CyberWire Daily - Trojan Source--a threat to the software supply chain. Ransomware goes to influence operations school. Triple extortion? Criminal target selection.
Episode Date: November 2, 2021
Researchers describe Trojan Source, a hard-to-detect threat to the software supply chain. A ransomware gang takes a page from the information operator's book. From double extortion to triple extortion, as other ransomware gangs add distributed denial-of-service to encryption and doxing. Criminals are now hacking on material, non-public information, the FBI warns. Joe Carrigan looks at multifactor adoption at Twitter. Our guest is Steve Ragan from Akamai on API security. And criminals hit healthcare providers in Newfoundland. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/211
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout.
Researchers describe Trojan Source, a hard-to-detect threat to the software supply chain.
A ransomware gang takes a page from the information operator's book. From double extortion to triple extortion,
as other ransomware gangs add distributed denial of service to encryption and doxing.
Criminals are now hacking on material non-public information, the FBI warns.
Joe Carrigan looks at multi-factor adoption at Twitter. Our guest is Steve Ragan from Akamai on API security.
And criminals hit healthcare providers in Newfoundland.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, November 2nd, 2021.
Researchers from the University of Cambridge have described a new attack method they're calling
Trojan Source. The method abuses
Unicode. The researchers explain, quote, rather than inserting logical bugs, adversaries can
attack the encoding of source code files to inject vulnerabilities. These adversarial encodings
produce no visual artifacts, end quote. Trojan Source places bidi override characters into comments and strings,
from where they're moved into source code in ways that compilers accept and that will appear
unproblematic to human reviewers. The method amounts to a software supply chain vulnerability.
The researchers, both affiliated with Cambridge, write in their abstract, quote,
we present a new type of attack in which source code is maliciously encoded
so that it appears different to a compiler and to the human eye.
This attack exploits subtleties in text encoding standards, such as Unicode,
to produce source code whose tokens are logically encoded in a different order
from the one in which they are displayed,
leading to vulnerabilities that cannot be perceived directly by human code reviewers.
Trojan Source attacks, as we call them, pose an immediate threat both to first-party software
and of supply chain compromise across the industry.
We present working examples of Trojan Source attacks in C, C++, C#, JavaScript, Java, Rust, Go, and Python.
End quote.
The ability Trojan Source has to affect software written in a broad range of languages is noteworthy.
The researchers think compiler-level defenses will be important,
and they also describe mitigations that can be used in editors, repositories, and build pipelines
until compilers are effectively upgraded to deal with the risk.
Krebs on Security summarizes a few experts' reactions.
Some are surprised by how readily compilers will uncritically parse Unicode.
The potentially malicious code also persists through copying and pasting,
and that, of course, is a common
developer's practice. Fixes to compilers will be required to foreclose the possibility of
Trojan Source attacks. Among other things, the researchers' paper affords what Krebs calls
a fascinating case study on the complexities of orchestrating vulnerability disclosure.
When the researchers began notifying software firms
whose products were affected,
they offered a 99-day embargo on public disclosure
to give the firms an opportunity to address the issue.
They described the reception they received,
quote,
We met a variety of responses ranging from patching commitments
and bug bounties to quick dismissal and references to legal policies.
Of the 19 software suppliers with whom we engaged,
7 used an outsourced platform for receiving vulnerability disclosures,
6 had dedicated web portals for vulnerability disclosures,
4 accepted disclosures via PGP-encrypted email,
and 2 accepted disclosures only via non-PGP email. They all confirmed receipt
of our disclosure, and ultimately nine of them committed to releasing a patch, end quote.
So the moral with respect to coordinated vulnerability disclosure is that it's complicated,
as the kids say about their relationship status in social media.
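The editor- and pipeline-level check the researchers recommend, written here as an added example (it is not code from the episode or from the Cambridge paper): a small Python scanner that reports every Unicode bidirectional control character in a source file, and separately flags lines on which an override or isolate is opened but never closed before the line ends, which is the pattern that lets a comment or string literal swallow real code while the rendered text looks harmless. The sample input is constructed for the demonstration.

```python
import sys
import unicodedata
from typing import List, Tuple

# Unicode bidirectional formatting characters. Trojan Source hides reordered
# tokens inside comments and string literals by wrapping them in these.
BIDI_OPENERS = {
    "\u202a",  # LEFT-TO-RIGHT EMBEDDING
    "\u202b",  # RIGHT-TO-LEFT EMBEDDING
    "\u202d",  # LEFT-TO-RIGHT OVERRIDE
    "\u202e",  # RIGHT-TO-LEFT OVERRIDE
    "\u2066",  # LEFT-TO-RIGHT ISOLATE
    "\u2067",  # RIGHT-TO-LEFT ISOLATE
    "\u2068",  # FIRST STRONG ISOLATE
}
BIDI_CLOSERS = {
    "\u202c",  # POP DIRECTIONAL FORMATTING
    "\u2069",  # POP DIRECTIONAL ISOLATE
}
BIDI_CONTROLS = BIDI_OPENERS | BIDI_CLOSERS

Finding = Tuple[int, int, str]  # (line, column, Unicode character name)


def find_bidi_controls(text: str) -> List[Finding]:
    """Report every bidi control character with its 1-based line and column.

    Source code essentially never needs these characters outside of
    human-language string literals, so any non-empty result deserves review.
    """
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, unicodedata.name(ch)))
    return findings


def unterminated_overrides(text: str) -> List[int]:
    """Lines on which an embedding/override/isolate is opened but not closed.

    The bidi algorithm resets at a line break, so an unclosed opener is exactly
    the shape that lets a comment or string reorder real code on the same line.
    """
    bad_lines: List[int] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        depth = 0
        for ch in line:
            if ch in BIDI_OPENERS:
                depth += 1
            elif ch in BIDI_CLOSERS and depth > 0:
                depth -= 1
        if depth > 0:
            bad_lines.append(lineno)
    return bad_lines


def scan_file(path: str) -> List[Finding]:
    """Scan one source file; decoding errors are replaced rather than fatal."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_bidi_controls(fh.read())


# Constructed sample: a C comment that opens a right-to-left override and two
# isolates, so the logical token order differs from what an editor displays.
SAMPLE = (
    "int main() {\n"
    "    /* \u202e } \u2066if (isAdmin)\u2069 \u2066 begin admins only */\n"
    "    return 0;\n"
    "}\n"
)

if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:  # no arguments: scan the built-in sample
        for line, col, name in find_bidi_controls(SAMPLE):
            print(f"sample:{line}:{col}: {name}")
        print("unterminated on lines:", unterminated_overrides(SAMPLE))
    for path in paths:
        for line, col, name in scan_file(path):
            print(f"{path}:{line}:{col}: {name}")
```

Run it with no arguments to see the sample's findings, or pass file paths to scan a checkout; a pre-commit hook that fails on any finding is the simplest way to keep such characters out of a repository.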
Ransomware gangs continue to evolve their tactics.
The Daily Beast reports that the Grief Gang has sought to ratchet up the pressure on the National Rifle Association,
recently one of the gang's victims,
by amplifying the threat of leaks with an army of Twitter bots created in August and September.
The bots have the usual hallmarks of inauthentic accounts. They appeared at about the same time. They neither follow anyone nor are they followed
by anyone. And they're focused on retweeting news about compromised NRA accounts. And naturally,
a large fraction of their posting is written in what the Beast calls stilted English, which we take to mean a dialect of Shadow Brokerese, that commonplace criminal lingua franca. It's a familiar
information operator's technique, and in this case it appears to be applied for criminal effect,
although of course an unstated political motive might be present as well. Some of the trollbots
are also tweeting about gun violence and the alt-right,
which suggests a possible interest in general disruption.
Still, it appears an effort to make the victim's seat even warmer.
An FBI alert issued Friday warned that the Hello Kitty ransomware gang,
also known as the Five Hands, had added a third threat, distributed denial of
service attacks, to the now-familiar double extortion threat of encryption, followed by
the threat of doxing. The Bureau warns, quote, The FBI first observed Hello Kitty Five Hands
ransomware in January 2021. Hello Kitty Five Hands actors aggressively apply pressure to victims, typically using the double extortion technique.
In some cases, if the victim does not respond quickly or does not pay the ransom,
the threat actors will launch a distributed denial-of-service attack on the victim company's public-facing website.
Hello Kitty Five Hands actors demand varying ransom payments in Bitcoin that appear tailored to each
victim, commensurate with their assessed ability to pay it. If no ransom is paid, the threat actor
will post victim data to the Babuk site or sell it to a third-party data broker, end quote. So,
distributed denial of service continues to enjoy its continuing mild comeback, and double extortion,
encryption plus data theft and the threat of exposure, may be evolving in the direction of
triple extortion: encryption plus doxing plus DDoS. The FBI also warned yesterday of a ransomware
attack that's familiar but remains prominent: gangs time their attacks to coincide
with significant events. We're accustomed to seeing attacks timed to hit over holiday weekends,
for example, when victims' guards are thought likely to be lower, but in this case the noteworthy
events are financial ones. Quote, the FBI assesses ransomware actors are very likely using significant financial events,
such as mergers and acquisitions, to target and leverage victim companies for ransomware infections.
Prior to an attack, ransomware actors research publicly available information,
such as a victim's stock valuation, as well as material non-public information.
If victims do not pay a ransom quickly, ransomware actors will
threaten to disclose this information publicly, causing potential investor backlash. End quote.
The Bureau's description of the way these operations work is interesting, and it tells
a story that makes sense with respect to the increased complexity of the criminal-to-criminal
market. It begins with reconnaissance, probably conducted by an initial access broker,
who will select the right targets to offer the right criminals.
The inspiration for the financial event approach seems to have been provided by a ransomware actor
who, in 2020, encouraged participants in the Russophone hacking forum Exploit
to use information from the NASDAQ to lend vigor and urgency to their
scams. Soon thereafter, quote, unidentified ransomware actors negotiating a payment with
a victim during a March 2020 ransomware event stated, we have also noticed that you have stocks.
If you will not engage us for negotiation, we will leak your data to the NASDAQ and we will
see what's going to happen
with your stocks, end quote. Among the gangs that have adopted the approach of extortion based on
material non-public information was DarkSide. Others can be expected to follow suit. From the
criminal's point of view, there's very little downside. And finally, lest anyone be inclined to take the high-minded assurances the gangs often
tender in their communiques, the Robin Hood schtick they cop when they claim to respect the public
good and avoid hitting targets whose disruption would actually hurt people like, oh, say, hospitals
or health care providers, there's this news from Canada. Reuters reports that an apparent ransomware
attack detected Sunday has disrupted healthcare management services in the province of Newfoundland.
The incident has forced cancellation of some appointments, and the Niagara Falls Review says
that healthcare providers in the province have temporarily reverted to paper records.
The effects seem more inconvenient than deadly,
but still, it's worth bearing in mind
the next time a gang talks about how they carefully distinguish
legitimate from illegitimate targets.
Phooey.
These aren't targeteers interested in following the rules of war.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies
like Atlassian and Quora have continuous visibility
into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home.
Black Cloak's award-winning digital executive protection platform secures their personal
devices, home networks, and connected lives. Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Security firm Akamai recently released the latest version of their State of the Internet report, with this round focusing on the security of APIs.
Steve Ragan is a security researcher at Akamai, and he joins us with highlights from the report.
Over the last 10 to 15 years, we've gotten really good at strengthening application development, SDLCs and things like this. But when you look at
modern web applications and compare them to like API focused applications, you see that the API
stuff is sort of not regressing, but they're experiencing the same growing pains that web
applications did years ago. It's like history repeating itself. And that became very clear
when you looked at like the Spring Boot applications that we
examined in the report. We're talking hard-coded credentials, SQL injection vulnerabilities,
cross-site scripting, configuration problems, just all the stuff we saw with web apps years ago.
You're seeing it now in API development.
It's growing pains.
It's nothing that can't be fixed.
And so we explored that.
That was one of the big highlights for me personally as I was writing the report.
The other thing that stood out
was watching the criminals target APIs
and the way they were going about it.
So I highlighted one instance in the report,
and Twilio is the name of the application.
Really popular service for developers.
Well, what the criminals are doing is they're scanning the web
and looking for the configuration files.
And in a lot of these files,
you'll find the necessary API key and credentials.
The criminal gets a hold of that.
They take your access and use it for their gain, which is very, very bad if you consider
that it's used for text messaging and email communications, things like that.
So that was another standout for me.
And what are the take-homes here in terms of recommendations based on the information that you
all have gathered? So one of the big, big take-homes for me, and we highlighted this when it came in,
is organizations need to not only know what their APIs are, like what they're using and how they're
using them, they need to make sure that they can find all of them in their organization. So track them, find them down and, you know,
figure out where they are and how they're being used. Because a lot of organizations have had
incidents involving APIs and they weren't even aware the API existed. So that's a problem.
And then you look at, you know, now that you know where they are, test them.
Understand, you know, are there any vulnerabilities with the API connector itself?
Are there any vulnerabilities within the application that's leveraging the API?
Test that stuff.
You know, there's plenty of tools in the market and education available for developers.
Take advantage of it.
And then, of course, when it comes to the overall picture, leverage your existing WAF infrastructure and identity management stuff alongside any of your API security offerings.
And what I mean by that is tie it all together. If you're using single sign-on or really lockdown
access management at your organization or for your
customers, make sure you tie that into all of your mobile apps or your web-based apps leveraging APIs.
Because what criminals will do is they look for those gaps and they look for those weaknesses,
and they start to focus on that for exploitation. You mentioned at the outset that this report
was the result of a collaboration.
And it strikes me that I'm seeing more and more of that in the security world, that people are reaching out to, you know, colleagues and sometimes even competitors to try to come up with better insights than they'd be able to get on their own.
Absolutely. And that's the way it should be. And it should have been like that from all along.
So obviously Akamai is a security company. We're never going to back away from that. But our overall reaching goal,
and this is the same for a lot of companies in the space and a lot of security professionals,
we just want to make the world safer. We want to make the world better, more secure. We want to
see people learn. We want to educate. And if that means, you know,
collaboration between competitors or collaboration between, you know, companies operating in the same
space or in some cases, different areas of the security industry, then that's what needs to
happen. You know, we are not shy about making sure that, you know, we work with the best. And that was, you know, one of my boss's goals when we started developing the SOTI for this year: to try and get collaboration.
Earlier this year, we worked with another company, WMC Global, to produce a financial
services report that literally, you know, we used our phishing data and cred stuffing data,
and we used their phishing data and cred stuffing data, and we created a really comprehensive report on it.
It's something I think needs to happen more. I'm quite happy we're able to do these types of team...
Thank you.
...businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization
runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep
your company safe and compliant.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
Interesting blog post came from the folks over at Twitter.
This is written by Nick Fohs and Nupur Gholap.
They are both senior-level folks at Twitter.
And this is right up our alley for stuff we cover over on Hacking Humans.
It's titled, How We Rolled Out Security Keys at Twitter.
Really interesting insights behind the scenes
of what they did here, Joe.
Can you share some of the details with us?
Yeah, a couple things.
Number one, they're letting users use security keys,
multiple security keys now.
Right.
Which is good because when I tell people
to adopt a security key like a Yubico or a YubiKey
or a Google Titan or whatever it is,
they all use the same algorithm. It's an open algorithm from, or architecture actually, from the FIDO network,
or FIDO Alliance rather. And I tell people, buy two of these things in case you lose or damage
one of them, right? Because that way you'd be locked out of your Twitter account and getting
support from Twitter for this, I imagine would be like screaming into the void. You'd never hear
back. So use two and they're letting you do that now at Twitter. But interesting about this blog
post, they talk more about the rollout of these keys internally. Because last year, you remember
the Twitter hack that happened last year. Yeah. The reason that was possible was because the
attacker socially engineered one of their internal people to give up a multi-factor authentication code
that was sent via SMS.
Right.
Right?
And even if you were using a different kind of code,
like the time-based codes,
you know, these numbers on the apps that we have,
like Google Authenticator or Microsoft Authenticator
or whatever,
that's still susceptible to being asked for.
Right.
Somebody can call you and ask for it, and people could give it up.
So we say SMS is the least secure, and if it's the only one you have, the only option
you have, you should still use it.
Yeah.
Don't disregard it because it's not as secure as anything else.
Way better than nothing.
It's way better than nothing.
Right.
But it's a lot worse than using a security key.
Yeah.
Right?
And Twitter has this great blog post about their process of rolling these things out internally so this doesn't happen.
They selected YubiKey 5s, the NFC and the 5C NFC, which are both USB and near-field communication.
So you can use them on your computer or you can use them on your phones if you have NFC on your phones,
which most phones have. So the majority of this blog post talks about how they did this,
what their process was for doing this. First, they selected a model and they went with the Yubico,
the YubiKeys. Then they actually had to go and buy these devices, and they had to buy 5,500 of them.
Right. Some sales agent at Yubico had a good day that day.
Actually, I'm sorry.
They didn't have to buy.
They had to buy them for 5,500 users, and they bought two of them for each user.
Right.
Okay.
So they sold 11,000 of these things.
Wow.
And then Yubico helped them with shipping.
Yeah.
Then they added the security key to the internal support systems so that people could register their keys.
And then they let people register their keys, and then eventually they flipped the switch so that you
would no longer be able to use the old SMS means of authenticating. Right. And I think it's also
worth emphasizing here that they switched to these keys and only these keys for internal use. You
could no longer use the legacy types of multi-factor.
If you're a Twitter employee now,
you have to use YubiKey.
Right.
Right?
Which is great, I think.
Yeah.
They will never have an attack
that happened the same way it did last time again.
That will never happen to them
because there is no way to call somebody
and ask for a code out of this thing.
It just doesn't work that way.
The next attack is going to have to be different of some kind if it's going to be successful.
Yeah.
They did have some great lessons learned here.
Anticipate global shipping challenges was one of the things.
Yeah.
So make sure that you have that in your plan.
Leveraging built-in keys, which are, there are things on your phones,
like usually your, like Apple's touch ID and face
ID and Android's built-in security key that will actually let you do a workaround. I've actually
disabled password authentication on my Microsoft account. I use the Microsoft Authenticator app now
on my phone to authenticate into my Microsoft account. However, I think that is also susceptible
to social engineering attacks
as well. Somebody could just call me up and say, hey, Joe, go ahead and push that button. I'm about
to log in. I mean, it would obviously require a whole lot of subterfuge, but it still works.
Another thing they say is track enrollment, right? The last thing you want to do
is flip that switch and lock out maybe half of your employees. Right. Right.
So track enrollment, encourage enrollment,
and anticipate support needs, of course.
And this is interesting.
I found this.
This is the last thing they talk about under Lessons Learned.
Encourage wider use.
They actually made it clear to the employees that these YubiKeys were theirs to keep.
So essentially, they're giving people two YubiKeys.
And they're saying, use these and use them everywhere.
And this is fine because once these people leave,
Twitter can invalidate the keys and secure the login.
There's not a security risk here,
as long as they properly maintain the login credentials, right?
Right.
Which is part of any exit process for employees that exist regardless.
But it's great that they're just giving the people and saying, use these everywhere.
And you're going to have to become accustomed to using it at your job.
And once you're accustomed to using it at your job, you understand the workflow, you're
off to the races.
Right.
And if somebody has it in hand as they're signing up for new things, I think it's more
likely for them to check and say, oh, can I use this hardware key instead of nothing at all or whatever.
So just having that convenience of putting those out into the world seems like a good thing.
Agreed.
Yeah.
Yeah.
All right.
Well, as you mentioned, a really interesting article.
And hats off to these folks at Twitter for sharing this with the rest of the world.
I think there's some valuable lessons here.
All right, Joe Carrigan, thanks for joining us.
My pleasure, Dave.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karpf,
Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin. Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.