CyberWire Daily - Updates on the Colonial Pipeline incident, and other ransomware incidents. A watering hole for water utilities. Credential harvesting, cryptojacking, and banking Trojans.
Episode Date: May 19, 2021
Colonial Pipeline corrected yesterday's IT glitch, and its CEO explains the decision to pay the ransom. A rundown of recent ransomware activity. A watering hole for water utilities? Credential harvesting and cryptojacking in the cloud. A banking Trojan spreads from Brazil to Europe. Joe Carrigan looks at keyboard biometrics. Our guest Dotan Nahum from Spectral on shifting left in security development. And the metaphysics of attribution. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/96 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Colonial Pipeline corrected yesterday's IT glitch,
and its CEO explains the decision to pay the ransom.
A rundown of recent ransomware activity,
a watering hole for water utilities,
credential harvesting and cryptojacking in the cloud,
a banking trojan spreads from Brazil to Europe,
Joe Carrigan looks at keyboard biometrics,
our guest Dotan Nahum from Spectral on shifting left in security development, and the metaphysics of attribution.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, May 19th, 2021.
After a brief disruption caused by an IT problem yesterday,
Colonial Pipeline tweeted that it had quickly resumed full service and that the
brief interruption was not the result of a cyber attack. The company said, quote,
our internal server that runs our nomination system experienced intermittent disruptions
this morning due to some of the hardening efforts that are ongoing and part of our restoration
process. These issues were not related to the ransomware or any type
of reinfection, end quote. Colonial's CEO Joseph Blount confirmed to the Wall Street Journal that
he did authorize payment of $4.1 million in ransom to the company's extortionists. The urgency of
restoring service combined with the company's uncertainty about how extensively its systems had
been compromised drove the decision. He acknowledged that deciding to pay the ransom was difficult,
that he knew the decision would be controversial, but he judged the situation analogous to the
challenge of restoring service after a natural disaster, like a Gulf hurricane. In this case,
however, the disruption was more widespread than what the company usually sustains in a hurricane.
Elliptic, which identified a Bitcoin crypto
wallet used by DarkSide, puts the ransomware gang's take at somewhat more than $90 million.
On the average, victims paid $1.9 million. They were able to track payments made from 47 wallets. DarkSide
has claimed 99 successful attacks, which suggests that about half the organizations hit made some
payment. At noon today, security firm eSentire published an overview of six ransomware groups'
activities. Ryuk had 63 new victims this year. Sodinokibi, also known as REvil, had 52. DoppelPaymer came
in at 59 new victims. Clop had 35. DarkSide, who are relatively new but high profile, had 37
victims this year. And Avaddon had 47 victims so far in 2021. eSentire writes, quote,
the high level of activity carried out by these six
ransomware groups has certainly given the TRU team pause. If these threat groups are to be believed,
they are wreaking havoc against many more entities than the public realizes, end quote.
Industrial security specialists at Dragos have an interesting account of a watering hole that
appears to have some circumstantial temporal connection to the incident at the Oldsmar, Florida, water utility.
Hosted on a water infrastructure construction company site, the watering hole did not seem to compromise or deliver malware to the utility's control systems,
instead collecting legitimate browser data for the purpose of improving the botnet
malware's ability to impersonate legitimate web browser activity.
Security firm Trend Micro's description of TeamTNT's operation offers an interesting
kill-chain description of a credential harvesting campaign against cloud services.
Trend Micro wrote, quote, credentials stored in plain text serve as a goldmine for cybercriminals,
especially when used in subsequent attacks.
Harvested FTP credentials, for example,
could lead to old-school website hacking or credential modifications,
followed by ransom demands in exchange for access or data restoration.
The same goes for vulnerabilities,
especially those in unpatched and otherwise unsecured Internet-facing systems. Also active in the cloud are cryptojackers.
The Record reports they're abusing free tiers of cloud services.
It's a pretty obvious scam, really, the sort of thing that might well occur to some teenagers with too much time on their hands. The report says, quote, gangs have been operating by registering accounts on selected
platforms, signing up for a free tier, and running a cryptocurrency mining app on the provider's free
tier infrastructure, end quote. Obvious, of course, doesn't mean ineffective, but what follows can be
easily managed, quote, after trial periods or free credits reach their limits, the groups register a new account
and start from the first step, keeping the provider's servers at their upper usage limit
and slowing down their normal operations. End quote. Kaspersky researchers report that the
Bizarro banking trojan has spread from Brazil to targets in Spain, Portugal, France, and Italy.
Bizarro may be using social engineering to induce its victims to install an app that ultimately compromises their banking information.
Bleeping Computer says that a new version of MountLocker ransomware is spreading through Windows Active Directory APIs.
Its propagation is worm-like, and the gang that's distributing it has operated as a ransomware-as-a-service
affiliate scheme, with the gang itself keeping a relatively low, by criminal standards,
20-30% of the take. In March of this year, a new group, AstroLocker, surfaced to deploy a new version of MountLocker.
