CyberWire Daily - The security industry looks at DarkSide ransomware. CISA offers advice on defense and recovery. A new banking Trojan is out. Deprecated protocols remain in use. A quick look at Patch Tuesday.
Episode Date: May 12, 2021
FireEye provides an overview of the DarkSide ransomware-as-a-service operation. Flashpoint suggests a connection between DarkSide and other ransomware gangs, notably REvil. Colonial Pipeline continues its recovery efforts from the cyber attack it sustained. As ransomware grows more common, CISA offers advice on how to prepare defenses. A new Android banking Trojan is in circulation. Cecilia Marinier from RSA on the RSAC Innovation Sandbox. Bret Arsenault from Microsoft previews his new Microsoft CISO podcast. And yesterday, of course, was Patch Tuesday. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/91
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
FireEye provides an overview of the DarkSide ransomware-as-a-service operation.
Flashpoint suggests a connection between DarkSide and other ransomware gangs.
Colonial Pipeline continues its recovery efforts from the cyber attack it sustained.
As ransomware grows more common, CISA offers advice on how to prepare defenses.
A new Android banking trojan is in circulation.
Cecilia Marinier from RSA on the RSAC Innovation Sandbox.
Bret Arsenault from Microsoft previews his new Microsoft CISO podcast.
And yesterday, of course, was Patch Tuesday.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, May 12, 2021.
As Colonial Pipeline continues its recovery from the DarkSide ransomware incident it sustained last week,
various researchers turned their attention to the group behind the attack.
Security firm FireEye, said to have been brought in by Colonial Pipeline to assist with investigation and recovery,
yesterday published a report on DarkSide that emphasizes the group's ransomware-as-a-service model.
It's a selective operation.
Criminal applicants for affiliate status are, for example,
interviewed before being given access to DarkSide's control panel.
But it's also not a monolithic one.
FireEye's Mandiant unit currently tracks five clusters of DarkSide threat activity.
The affiliate model DarkSide uses shares criminal profits. Quote, affiliates retain a percentage of the ransom fee
from each victim. Based on forum advertisements, this percentage starts at 25% for ransom fees
less than $500,000 and decreases to 10% for ransom fees greater than $5 million.
FireEye's report says that Mandiant has identified at least five Russian-speaking
actors who may currently or have previously been DarkSide affiliates.
Relevant advertisements associated with a portion of these threat actors
have been aimed at finding either initial access providers or actors capable
of deploying ransomware on accesses already obtained. Some actors claiming to use DarkSide
have also allegedly partnered with other ransomware-as-a-service affiliate programs,
including Babuk and Sodinokibi, also known as REvil. Researchers at security firm Flashpoint are interested in
the connections they discern between DarkSide and REvil. Quote, Flashpoint assesses with
moderate confidence that the threat actors behind DarkSide ransomware are of Russian origin and are
likely former affiliates of the REvil ransomware-as-a-service group. Several facts support this attribution.
Spelling mistakes in the ransom note and grammatical constructs of the sentences
suggest that the writers are not native English speakers.
The malware checks the default language of the system to avoid infecting systems
based in the countries of the former Soviet Union.
The design of the ransom note, wallpaper, file encryption, extension and details, and inner workings
bear similarities to REvil ransomware, which is of Russian origin and has an extensive affiliate program.
This shows the evolution path of this ransomware and ties it to other Russian-origin ransomware families.
And the affiliate program is offered on Russian-language forums XSS and Exploit. As an aside, many outlets have reported, with an appearance of credulity,
that DarkSide has forsworn attacks that amount to an infliction of social ills,
and that the attack on Colonial Pipeline may be one the operators now regret.
DarkSide communiques have indeed offered various high-minded expressions of care in their selections of targets,
while their avowals have more than a whiff of late-night dormitory discussions
of why it's wrong to steal from people but okay to steal from institutions, man.
It would, we think, be naive to take even such feeble moralizing too
seriously. As Flashpoint observes, quote, it's worth noting that DarkSide actors have pledged
in the past not to attack organizations in the medical, education, non-profit, or government
sectors. At one point, they also advertised that they donate a portion of their profits to charities.
However, neither claim has been verified and should be met with a heightened degree of scrutiny.
These DarkSide operators would be far from the first cyber criminals to make such claims
and not follow through, end quote. Colonial Pipeline's website came back online late yesterday,
newly armored with a reCAPTCHA landing page. The company
published an update in which it reported progress toward resumption of refined petroleum deliveries,
with some 967,000 barrels delivered to Atlanta, Belton and Spartanburg in South Carolina,
Charlotte and Greensboro in North Carolina, Baltimore and Woodbury and Linden, which are close to the port of New York and New Jersey.
Some lines have been operated under manual control since Monday, at least,
and have been moving existing inventory.
As the company prepares to restart deliveries,
they've taken delivery of an additional 2 million barrels,
which they'll ship once service is restored.
The company appears also to be addressing some concerns about its pipeline's physical security,
having increased aerial patrols of their pipeline right-of-way
and deployed more than 50 personnel to walk and drive 5,000 miles of pipeline each day.
The U.S. Cybersecurity and Infrastructure Security Agency has issued an alert that offers a set of best practices to protect against ransomware-induced business disruptions.
The alert was prompted by the attack against Colonial Pipeline, and it includes in its introductory section the preliminary conclusion that DarkSide ransomware affected Colonial's IT systems only and had no direct effect on the company's OT
networks. The best practices CISA advocates are as familiar as they are sound. They include
measures that can be taken to avoid infection in the first place, mitigations that can reduce the
business impact of a ransomware infection should one occur, and steps organizations could take in responding to an attack.
The alert closes with a statement intended to strongly discourage any victim from paying the
ransom their attackers demand. Quote, paying a ransom may embolden adversaries to target
additional organizations, encourage other criminal actors to engage in the distribution of ransomware,
and or may fund illicit activities.
Paying the ransom also does not guarantee that a victim's files will be recovered.
Colonial Pipeline isn't the only energy company to sustain a ransomware attack.
The Wall Street Journal, which notes that ransomware is a burgeoning threat elsewhere too,
reports that Volue ASA, a Norwegian provider of tech to infrastructure and energy companies,
was hit by ransomware earlier this month.
Recorded Future looks at the criminals' recent record
and sees indiscriminate attacks against targets of opportunity,
which appears to be the norm for ransomware operators.
Among the sectors affected indirectly by mounting rates of ransomware
is insurance. The Wall Street Journal describes underwriters' growing skittishness about covering
ransomware risks and that such coverage has become pricier to buy. A major insurer, France's AXA,
announced last week that it will no longer indemnify new policyholders for payments
they make to ransomware operators. It had been the insurance industry practice to do so,
ransomware payments being factored into the risk management calculus the way retailers accept a
certain amount of shrinkage, that is pilfering, shoplifting, of their inventory. It seems likely
that other insurance firms will follow suit.
Ransomware has become too large a problem to treat as a cost of doing business.
Cleafy describes TeaBot, an Android banking trojan that first appeared in Italy
and is now engaged in fraud campaigns across much of Europe.
TeaBot steals credentials and SMS messages. It includes keylogger and screenshot capture functionality.
It disables Google Protect, and it steals other accounts from Android settings
and Google authentication two-factor authentication codes.
It also shows the ability to abuse accessibility services to simulate gestures and clicks on the screen.
ExtraHop this morning released a study of how insecure but widely used protocols expose organizations to cyber risk.
In particular, the deprecated protocol exploited four years ago by WannaCry and the NotPetya pseudo-ransomware,
Server Message Block version 1, SMBv1, remains in widespread use. Other
deprecated and insecure protocols still in use include Link-Local Multicast Name Resolution, LLMNR,
NT LAN Manager version 1, NTLMv1, and Hypertext Transfer Protocol, HTTP.
The U.S. Senate Homeland Security and Governmental Affairs Committee
is deliberating revising the Federal Information Security Management Act
to facilitate information sharing about attacks with national security implications,
Meritalk reports.
The chair and ranking member appear to agree that changes are warranted
by recent high-profile cyber attacks.
Yesterday was Patch Tuesday. Microsoft addressed a total of 55 vulnerabilities,
four of them rated critical. Adobe fixed problems in several versions of Acrobat and Acrobat Reader.
The Zero Day Initiative has a summary of these patches and their implications.
Onapsis, which calls this month's Patch Tuesday a calm one, has an account of the 14 fixes SAP released. Siemens issued 14
advisories for its systems, nine of which, SecurityWeek writes, cover issues in third-party components.
So, patch them if you got them.
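For the ExtraHop item on deprecated protocols, here is an added editor's example (not code from the episode, from ExtraHop, or from any product named above) showing how a network sensor can tell from a client's first SMB message whether SMBv1 is still enabled on that host. The signal is the framing of the Negotiate request: an SMB1-framed Negotiate (header 0xFF "SMB", command 0x72) means the client still speaks SMBv1, even when its dialect list also offers "SMB 2.???" for a multi-protocol upgrade; an SMB2-framed Negotiate (0xFE "SMB") does not. The byte layouts follow the published MS-CIFS and MS-SMB2 header formats; the sample packets are constructed inline from those layouts, not captured traffic.

```python
"""Flag SMBv1 from client Negotiate requests (added editor's example, not code from the episode)."""
import struct

SMB1_MAGIC = b"\xffSMB"          # MS-CIFS header signature
SMB2_MAGIC = b"\xfeSMB"          # MS-SMB2 header signature
SMB1_COM_NEGOTIATE = 0x72
SMB2_NEGOTIATE = 0x0000

SMB2_DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
                 0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}


def strip_netbios(payload: bytes) -> bytes:
    """Drop the 4-byte NetBIOS Session Service header (type 0x00 + 3-byte length) seen on TCP/445."""
    if len(payload) >= 4 and payload[0] == 0x00:
        if int.from_bytes(payload[1:4], "big") == len(payload) - 4:
            return payload[4:]
    return payload


def smb1_dialects(msg: bytes):
    """Dialect strings offered in an SMB1 NEGOTIATE (command 0x72); None if the message is not one."""
    if len(msg) < 35 or msg[4] != SMB1_COM_NEGOTIATE:
        return None
    word_count = msg[32]                      # parameter words follow the 32-byte header
    bc_off = 33 + 2 * word_count
    if len(msg) < bc_off + 2:
        return None
    byte_count = struct.unpack_from("<H", msg, bc_off)[0]
    data = msg[bc_off + 2: bc_off + 2 + byte_count]
    dialects, pos = [], 0
    while pos < len(data) and data[pos] == 0x02:   # BufferFormat 0x02 = dialect string
        end = data.find(b"\x00", pos + 1)
        if end < 0:
            break
        dialects.append(data[pos + 1:end].decode("ascii", "replace"))
        pos = end + 1
    return dialects


def smb2_dialects(msg: bytes):
    """Dialect codes offered in an SMB2 NEGOTIATE (command 0); None if the message is not one."""
    if len(msg) < 64 + 36 or struct.unpack_from("<H", msg, 12)[0] != SMB2_NEGOTIATE:
        return None
    body = msg[64:]
    struct_size, count = struct.unpack_from("<HH", body, 0)
    if struct_size != 36 or len(body) < 36 + 2 * count:
        return None
    codes = struct.unpack_from("<%dH" % count, body, 36)
    return [SMB2_DIALECTS.get(c, "0x%04x" % c) for c in codes]


def classify_negotiate(payload: bytes) -> dict:
    """Report whether a client's first SMB message shows SMBv1 is still enabled on that host."""
    msg = strip_netbios(payload)
    if msg.startswith(SMB1_MAGIC):
        # Any SMB1-framed Negotiate, even one offering "SMB 2.???", means SMBv1 is on at the client.
        return {"framing": "SMB1", "dialects": smb1_dialects(msg) or [], "smb1_enabled": True}
    if msg.startswith(SMB2_MAGIC):
        return {"framing": "SMB2", "dialects": smb2_dialects(msg) or [], "smb1_enabled": False}
    return {"framing": "unknown", "dialects": [], "smb1_enabled": False}


# Constructed sample packets (not captures), assembled from the wire layouts above.
def build_smb1_negotiate(dialects) -> bytes:
    header = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * 27        # 32-byte SMB1 header
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    msg = header + b"\x00" + struct.pack("<H", len(data)) + data             # WordCount=0, ByteCount
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def build_smb2_negotiate(codes) -> bytes:
    header = SMB2_MAGIC + struct.pack("<H", 64) + b"\x00" * 58              # Command (offset 12) = 0
    body = struct.pack("<HHHHI", 36, len(codes), 1, 0, 0) + b"\x00" * 24     # ClientGuid + context fields
    msg = header + body + struct.pack("<%dH" % len(codes), *codes)
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


if __name__ == "__main__":
    samples = {
        "legacy client": build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"]),
        "win client, SMB1 on": build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"]),
        "win client, SMB1 off": build_smb2_negotiate([0x0202, 0x0210, 0x0300, 0x0302, 0x0311]),
        "plain HTTP": b"GET / HTTP/1.1\r\nHost: fileserver\r\n\r\n",
    }
    for name, pkt in samples.items():
        print(f"{name:22s} -> {classify_negotiate(pkt)}")
```

This only reads the client's offer; the server's choice shows up in the Negotiate response, so a host flagged here is a client with SMBv1 enabled, not necessarily a server that will accept it. On a Windows host itself, `Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol` and `Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol` give the authoritative local answer.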
A highlight of the annual RSA conference is the Innovation Sandbox, where hopeful startups are given the opportunity to pitch their wares in front of a panel of esteemed industry leaders.
It's one of many innovation-focused endeavors from RSAC.
And joining me with an overview is Cecilia Marinier,
Cybersecurity Advisor for Strategy, Innovation, and Scholars at RSA Conference.
So this contest actually started back in 2005.
And it has been one of the flagship events at conference. And I believe also it's a flagship
contest across the globe talking about innovation and cybersecurity. So we're very blessed to have
amazing companies keep on putting their name in the hat to see who will be selected as one of the
top 10 finalists. For this year, we have an incredible lineup of companies.
It's, you know, I've been doing this for the past six years
and this particular year is so strong.
There were so many solid, amazing companies
that could have made it to the stage.
I actually wish I could have done two or three
of these contests because there was that many
that were that good.
So the quality and the
interest and where they're taking the innovation this year is really something to watch.
Can you give us a preview of what we might expect to see this year?
Absolutely. So one of the things that back at the beginning when we opened up this submission
process, and for any entrepreneurs, we do this about three months before the conference
starts. So please mark in your calendar to October for next year. But when we started this,
I had interviewed Niloo Howe, who's one of the judges. And I asked her, Niloo, what do you think
is going to be innovative in this year? And she's like, oh my goodness, the reality is everywhere.
And she named off at least 15 different areas
where she was seeing innovation happening in cybersecurity.
And it has a lot to do with the times.
It has a lot to do with the change from working from home.
But we've seen innovation everywhere.
And what I was really impressed by
is the diversity of not only the companies
where they came from,
but also just the actual innovative spotlights
that they're coming at.
What are the solutions actually focused on?
And it is security risk and compliance
and zero trust networks, democratizing fraud alerts,
cloud infrastructure security,
data security protection, encrypted learning,
SecDevOps infrastructure platform.
And I mean, just, I can keep on going on and on.
It was just an incredible year of innovation
in almost all facets of cybersecurity.
You know, one of my favorite things
when we're able to attend RSA conference in person
is to wander around the edges of the show floor,
to find those startups, those little
companies who have, you know, some of them not much more than a hope and a dream, but that they
really believe that they've got something that could really change things. In the virtual world,
it's harder to have that sort of serendipity of discovery, but I know you all are working on making those discoveries
still possible this year. Absolutely. Great for highlighting this. We have an area in our digital
expo called the Early Stage Expo Area. It's on site. We have a place on site that's also
dedicated to startups. But when you come into the RSA conference this year, please go into the expo area, check out those exhibitors that are in the early stage startup area. They're all also very
interesting and have great solutions. And the top 10 will be included in there as well, the
Innovation Sandbox top 10 companies. So if you want to learn more about what they're doing,
I highly recommend going into the Early Stage Expo area.
That's Cecilia Marinier from RSA Conference.
I have some special news to share today. The CyberWire Podcast Network is proud to be partnering with Microsoft to bring you a new podcast.
It's called Microsoft Security Unlocked CISO Series,
and it's hosted by Microsoft's Chief Information Security Officer,
Bret Arsenault. Bret joins me with a preview of the new podcast.
The idea of starting the podcast was, over the past year, particularly with the pandemic
and people working in different scenarios, I would get asked often about, you know,
how do you think about security in this environment? What do you do? What are best practices?
And I've had the opportunity to meet with customers and partners and people from all over the globe that have really amazing and unique perspectives because
it's affected people differently. Some people, like you think geographically, sectorally,
if you're in manufacturing versus service industry. And so this is just a way to share,
frankly, some of the great learnings
I've been able to be fortunate enough
to meet with people
to have those kinds of conversations.
You know, one of the things that strikes me
is that as CISO at Microsoft,
you certainly have your eye
on a breadth of issues
all around the world.
So you're going to be able
to bring that perspective to the show.
Yeah, I think we do have a unique position in that,
one, we are one of the more attacked companies in the globe,
and two, we have a unique position in just the way we protect ourselves
and how we work in that environment.
So yeah, I think there's a pretty interesting opportunity
from both us and our customers and partners to share some of that.
What are your goals in terms of some of the conversations you're looking to have?
Really, the goals should be super simple.
One, get some key insights and topics relative to cybersecurity.
But most importantly, leave with three practical things you can go do to help your position or help you with your own security mission.
So that idea that there are lots of smart people, converting that into the three actions you could go do that would actually help improve your security posture,
that's fundamentally what success would look like at the end of each session.
And who are you targeting here?
Are we aiming for other cybersecurity professionals?
Are we looking for folks throughout an organization who may gain from your wisdom?
Yeah, I think there'll be security people who are interested, but honestly, I think it'll be
people outside the security realm. I think security executives who aren't steeped in security,
but are trying to get a simplified view on what things they should go prioritize and maybe how they should go talk to their security people.
You know, I think an interesting perspective that you bring to the table is one of scale. I mean,
we think about Microsoft as being the large global company that it is, but would you say that you're
really fighting a lot of the same fights that people who are defending organizations
of all sizes around the world are faced with? Yeah, I agree. Security is an interesting realm
in that it impacts all facets of the business on all sectors, from consumer, like personally,
to small business, to mid-market, to enterprise, and also every part of the business, whether it's
business applications or whether it's cloud services
or on-premise services. So it really does touch about every element or every part of every
business. And the good part of it is that the things that we learn even at enterprise scale,
the same things apply, like how you do zero trust or securing a hybrid workforce are relative
and relevant for a small business, a medium-sized business, a large business, and some for the consumers.
Although this isn't targeted to consumers, so I probably wouldn't include that.
Yeah, yeah.
You know, as one of the most well-known brands, certainly when it comes to computing,
but I would say just in general,
Microsoft, is it fair to say that you all have a bit of a target on your back
when it comes to folks trying to come at you in the
cybersecurity realm? I think it's fair to say.
I have a great t-shirt with a big bullseye on the back that I got when I took this job.
I think that adversaries come after all sorts of companies and sectors and industries and regions for various reasons.
But yeah, certainly being a large player in the space, in the technology space,
we see our fair share of attempts.
Can you give us a preview of some of the topics that you're
planning on addressing here on the show?
Yeah, I think the topics that we want to cover is really driven by the types of questions
we were hearing broadly from our customers.
How to secure the cloud?
What is zero trust really and how do I implement it?
Securing a hybrid workforce in the new world of work
as we slowly come out of this pandemic.
And really things like that or cybersecurity skills gaps.
Most people are struggling with how to get the right talent
and how to address that.
I think they're topics that really address every company,
every business, and every sector around the world.
You know, Bret, one of the things that I think you bring to the table
as the CISO at Microsoft is you have an extensive Rolodex.
When you make a phone call, people are likely to answer it.
And I'm hoping that that means you're going to get some really interesting guests who are going to join you on the show.
Yeah, it's a great point. The guests are who make the show. These will be
who I consider some of the industry thought leaders in security, both from Microsoft,
but probably more importantly, from customers who are just doing amazing work.
And the goal for them really is in every episode to share practical advice,
not just theoretical work, that their listeners can actually go implement
and help them drive their own security missions.
All right, well, Bret, we're looking forward to hearing the Microsoft CISO podcast here.
Best of luck to it, and thanks for taking the time for us today.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building
the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is
Elliot Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard,
Thanks for listening. We'll see you back here tomorrow.