CyberWire Daily - WastedLocker being distributed in RIG campaign. Investigation of the DarkSide attack on Colonial Pipeline. More ransomware gangs go offline. Double encryption. Third-party stalkerware risk.

Episode Date: May 18, 2021

A new RIG campaign is distributing WastedLocker. The US Congress considers two bills informed by the Colonial Pipeline incident, and Congressional committees are looking at the company’s response to the attack. More ransomware gangs go offline, but Conti is still trying to collect from the Irish government. Double encryption appears to be an emerging trend in ransomware. Ben Yelin looks at insurance companies clamping down on ransomware payments. Our guest is Nick Gregory of Capsule8 with thoughts on the Linux security landscape. And there’s another problem with stalkerware: third-party risk. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/95 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. A new RIG campaign is distributing WastedLocker. The U.S. Congress considers two bills informed by the Colonial Pipeline incident, and congressional committees are looking at the company's response to the attack. More ransomware gangs go offline, but Conti is still trying to collect from the
Starting point is 00:02:14 Irish government. Double encryption appears to be an emerging trend in ransomware. Ben Yelin looks at insurance companies clamping down on ransomware payments. Our guest is Nick Gregory from Capsule8 with thoughts on the Linux security landscape. And there's another problem with stalkerware, third-party risk. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, May 18th, 2021. Firm Bitdefender this morning issued a report that a new RIG exploit kit campaign is distributing what appears to be a new variant of WastedLocker ransomware, a strain associated with the Evil Corp gang.
Starting point is 00:03:13 The campaign targets unpatched Internet Explorer browsers, and it uses known VBScript vulnerabilities. Victims get the infection by visiting a watering hole. Apparently, no interaction beyond the visit is required to expose vulnerable systems to infection. Patches are available for both vulnerabilities, and Bitdefender advises bringing your systems up to date. Now that operations have returned to normal, the DarkSide ransomware assault on Colonial Pipeline has moved into its after-action review stage as legislators grill the company and third parties seek to extract lessons. Bank Info Security says that two bills influenced by the incident, the Pipeline Security Act and the CISA Cyber Exercise Act, are under consideration in the U.S. House of Representatives. The former would sort out responsibility for pipeline security between the Cybersecurity and Infrastructure Security Agency and the Transportation Security Administration. The latter would require CISA to establish a
Starting point is 00:04:17 national program in which the government and industry could test their infrastructure's resilience against a range of cyber threats. Colonial Pipeline yesterday participated in staff briefings with the U.S. House Committee on Oversight and Reform and Committee on Homeland Security. The committee chairs issued a brief statement communicating their concern and displeasure. Quote, Following today's briefing from Colonial Pipeline, we remain extremely concerned about the rise in ransomware attacks and the threat to our nation and its critical infrastructure.
Starting point is 00:04:50 It is deeply troubling that cyber criminals were able to use a ransomware attack to disrupt gas supply on the East Coast and reportedly extort millions of dollars. We're disappointed that the company refused to share any specific information regarding the reported payment of ransom during today's briefing. In order for Congress to legislate effectively on ransomware, we need this information. This attack not only highlights glaring vulnerabilities in our critical infrastructure, it also exposes a marketplace in which it may be easier for a company to pay off a criminal than put resources toward preventing and defending against attacks. We look forward to working with the Biden administration
Starting point is 00:05:30 and our colleagues on both sides of the aisle to strengthen our nation's cyber defenses and secure our critical infrastructure. Politico offers a rundown of post-Colonial opinion on where the experts tell them ransomware is likely to strike next. It's the usual suspects, education, healthcare, and local government, all of whom have recently received more than their fair share of attention from the ransomware gangs. Jalopnik's rather sour take on the incident is the observation that the ransomware didn't actually interfere with pipeline operations, just Colonial's ability to bill customers for deliveries, which is why the company shut its systems down. Of course, you have to be able to bill for your products and services, so inability to track and invoice deliveries isn't a trivial flaw you can just fix when you get around to it.
Starting point is 00:06:24 We're not in Hakuna Matata territory here, friend, but the point is worth considering. Note, too, that an attack needn't hit industrial control systems to disrupt operations. An attack on business systems can often do the job, as it apparently did here. The Jalopnik piece also quotes some of the communications from DarkSide recounted to ZeroDay, like this one, quote, Jalopnik's comment is apt enough, quote, I can't get over this exchange where the hackers are blasé about the billing breach and refer Colonial to their customer service as if this were some broadband outage from an ISP,
Starting point is 00:07:14 end quote. Tell it, brother. The crooks do act like business reenactors, don't they? That said, EnergyWire deputy editor Blake Subcheck tweeted late this morning that Colonial Pipeline notified customers today that it was currently experiencing network issues impacting customers' ability to enter and update nominations. Nominations, in this sense, refers to a shipper's request to move a certain amount of product. It's not known how serious this is, how long it might last, or whether it's
Starting point is 00:07:45 related to the DarkSide attack, but it's another instance of how problems with a business system can affect operations. The DarkSide gang responsible for the Colonial Pipeline attack went offline late last week, either feeling the heat and deciding to lay low for a while, or perhaps simply absconding with their affiliates' funds. Reuters reports that two other ransomware gangs, AKO and Everest, also went dark over the weekend. While underground criminal websites do from time to time suffer from instability, Recorded Future thinks that in this case the two gangs made a conscious decision to drop offline. Intel 471 has a useful account of where things stood with various gangs as of Friday. A number of groups seem to have skedaddled.
