CyberWire Daily - Three ransomware gangs up their game. The US Postal Inspection Service’s “Internet Covert Operations Program.” GCHQ warns of dependence on Chinese tech. Undersea cable security.
Episode Date: April 23, 2021
Ransomware operators begin timing their releases for more reputational damage. Another gang is equipping its ransomware with scripts to disable defenses, and yet another is now into stock shorting. The US Postal Inspection Service is apparently monitoring social media. GCHQ’s head warns of the dangers of becoming dependent on China’s technology. Johannes Ullrich from SANS on commodity malware targeting enterprises. Our guest is Etay Maor from Cato with some of the clever ways criminals avoid detection. And it’s not just sharks interested in undersea cables. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/78 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout.
That's joindeleteme.com/n2k, code N2K.
Ransomware operators begin timing their releases for more reputational damage.
Another gang is equipping its ransomware with scripts to disable defenses,
and yet another is now into stock shorting.
The U.S. Postal Inspection Service is apparently monitoring social media.
GCHQ's head warns of the dangers of becoming dependent on China's technology.
Johannes Ullrich from SANS on commodity malware targeting enterprises.
Our guest is Etay Maor from Cato with some of the clever ways criminals avoid detection.
And it's not just sharks interested in undersea cables.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, April 23rd, 2021.
Ransomware continues to trouble organizations.
One of the bigger recent incidents was REvil's attack on Taiwan's Quanta, a major supplier for Apple, an attack that came to general attention this week.
ThreatPost reports that after Quanta refused to pay, the REvil gang began to leak sensitive design documents online,
and they timed their leaks to coincide with Apple's big Spring Loaded product announcement event.
REvil wants $50 million by May 1.
In other ransomware news, researchers at GuidePoint Security say that the gang behind Mount Locker is changing the way it does business.
Mount Locker, whose ransomware-as-a-service business entered the criminal marketplace in the second half of last year,
has been an unfortunately effective but fairly conventional criminal operation.
It encrypted and exfiltrated files in the double extortion, threatening both data availability and data privacy, that's now customary with ransomware operators.
Now, however, GuidePoint says Mount Locker is stepping up its game by including scripting and capabilities directly targeting prevention measures, along with other enhancements.
The extortionists are now deploying scripts tailored to the specific defensive tools they find in their target's environment.
And another ransomware group has expanded its threats to a promise that they'll work with crooked market speculators to short the stock of the companies they target.
Recorded Future finds that the hoods behind the DarkSide ransomware have now made it formal.
Dmitry Smilyanets, threat intel analyst at Recorded Future, told the Record, quote,
while other ransomware families previously discussed how to leverage the effect of a publicly disclosed cyber attack on the stock market,
they have never made it their official attack vector, end quote.
The U.S. Postal Service is running an Internet Covert Operations Program, Yahoo News reports,
apparently a broad monitoring of U.S. citizens' social media activity
in an effort to trawl for signs of extremist content that might suggest incipient violations of law.
The news has been poorly received by privacy advocates and some members of Congress.
The U.S. Postal Inspection Service is an actual law enforcement agency
with a serious and long-standing mission to protect postal service operations
that goes back to the surveyors Benjamin Franklin appointed for that purpose in the late 18th century.
In fact, since William Goddard was appointed the first surveyor on August 7, 1775,
the service arguably predates the Republic itself.
The Postal Inspection Service describes its mission as
to support and protect the U.S. Postal Service and its employees, infrastructure, and customers,
enforce the laws that defend the nation's mail system from illegal or dangerous use,
and ensure public trust in the mail.
It currently organizes that mission under several relatively expansive heads,
protecting USPS, protecting USPS employees, illegal narcotics, mail and package theft,
identity theft, mail fraud, fraud prevention and education, suspicious mail, disaster response,
money laundering, cybercrime, global mail security, and child exploitation.
Presumably, incitement or conspiracy carried out over social media would fall under cybercrime,
but the whole business strikes many as questionable domestic surveillance.
The Postal Inspection Service didn't reply directly to Yahoo News in response to their questions,
but they did return a general statement about their activities.
They cast the Internet Covert Operations Program
as a routine protective measure to secure the mail.
Here's how they put it.
Quote,
The Internet Covert Operations Program is a function within the U.S. Postal Inspection Service
which assesses threats to postal service employees and its infrastructure
by monitoring publicly available open-source information.
Additionally, the Inspection Service collaborates with federal, state, and local law enforcement agencies
to proactively identify and assess potential threats to the Postal Service, its employees and customers,
and its overall mail processing and transportation network. In order to preserve operational effectiveness,
the U.S. Postal Inspection Service does not discuss its protocols, investigative methods, or tools.
End quote.
So, tell it to the people squabbling with their city's water department over late charges
because their bill was delayed by, in some cases, a month or more.
The Guardian notes that the surveillance effort comes
at a time when the U.S. Postal Service's core responsibility of delivering mail has been
perceived as falling off from previous standards. Sniffing out revolutionary or reactionary
wrong-think is now in the Postal Service's remit. NSA didn't want the mission, so it went to the
Postmaster General?