AstroLocker described themselves as in an alliance with the MountLocker gang.
Attribution of cyberattacks to specific criminal groups is the last refuge of metaphysics and
security, if only because identity conditions for gangs are notoriously slippery and protean.
How do you recognize the same gang when it shows up again?
Defense One points this out in the case of DarkSide,
the group generally regarded as the one behind the Colonial Pipeline attack.
The authors, both from RAND, note that, among other things,
it would be unwise to accept DarkSide's self-presentation as apolitical.
Cyberspace is no stranger to fronts, false flags, cutouts, and other forms of misdirection.
KrebsOnSecurity notes some evidence of, at the very least, a desire on the part of DarkSide
to avoid getting on the wrong side of the Russian organs.
Quote, DarkSide, like a great many other malware
strains, has a hard-coded do-not-install list of countries which are the principal members of the
Commonwealth of Independent States, former Soviet satellites that mostly have favorable relations
with the Kremlin, end quote. More to the point than friendly relations with Moscow, which a number of the former Soviet republics decidedly do not enjoy,
is the kind of linguistic slop that could facilitate collateral damage to Russian organizations.
Better to avoid anyone using Cyrillic characters.
And such damage is something a gang operating at the sufferance of the Kremlin,
even if not working under state direction, would in all cases
want to avoid. Cybereason finds DarkSide's claims to follow a high-minded Robin Hood-esque
code of ethics implausible. The gang's communiques suggest that they didn't mean to impose any
hardships on individuals, regular Janes and Joes in the line at the gas station.
If they are to be believed, all they saw
was another slow-moving wealthy target. They were pirates, they tell us, not privateers,
and certainly not a nation-state navy. And they are honest pirates who follow a code and thus
deserve some sympathy for this huge but honest mistake. Like Hornigold and Every before them, DarkSide
wouldn't be the first criminal
organization to appeal to the sympathies of their victims by claiming that they follow a strict code
of ethics. It remains to be seen if it will work or if it's true. Semi-state-sanctioned crime may
not repeat itself through the ages, but it often rhymes. And finally, Sergei Naryshkin, director of Russia's SVR,
told the BBC that not only was Russia not behind the SolarWinds compromise,
but that, in fact, the American intelligence services were.
Probably.
And the British services, too.
It's the kind of thing the Anglophone powers would do.
Probably.
Mr. Naryshkin is flattered by the accusation that the SVR did it,
but such charges are not only false, but in his words, pathetic.
So there you go.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know
that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies,
access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Shift left is a phrase often heard applied to software development and software security.
But what exactly does it mean?
Dotan Nahum is the CEO and founder of Spectral, a code security company. And he joins us to help make sure that understanding shift left is something that we get right.
There's one thing I'd like to say is that history repeats itself.
So actually shift left isn't so new.
I mean, if you look at QA, which is quality assurance in software,
and we go back maybe 20 years.
That, as a profession, that has evolved.
So we used to ship software and we used to have this epic moment
where software was being tested in terms of for quality and looking for bugs.
And we had specialized personnel that were actually testing the software.
And there was this big event which we called GA
and we burned the software on a CD
and we shipped it to our customers that way.
Right, the golden master, right?
Yeah, yeah.
I mean, even the term is taken from there.
And then around 2001, there was like extreme programming,
you know, a movement led by Kent Beck,
which is, you know, a unit testing superstar.
And then unit testing was kind of introduced as a practice.
But you know what?
Just fast forward 20 years to today,
and today unit testing is very, very natural.
And manual testing is kind of awkward.
So that is kind of an evolution that happened in software.
And it's basically intuitive and we can all connect to that because we've all experienced bugs. So in that terms, shift left is how do we break this epic event
called testing security in production or getting an audit
or getting a pen tester, and how do we take that thing
and bring it toward the start of the development process.
So the actual term of shift left refers to moving it earlier in the process,
having it not be something that happens at the very end.
Correct. So it assumes that left is the beginning and the right is the end,
like reading an English sentence.
And actually the left side is the left side of the software development lifecycle,
which means the left side is the start and the right side is whatever,
like deploy to production and ship your software.
So is this the shape of things to come?
I mean, does it seem as though overall the industry has recognized that this is the way they should be heading?
Yeah, I mean, it's all about optimization.
I mean, every society, every organization,
everything that needs to produce is actually,
if you look at this in a philosophical way,
is trying to optimize.
And we're running out of things to optimize, right?
So scale, that was an issue back in 2011 up to 2014.
It's still kind of an issue, but back then databases, document databases, all kinds of
new databases were emerging just to compensate for the scale problem that was caused by the
network effect, that everyone was building their own Facebook and Twitter
was born and social networks were emerging every now
and then. But you know, it's kind of
so where's the scale problem these days? You hardly hear of
apps, organizations that are crashing due to scale problems
these days,
where in 2014 it was kind of a couple times a quarter.
