CyberWire Daily - Trends in phishbait. Ransomware exploits vulnerable Exchange Servers. Purple Fox develops worm capabilities. Attacks on industrial production. Third-party risk. What's on your mind, crooks?
Episode Date: March 24, 2021
COVID-themed phishbait has shifted to vaccines. Notes on the ransomware exploiting vulnerable Exchange Servers. Purple Fox gets wormy. Sierra Wireless halts operations to remediate a ransomware incident. Notes on ICS vulnerabilities. More victims of third-party risk. Joe Carrigan looks at SMS security issues. Our guest is Ron Brash from Verve Industrial with takeaways from their 2020 ICS Vulnerabilities report. And what are the cybercriminals thinking? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/56
Transcript
You're listening to the CyberWire Network, powered by N2K.
COVID-themed phishbait has shifted to vaccines.
Notes on the ransomware exploiting vulnerable Exchange servers.
Purple Fox gets wormy.
Sierra Wireless halts operations to remediate a ransomware incident.
Notes on ICS vulnerabilities.
More victims of third-party risk.
Joe Carrigan looks at SMS security issues.
Our guest is Ron Brash from Verve Industrial with takeaways from their 2020 ICS vulnerabilities report and what are the cyber criminals thinking?
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, March 24th, 2021.
Palo Alto Networks' Unit 42 this morning released a report describing the ways in which cyber criminals are taking advantage of the COVID-19 pandemic.
The nature of the phishbait has shifted over the course of the pandemic. It began with come-ons for testing kits and personal protection equipment, moved on to government stimulus and relief programs, and now, in what one hopes is a sign of an approaching endgame, it's shifted to vaccine availability.
Their reliance on hurrying the victims with a sense of urgency is a familiar social engineering tactic. As the report says, quote, we found that at each step along the way, attackers have continued to change their chosen tactics to adapt to the latest pandemic trends in hopes that maintaining a timely sense of urgency will make it more likely for victims to give up their credentials.
The criminals are now exploiting confusion and concern over vaccine availability and vaccination scheduling. As is so often the case, much of the phishing is angling for the victims' credentials.
Along with some specific recommendations for defense, Unit 42's general advice is individuals should continue to exercise caution when viewing any emails or websites claiming to sell any goods or services or provide any benefits related to COVID-19. If it seems too good to be true, it most likely is. Employees in the healthcare industry in particular should view links contained in any incoming emails with suspicion, especially from emails trying to convey a sense of urgency.
DearCry and Black Kingdom ransomware continue to be deployed against vulnerable Microsoft Exchange servers, but the execution is slovenly, suggesting that even for criminals, haste makes waste.
Wired notes that DearCry's relative lack of sophistication renders it a less dangerous threat. It's a bare-bones operation, pretty retro by today's prevailing ransomware standards. No command and control server, and no automated countdown timers. It uses, instead, old-school human interaction to hustle its marks.
It lacks obfuscation, and it even engages in some self-jamming, encrypting files that make it difficult or even impossible for the victim to operate their computer, even if the victim wants to pay the ransomware.
So the DearCry hoods seem to have been better at jumping aboard the vulnerabilities exposed and exploited by Hafnium than they were at writing good, by which we mean bad, ransomware. Still, there's a risk associated with DearCry, and it's also the case that the operators could learn and evolve their tools into more effective forms. That's already happened with another ransomware strain.
The operators of Black Kingdom ransomware, first seen active last summer, have also taken note of the opportunity unpatched Exchange servers present criminals. The Record reports that Black Kingdom's kickoff of its own operations against Exchange servers was also, in some respects, sloppy. They'd failed to encrypt victims' files.
By yesterday, however, Black Kingdom had rectified their mistake, Sophos reports.
Guardicore describes Purple Fox, an active malware campaign targeting Windows machines.
It's backed by an extensive infrastructure, and it includes a rootkit with worm capabilities.
Guardicore wrote, quote,
Throughout our research, we have observed an infrastructure that appears to be made out of a hodgepodge of vulnerable and exploited servers
hosting the initial payload of the malware, infected machines which are serving as nodes of those constantly worming campaigns,
and server infrastructure that appears to be related to other malware campaigns.
In a Form 6-K filed yesterday with the Securities and Exchange Commission, Sierra Wireless disclosed that on March 20th, it discovered a ransomware attack that led it to suspend manufacturing.
The company believes only internal systems were hit,
with customer-facing products and services unaffected.
For its part, Honeywell, which had also suspended operations
after sustaining an unspecified cyber attack,
announced yesterday that it had resumed normal operations.
CyberScoop says that Honeywell has remained tight-lipped about the incident.
It's not known, for example, whether the attack the company sustained involved ransomware.
The U.S. Cybersecurity and Infrastructure Security Agency yesterday released six advisories on industrial control systems.
Claroty published its own research on one of those advisories, the one affecting Ovarro TBox, which the researchers believe illustrates the risks of connecting unprotected control systems to the internet.
