities reported differently on two different reports.
And then the third thing, we do correlation between scans.
So what I talked about, between scans in different time windows, right?
So earlier I talked about correlating vulnerabilities between a SAST and a DAST scan,
and that's at one snapshot.
But sometimes we can correlate a scan done, let's say, a week ago with a scan that has been done today
and look at the correlations between the vulnerabilities between scans
and remove any false positives that have been identified in the previous scan
so that we don't have to respond to it again
or analyze it in the current scan.
And what we found out is that we can identify
between 50% and 80% of these false positives,
and we're able to save about 64% of the security analyst's time
as they are reviewing these findings from the scans
and as they are trying to triage them.
And this can be all enabled through artificial intelligence.
That's fascinating.
I mean, obviously, nothing is perfect,
and I suspect the AI is not perfect as well.
But I mean, is the system constantly feeding back on itself so that over time the results that it generates are also improving?
Absolutely. Absolutely.
It is constantly learning and it's constantly applying or contextualizing information for particular clients because we know that the development environment
for one of our clients may be different from another client.
So we are optimizing that learning for client environment.
Yeah, interesting.
All right, well, fascinating stuff.
Malek Ben Salem, thanks for joining us.
Thank you, Dave.
And that's The CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan,
Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow. Thank you.
and data products platform comes in. With Domo, you can channel AI and data
into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare,
and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps
tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.