And so it looks like security is the next thing to optimize,
and that is what's happening.
That's Dotan Nahum from Spectral.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs
smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute
and also my co-host over on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
This interesting Indiegogo caught my eye.
This is one of those fundraising platforms.
And there's a security-related one that some folks are trying to spin up here.
And the product is interesting,
but I thought it also speaks to an interesting way of tracking people online. And I thought we
might have an interesting conversation about that. Why don't you give us a little background here,
Joe? So the concern, this is from somebody named Paul Moore, who is the founder of something called Privacy Protocol.
Yeah.
And Paul's concern here is that biometric tracking of the way you type can identify you.
And in the Indiegogo ad, he says that these algorithms can identify your gender within 10 keystrokes
and then identify you uniquely with just a few more keystrokes. Right. So everybody has their own unique cadence when
they type. And so they can look at that cadence, assign that to you, and then when you show up
typing somewhere else, they can say, aha, I recognize this cadence. That's correct. Okay.
And this can be used for tracking you across different platforms.
I am almost positive that some of the social media sites out there
are already using this kind of thing to identify you online,
even without your knowledge.
It can be done locally with JavaScript in your web browser.
So your computer actually does the processing to send back the fingerprint to the AI algorithm
that then does the comparison.
And from there on, they've got you.
There's an interesting article that Paul links to in here
from Ars Technica from way back in 2015.
Do you remember 2015, Dave?
Vaguely.
From Dan Goodin, it's
how the way you type can shatter
anonymity even on Tor.
Okay? If,
I mean, Tor is a great anonymity
tool out there. It does a really good job
of anonymizing your traffic.
But, if you
allow JavaScript to run
on a web browser, and somebody
fingerprints your typing, they've got you.
They've got you pretty, they've identified you and your privacy is gone.
It doesn't matter how many different Tor nodes you're coming through.
If they have a way of saying, who is this?
This is Dave Bittner.
Right.
Then guess what?
They know it's you.
I mean, it's like you go to Facebook and log in from Tor.
Then Facebook knows who you are
on that entire Tor session. Sure, sure. What this project does is, this project is actually,
on Indiegogo, is actually a hardware, a piece of hardware that you plug your keyboard into,
and then you plug this into your keyboard slot on your computer through the USB port.
So it's essentially like an intermediate USB device.
Yeah, little USB man in the middle.
Right, exactly.
Okay.
So it alters the timing of how you type.
I don't know if there's any visible outcome of this.
As you're typing, things show up,
and you can notice how much slower they show up.
Yeah.
I don't know.
I've never used this device.
It seems like a really good idea.
They have a Chrome plug-in, which was how they got started on this.
Right.
There is a Chrome plug-in that kind of does the same thing.
But one of the arguments they make in their article here for the Indiegogo campaign is that the Chrome plug-in can be detected.
And this device cannot be detected.
Right.
I'm not sure how comfortable I am plugging in a USB device directly into my keyboard.
I mean, I'm not trying to impugn Paul's character here.
Sure.
I'm sure Paul Moore is a good guy.
But, you know, there's all kinds of opportunities
for supply chain attacks on this.
Sure, sure.
But this should be something that maybe people like Dell and Apple should start considering.
And Microsoft, I guess, because Microsoft also makes hardware now.
Maybe you should start adding this as a feature to your keyboards or offering it as an option.
Yeah, it could just be built into the OS, I suppose.
It could be built into the OS, that's correct.
It just randomizes the delay between characters so that it takes away their ability to track you
biometrically or smooths it out. Who knows what the most effective way is? It seems as though
these people who are behind this keyboard privacy project, they've, according to their testing,
whatever they're doing here is very effective.
Right.
It looks like these algorithms have no success once you use the hardware.
Yeah.
This reminds me of something I thought of many, many years ago,
which was instead of using passwords, could you use pass rhythms?
Yeah.
You can.
But the problem with that is
this is a biometric.
Yeah.
And I've made clear
my feeling on biometrics.
And I'll just restate it here.
My problem with biometrics
is they're immutable.
You can never change them.
So, because of that,
I think there's a good attack model,
a good threat model of impersonation and making impersonation a lot easier.
Yeah, yeah.
Particularly with these rhythms.
If I can identify the biometric rhythm with which you type, I can impersonate it very easily.
Yeah.
All right.
Well, it's an interesting project.
Again, it's over on Indiegogo.
It's called Keyboard Privacy if you want to chase it down.
Joe Carrigan, thanks for joining us.
My pleasure, Dave.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is
Elliot Peltzman,
Puru Prakash,
Kelsey Bond,
Tim Nodar,
Joe Carrigan,
Carol Terrio,
Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Thanks for listening.
We'll see you back here tomorrow. Thank you. Not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.