Such unprotected control systems are readily discoverable through Shodan searches.
Federal News Network reports that the third-party breach that affected AFCEA this week has also affected another organization that used the compromised Spargo conference registration software.
The U.S. Geospatial Intelligence Foundation has also notified individuals whose data may have been compromised in the incident.
And finally, suppose you were a criminal working in cyberspace.
Not that you are or would ever be, of course, but just suppose.
You'd want to avoid getting caught, right?
Sure you would.
Anywho, in the spirit of jailhouse lawyering and age-old traditions of master-apprentice mentoring,
cybercriminals are offering advice to one another about how to avoid getting collared.
The security firm Digital Shadows, and we hasten to add that they're the good guys here, not the crooks,
says it got interested in how the underworld views its relations with law enforcement.
Do they worry about being arrested?
Does the prospect of getting caught deter them?
Digital Shadows snooped its way through various online underworld communities
and found a lot of chatter about the importance of separating your criminal online identity
from your in-real-life physical personal kinetic identity.
The identity that brings home beer, for example, that will take a shower every now and then.
A lot of that discussion seems folkloric as opposed to technical.
The crooks also advise each other to be cautious in their dealings.
You can't have friends in the darknet, one representative comment said.
That's tough because, of course, most crime involves some sort of collaboration,
but cooperation with other crooks also brings risk.
A catch-22, Digital Shadows observes.
A theme in Russophone circles is to avoid hitting victims in the near abroad, that is, in former Soviet republics. Go after the British and the Americans and you're jake, but mess with the near abroad, and especially with Russians, and you'll wind up in the slammer.
This advice has been tempered recently by the Ukrainian authorities' recent arrest and prosecution of criminals who thought they enjoyed a degree of immunity.
And once you've embarked on your life of crime, forget about foreign travel, except maybe to places that don't have a lot of extradition treaties in place.
That's a downer for vacation plans, because after all, there's only so much to do in Transnistria.
There's other advice on what to do when the cops show up, what to expect from prosecutors, and what the realities of prison life might be.
The hoods have a lot of worries. So, fellow youths, the best advice is to stay in school and stay on the straight and narrow.
If you don't, you'll break your mother's heart.
Verve Industrial are providers of OT and ICS security services,
and they recently published their ICS advisory report.
Ron Brash is Director of Security Insights at Verve Industrial.
These advisory reports are a bit of a table stakes, I think, in the industry nowadays. I think every vendor and their grandmother is producing one. But why we chose to do it and to do it in a slightly different way is I came from an embedded systems engineering background.
And one of the reasons that we wrote it and we wrote it the way we did was we don't believe that, you know, CVEs and CVSS scores and all that stuff are perfect, and they're definitely not perfect in OT.
But what we wanted to do is to look at the advisories and add more nuance to the discussions, right? For example, you know, we had 200, there was actually slightly more, but we honed it in a bit, but there were 248 advisories in 2020, which was up something like 50% from the year before.
But we wanted to talk about it in a different way, right?
You know, how do you identify that an advisory is referring to third party code or supply chain problems?
How do you talk about all those other devices that don't have advisories,
but should have advisories? How do you talk about it from multiple perspectives? You know,
there's the asset owner perspective, then there's the cybersecurity professional, if you will.
And then there's just the sheer looking at it of which vendor might be better than another or not.
So there's multiple perspectives there. And we tried to put all that into something cohesive.
And I think it turned out pretty good.
Well, let's go through some of the details together.
I mean, what are some of the things from the report that stood out to you?
Well, interestingly enough, if you look at just the sheer number of advisories, 36 both in 20, the ones that I just identified on an initial analysis, 36 out of the 248 were supply chain related. And that number coincides with 2019 by sheer fluke.
Now, again, this is a thumb in the wind strategy, but that stood out to me because of those 38 supply chain, you know, related vulnerabilities and products or those advisories, that accounted for something like 17 or 18% of all of the vulnerabilities out there.
And for me, that was the main point that we were trying to make across is, you know, you thought SolarWinds was bad?
Well, wait till you start looking at software build materials and stuff like that, which will be part of the solution.
But that was probably one of the most surprising things there.
Is there a general, I don't know, lack of visibility when it comes to ICS security?
Well, yes, yes and no. I think there's a lot of awareness on vulnerabilities these days because cybersecurity is an Ouroboros, a snake eating its own tail, right? So you have multiple agendas competing for marketing FUD and generating all sorts of awareness for their own purposes, right? Because it increases their bottom lines.
That's not what we try to do at Verve. And the company is not like that. And I'm not like that.
But for right or wrong, there has been increased visibility on these things because of things like the Treck IP stack or Urgent/11. We call those, or even like Heartbleed, for example, if you look at the IT world problems, those are what we call branded vulnerability families. And often they have very overreaching claims. But well, fortunately and unfortunately, fortunately, they get to the boards of large companies, which means that there's awareness at the top of the company, which is good. Nobody was doing that before. Same with ransomware.