Representative Thomas Massie, for example, a Republican representing Kentucky's 4th District, put it this way, quote,
Disturbing. Why do presidents and my colleagues in Congress tolerate these violations of the Constitution?
Also, and unfortunately, the USPS has been losing money for many years,
so where do they find the money to run this surveillance program?
End quote.
Representative Massie tweeted these remarks,
so one presumes the Postal Service received them.
Had he dropped them in the mail?
Who knows.
It's a good thing dogs don't actually get mail,
or they'd have an even bigger justification
in the ancestral canine war with letter carriers
than pooches already do.
The head of Britain's GCHQ says that the West faces a moment of reckoning in cyberspace
and that unless it wants the world's operating system to be made in China,
it had better get skeptical about relying on Chinese technology in its infrastructure.
GCHQ director Jeremy Fleming told the BBC,
The risk as I see it today is that we lose control of the standards
that shape our technology environment.
The pressure to allow Chinese tech in will grow as cities become inevitably smarter,
smarter in the IoT sense of the word.
Fleming sees the experience of rolling out 5G technology as an important cautionary tale.
And finally, have you thought about the possibility of undersea cables being hacked?
Whitehall has.
Technorati says the UK is procuring a surveillance ship to quietly inspect cables for physical interference.
It's a real possibility.
The Royal Navy did it to German diplomatic communications during World War I,
so Whitehall should know.
And the Royal Navy's not the only one, either.
Or so we hear.
Skittishness about cables has been a point of contention in the southwestern Pacific in particular, where Australia has objected to Chinese tech companies' participation in running cable service to neighbors like Papua.
Of course, there's physical interference, and then there's physical interference.
There are plenty of documented cases of sharks gnawing on undersea cables,
presumably attracted by the EMI energy they may be putting out.
Real sharks, not, you know, robot sharks with lasers.
Calling all sellers.
Salesforce is hiring account executives
to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com/careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies, like Atlassian and Quora, have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
...for $1,000 off.
...with the familiar flavors of pistachio, or shake up your mood with an iced brown sugar oat shake and espresso.
Whatever you choose, your espresso will be handcrafted with care at Starbucks.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals
to bypass your company's defenses
is by targeting your executives and their
families at home. Black Cloak's award-winning digital executive protection platform secures
their personal devices, home networks, and connected lives. Because when executives are
compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Adversaries have perfected their game when it comes to evading endpoint security, sandboxes, threat intel feeds, and more.
And the ongoing shift to the cloud has opened up new opportunities for them and challenges for defenders.
Etay Maor is Senior Director of Security and Strategy at Cato Networks,
and he joins us with thoughts on network-based threat hunting and leveraging your tools to work together.
I think we're actually in a very interesting time right now because
different threats have been evading security controls for a while now,
but almost everything we had was on-prem, and we used
endpoint types of detections. And now a lot of the
companies, a lot of organizations are moving
to the cloud, which is a great opportunity for security. But as we've learned in the past,
it's also a great opportunity for attackers as well. So I think one of the challenges, though,
that we find ourselves now is we're trying to use old school or the techniques that were used in the past for on-prem infrastructure to detect
and mitigate cloud-based threats.
And it's not what it was designed for.
I mean, the attackers already know how to beat the old versions
on on-prem, and of course, for cloud infrastructure,
it's a different game.
Well, I mean, let's continue along with that metaphor then.
I mean, when folks are working in a cloud environment,
what sort of things do you recommend they have in place?
So there's several security solutions and architectures
that I would recommend.
But before even going to that,
I think a lot of organizations can better utilize what
they already have today in-house, which means taking a look at some of the security feeds that
they have, intelligence feeds, and correlating them, for example, is one good practice.
I worked for a threat intelligence company in the past as well. And I think some of these
feeds, some of the info that's there is amazing, but it's really siloed. And the attackers take advantage of siloed
information. For us as defenders, we have the opportunity to actually take all the information
that's coming from multiple sources, multiple vendors, whatever it is, and correlate them to
really identify threats and sometimes even identify threats
that have not been identified before.
And here's where I'm getting to the old school approach
versus the new school approach.
Old school approach was, hey, let's sign everything
and fight it.
As soon as I see that signature on my network,
I can identify it.
But there's so many threats out there today.
And I'm just taking one small example, right?
But there's so many threats out there today that signing everything is not easy,
not to mention the fact that sometimes you may want to identify the threat even if it's not signed.
And that's where I'm getting into network-based threat hunting,
which is, you know, one of the things that is allowed if you use a SASE architecture where you have the security and the network controls combined and integrated, merged,
and you can start looking at things and say, hey, so I have an alert here. Let's combine that with information I know from all the network that I'm seeing, all the different network flows.
Is this little communication, is it going to somewhere that I've seen before?
Does it act in a certain way?
Did it invoke certain processes?
There's all kinds of elements you can collect from different systems.
And when you put all of them together, you can say, you know what?
I don't know what it is, but it's not something good.