Starting point is 00:08:33 Conti is one ransomware gang that's still committing high-profile attacks, demanding the equivalent of $20 million for restoration of healthcare sites in Ireland. Computing reports that Prime Minister Martin says the Irish government has no intention of paying. Wired describes a further evolution in ransomware, double encryption. The gangs began by simply rendering victims' data unavailable, moved on to data theft and doxing, and now have begun encrypting data twice. In some cases, they use one strain on part of a victim's information and a second strain on the rest, which means that a decryptor will at best restore a fraction of the data.
Starting point is 00:09:16 In others, the criminals use first one strain, then another on the entire corpus. So a second decryptor is necessary. You pay for one decryptor, and then find you're being upsold to two. This doesn't seem a sustainable business model. One of the problems, we remember, with Colonial Pipeline's payment of ransom is that their reported $5 million didn't get them a particularly useful decryptor. That may just have been a lousy decryptor, and that's been seen before, but the principle is the same. It's bad business for a bad business, and no amount of chipper
Starting point is 00:09:51 customer service chat is going to overcome the reluctance people are going to have to paying up. Stalkerware is unsavory and a threat to privacy, but according to ESET, it's also dangerously slovenly, exposing its victims to further third-party risk. Stalkerware is often sold as a safety product, presumably one that enables a protector to look after you as a parent might keep track of a minor child. But ESET notes that this particular fig leaf is a pretty small and translucent one, the security firm writes, for stalkerware vendors to stay under the radar and avoid being flagged as stalkerware.
Starting point is 00:10:30 Their apps are in many cases promoted as providing protection to children, employees, or women, yet the word spy is used many times on their websites. Searching for these tools online isn't difficult at all. You don't have to browse underground websites. End quote. ESET researchers looked into 86 Android stalkerware apps and found a total of 158 vulnerabilities across 58 of them. Those bugs would enable a third party,
Starting point is 00:11:01 neither the stalker nor the subject of the stalking, to extract sensitive personal information from the victim's affected device. And wait, there's more. Some of the apps upload that personal data to their servers. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Starting point is 00:11:39 Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:12:14 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:12:37 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:13:22 In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Despite vulnerabilities on Windows and macOS tending to grab the biggest headlines, attacks on Linux systems continue to grow in scope and prevalence. Nick Gregory is a research scientist at Capsule8, and his team has been tracking the issue.
Starting point is 00:14:00 So for Linux itself being the kernel, I would say it's a relatively good state of affairs, right? It's not like we're finding critical bugs every other week. Things do pop up every once in a while, but for the most part, the kernel itself is pretty robust at this point, I would say. As for the rest of the Linux ecosystem, that's where I would say we start to run into more issues. Again, not everything is bad, but you're certainly more likely to hear about things impacting large businesses in those types of things
Starting point is 00:14:35 it feels like almost every week. And what sort of things are you all tracking? I mean, how has the proliferation of these sorts of malware tools taken place in the past year or so? So we've definitely noticed a lot more just kind of low-hanging fruit attacks. Crypto miners in particular have been basically present wherever we look, which was definitely not the case, it feels, a couple, two, three years ago. which was definitely not the case, it feels, you know, a couple, two, three years ago. Other than that, like, it feels like we're just seeing a lot of, again, kind of low-hanging fruit, people taking public proof of concepts and just trying to get whatever fast money they can with them.
Starting point is 00:15:22 Yeah, you know, and not a whole lot of advanced attacker stuff every day, luckily. I know one thing that you and your team have been tracking is the adoption of the Go programming language when it comes to the hackers coming after Linux. Can you give us a little bit of the background there? Why do you suppose we're seeing that? Yeah, so Go in particular has a lot of nice properties for attackers. Existing tools to do reverse engineering are just now beginning to actually be able to properly parse Go programs.
Starting point is 00:15:53 Before, literally I think two days ago, the most popular reverse engineering toolkit, IDA, basically just didn't support Go programs. It would load them, but you just didn't get anything useful out of it. So there's that. There's the fact that they're statically compiled, so there's no chance of anything really going wrong. You just drop the binary and run it.