But the bad is, is that determining whether or not those vulnerabilities are in products is a very, very nuanced discussion. For example, I always say, I always quote this: the presence of vulnerability does not mean exploitability. So there's awareness of the top level organizations. But when it comes to knowing what's inside of your products and then what to do about them, we're really off the mark there.
That's Ron Brash from Verve Industrial.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute
and also my co-host on the Hacking Humans podcast.
Hey, Joe, good to have you back.
Hi, Dave.
We had this article come by from Vice written by Joseph Cox,
and this is titled, A Hacker Got All My Texts for $16.
This one's been making the rounds, and I wanted to check in with you on it.
I mean, this is the kind of thing that we talk about over on Hacking Humans,
these potential issues with SMS.
So describe to us what's going on here and give us your take.
So if anybody who's been a longtime listener to this show has heard me talk many times about multi-factor authentication and how you should use multi-factor authentication and the most secure form that you can, wherever you can use it.
Unfortunately, the most common form of multi-factor authentication is also the least secure, at least the most common form that I've found in my experience, right?
And that is authentication via SMS message.
And there are a number of issues with it.
You can be the victim of a SIM swapping attack,
which is where someone calls into your mobile provider
and assigns your account to a new SIM,
which is the little device in your phone
that identifies your phone to the telephone network.
Right.
They can also use it for social engineering
or via social engineering.
They can get the code out of you,
which is also something that is true
with other like pre-shared keys,
pre-shared secret keys.
But this new attack actually doesn't require a lot of that.
We don't really know if it's a new attack, actually.
That's one of the things this article says is this has been a capability for a very long time.
And what Joseph Cox is talking about is for $16, you can sign up with a company for a new service that allows text messages to be redirected to a new location. And they ask you to fill out this letter of authorization, right? But in order to fill out the letter of authorization, there's really not a lot of security checks on it.
You can put in fake information, and this company, this hacker who called himself Lucky225, who works with a company called Okey Systems, was able to do this for buying a prepaid plan for $16 a month.
And he was able to transfer all the texts that came from Joseph's providers to him.
And Joseph got no notification of this.
There was no authorization.
There was no, first, let me send a text to your existing phone.
And let me make sure this is okay with you.
Right?
There was none of that.
It was just like, okay, we started sending it.
And the phone was still connected to the T-Mobile network, which is really scary.
So this is just another attack on this SMS two-factor authentication.
Now, of course, the question comes that everybody's going to ask and ask me in particular, because I'm still an advocate for this.
Should I continue to use SMS multi-factor authentication? And I still say, yes, if that's the best that you can get from the institution you're dealing with or from the website you're dealing with. If they offer anything else, now is the time to move on, right?
Yeah, right. So it's way better than nothing.
Right. But there are things that are way better than it.
Right, exactly, exactly.
Yeah.
And it's going to be way better than nothing, especially with this attack,
because there is a cost associated with this attack.
So this attack is not scalable, right?
Like credential stuffing is scalable.
I can take a million credentials and try them on a million websites,
and I can automate that and do that.
But I can't go out and perform this attack on a million people without $16 million,
which I may not be willing to spend. I'm sure I can do it for less, actually.
But there's some limit to this. There's got to be some limit to this as well with the companies
that provide these kinds of services. Yeah.
And the company who's mentioned in this article, as Joseph Cox points out, they say that they've cracked down on this.
Since it was pointed out to them, they've made it more difficult to do.
So that's good.
But the article also points out they're not the only company who does this.
Right.
And there are some companies, I get the feeling out there, that might be doing this with a wink and a nod, right?
Yeah, we get it.
Right.
Yeah.
Right, right, right.
And I think the bigger issue here, which is something that drew the attention of Senator Ron Wyden, is that he says that the FCC needs to crack down on this sort of thing.
That things are too loosey-goosey when it comes to SMS, that the companies are even capable of doing this sort of thing.
That's a problem, and it's a long time coming. It's been way too long since the FCC took a closer look at this, from Senator Wyden's point of view.
I would agree with that 100%.
Maybe this will draw some attention to it.
Yeah, I hope so.
I hope so.
And I hope that the FCC is paying attention.
I hope that they are thinking about putting in some new regulation that makes this more difficult.
And I don't like the idea
that somebody can just pay another company 16 bucks
to take all my text messages.
And I really don't like the idea
that that can happen without me getting any notification or any way for me to find out.
At least with a SIM swapping attack, my phone stops working, right?
Right, right.
I can look at my phone and go, hey, something's wrong.
Right.
But this, you get none of that.
You just stop receiving texts.
Yeah, it's an interesting revelation for sure.
Again, it's over on the Vice website written by Joseph Cox.
It's titled, A Hacker Got All My Texts for $16.
Joe Carrigan, thanks for joining us.
My pleasure, Dave.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
It's the pause that refreshes.
Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.