Now, each one of them alone may not raise an alert. And we actually tried this with our own
security team. We saw threats that went undetected when you looked at them in a siloed view of one
of a specific, for example, threat intelligence or certain types of controls that you have.
But when you combined three or four of these elements together,
you could say, I don't know what it is,
but I know it's not acting like I would expect something good to act.
Does that make sense?
It does.
Now, the actual combining of the data there,
integrating that information,
how should folks go about doing that?
So you can use all kinds of models.
There are actually some good articles out there.
We have our own MDR team, and they take this information and combine different security feeds, combine popularity, for example.
Like I said before, one of the examples is if I have access to data for hundreds of customers,
and now I see that one of my customers is trying to communicate over the network to a certain domain or URL.
Has any one of the other customers ever tried to connect to it?
That's a popularity rating, right?
And you can say, well, no, it's the first time. So maybe it's a domain that was just created, and it's not Google. It's not Yahoo. It's not CNN.
And so it's suspicious. Other things that we look into, for example, are the domains themselves.
You start looking. If you try to sign a piece of malware, the malware may communicate to different domains,
so the signature, or the network signature of it, changes.
But if you look at the domains themselves,
all of a sudden you start seeing these different patterns.
Oh, wait a minute, this domain,
it's always 24 characters
and it's always a vowel number, vowel number.
Okay, I'm seeing a pattern here.
So now I'm going to search for this pattern
in all the communications.
And by the way, not just for this customer, for all my customers.
And now I'm actually a security vendor, but I'm actually using the knowledge,
the combined knowledge coming both from security and network of my customers
to actually get a very good understanding of what is the threat landscape.
And, you know, where is the needle in the needle stack?
Because there's a lot of needles.
There's a lot of bad stuff going on.
But you really want to detect the ones
that, you know, might put you in the news
in a couple of days.
So that's the type of work that we're doing.
That's Etay Maor from Cato Networks.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Johannes Ullrich.
He is the Dean of Research at the SANS Technology Institute,
also the host of the ISC StormCast podcast.
Johannes, it's great to have you back.
I know you and your team have been tracking some commodity malware
that's been targeting enterprises lately.
What are you all looking at?
Yeah, so if you are in this business,
one of the sad parts about it is that day after day,
you see these reports, you get the sample: an email arrives with your Office attachment and a macro.
And, of course, for the most part, enterprise tools have a pretty good handle on them and are removing those malicious attachments.
But every so often something slips through. Now, often these exploits are really more targeted at your home small business user
that doesn't have a lot of protection in terms of anti-malware.
And in that case, typically that malware, what it did is it sort of focused on the machine
that it was running on.
It may encrypt it for ransomware, it may steal credentials,
banking trojans and whatnot we had.
Maybe it went out after a couple shares, network shares,
that were mounted on that machine,
but that even was sometimes more accidental.
Now, what we saw recently is that actually
what these attackers realized is,
hey, there are a lot of enterprises with good protection
that will not allow our macros in,
but every so often something slips through.
You know how it goes: the CIO or CEO who has an intern print out his email for him.
In that case, the intern, of course,
gets blamed for starting the macro,
but it's now being started on the corporate system.
So what this particular malware does is it checks,
am I running on an enterprise network?
And the way it figures that out is it checks if it is part of an Active Directory domain,
so a more managed network.
And if so, then it installs additional remote access tools,
in particular Cobalt Strike.
That sort of seems to be the tool of choice here,
or some variants or similar open source products
are then being used to sort of gain persistent access to the system.
What are your tips here then to prevent this sort of thing?
Well, to prevent it, first of all, if you are analyzing malware,
make sure that you also analyze it on a sandbox that is joined to an Active Directory domain
so you see the full behavior of it.
Of course, your standard anti-malware tools should take care of it.
They should find the macro. They should block it.
They're really sort of looking for the one system that slipped your central control. That's what they're looking for.
And what happens next then really is this command and control channel.
So this is one of those things where you really shouldn't just focus on prevention
by blocking these attachments,
but assume that one or two of them are slipping through.
So make sure you're also having detection in place
to identify compromised systems.
It really is remarkable how much of this is a numbers game.
That these folks are, they try to hit everybody with everything
and sort of see what sticks.
Yes, in part here, the problem is also the way the bad guys are organized.
These people that are sending you the malware,
you're probably already dealing with two organizations.
There's the one organization that really just provides the spam service, sending the emails.
And then there's the other organization
that is writing the malware.
But then they're essentially providing services
for other tiers of malicious organizations.
And they figured out that, hey, for a home system,
we'll encrypt the baby pictures and they'll pay us $100.
For the enterprise system, we'll hand it off to someone,
we sell access to that company
and they can probably make more money that way
and spend the time to really sniff around the network
and see what hurts the most.
Yeah, I mean, they're running like real businesses.
Yeah.
All right, well, Johannes Ullrich, thanks so much for joining us.
Thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Be sure to check out this week's Research Saturday and my conversation with Jason Passwaters from Intel 471 on bulletproof hosting, what it is and how to minimize impact, common BPH malware families and top BPH providers.
That's Research Saturday. Check it out.
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.
...comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.