Starting point is 00:16:14 There's no dynamic linking or anything. It's just there. And it's performant enough, and you can link in C libraries, so you can do anything with it still. So it's got a lot of nice features for attackers. Where do you suppose things are headed when it comes to security on Linux, but then also the bad guys coming after it? What do you think we're in for as you look towards the horizon?
Starting point is 00:16:39 So I would say opportunistically, I'm very excited to see more adoption of Rust and other memory-safe languages, Go included. It does have a good use for replacing C programs. But Rust in particular is getting a lot of traction, and it's even starting to be integrated into the kernel itself. So the more things that we can get in that realm, the better. Just completely eliminate a whole bunch of vulnerability classes. Sounds good to me. I guess that's kind of the largest thing that I'm seeing in the future. There is going to be the continued push for cloud computing stuff
Starting point is 00:17:20 and some of the nice things that come along with that too. Again, security-wise, you can very finely tune like IAM. So you do get some nice benefits there if you choose to use them. But yeah, I would say in general, the state of things is generally going in the right direction, eliminating vulnerability classes as we can. That's Nick Gregory from Capsule 8. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
Starting point is 00:18:06 a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Starting point is 00:18:44 And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast. Hello, Ben. Hi, Dave. It's an interesting story from Insurance Journal, and they are covering one of Europe's largest insurers who has decided to stop paying for ransomware crime payments in France.
Starting point is 00:19:06 What's going on here, Ben? This is a really fascinating story, which to me, we're going to, I think this is going to become more and more of an issue, and I'm not sure we have a solution to this problem. So this is the insurance company AXA. I believe that's how it's pronounced, not AXA, but you can correct me if I'm wrong. And they have decided that they are going to stop writing cyber insurance policies in France that reimburse customers for extortion payments made to ransomware criminals. So a couple limiting factors to this case.
Starting point is 00:19:36 It does only apply in France. They insure companies in the United States, and this new policy will not apply to those insurance policies. But I think we're reaching a tipping point where policy officials and officials in the insurance sector and in other areas of the private sector are starting to realize that there is this incentive problem. A lot of people are purchasing cyber insurance policies that cover the cost of paying a ransom or paying an extortion fee. And that's made the potential benefits of instigating ransomware attack
Starting point is 00:20:13 far greater to cyber criminals because there's just more money in the game. If your ransom is covered, it's far more likely that you're going to pay the ransom because it's not coming out of your own pocket. It's covered by insurance. So that could potentially lead to a resolution like the one here where insurance companies decide to stop paying these extortion payments. But that's not really a solution to the broader policy problem because then the companies that are the victims of ransomware attack are still going to be on the hook for those payments. You know, that might give them more of an incentive to, you know, try and recover their own data rather than
Starting point is 00:20:56 paying the ransom. And perhaps, you know, that's the long term solution to this problem. But I think it's something we're going to have to watch out for. We're entering an era where cyber criminals are realizing how profitable it can be to engage in cybercrime largely because of these insurance policies. Yeah, it's interesting. This article points out that they, I believe it was Emsisoft estimated last year that France's overall losses were more than $5.5 billion due to ransomware, and the payments have tripled to the costs of recovering from a ransomware attack, but not the actual ransom itself. Yeah, and I think they're trying to create an incentive structure where the easiest solution is not to reward the criminals who instigated the ransomware attack in the first place. And I think that's a noble cause and a noble goal.
Starting point is 00:22:07 Does it contend with the real world situation where sometimes organizations really just want to pay the ransom and have their data decrypted? I'm not sure it contends with that real world, and I think that's going to be a problem. I think in an ideal world, yes, you have the insurance recovering from the attack and not engaging in these extortion payments. But I just don't know or think that that's the world that we live in. Yeah. I've wondered about this in some other interviews I've done with some experts on the
Starting point is 00:22:42 topic. I wonder if insurance for ransomware is going to go the way of flood insurance, where you have a national program backed by the feds because it's not profitable for any private insurance companies to underwrite something like this. The losses can be too catastrophic. And so really the only backstop you can have is at the federal level. There's been some talk of that coming out of the Biden White House. Nothing's settled yet, but it's not something that they've dismissed. Yeah, you'd hate to see that because the National Flood Insurance Program is kind of a mess. True.
Starting point is 00:23:18 Which is a subject for a different show. So you'd like to see this sort of decentralized system where people are purchasing insurance based on risk. And I think that can be undermined when you have the situation that we're seeing now where cyber criminals realize that there's a lot more, there's a much greater chance that they're going to be reimbursed for their crimes
Starting point is 00:23:45 because so many of these companies have insurance policies that cover extortion payments. Yeah, yeah. All right. Well, interesting times for sure. Ben Yellen, thanks for joining us. Thank you. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland
Starting point is 00:24:22 out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
Starting point is 00:25:36 helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
