Federal agencies migrating to the cloud in record numbers.
According to Coalfire’s latest report on FedRAMP, U.S. agencies spent $6.5B in cloud services in FY2018, an impressive 32 percent year-over-year increase, with the vast majority of Federal cloud migration still to come. SaaS/PaaS/IaaS providers can gain access to this market with significantly less investment in both time and cost by taking advantage of automation and recent FedRAMP program updates. Learn how.
The Week that Was.
October 5, 2019.
By the CyberWire staff
Looking at GandCrab and Sodinokibi/REvil's affiliate model.
McAfee has published research on the Sodinokibi/REvil ransomware, examining the ransomware-as-a-service (RaaS) business model and providing further evidence that the malware is linked to GandCrab. In addition to extensive code overlap outlined in McAfee's first report, the researchers found that many of GandCrab's favored affiliates have switched over to Sodinokibi, along with the top operators using other RaaS families, forming what the researchers call "a sort of all-star team." McAfee provides a detailed overview of Sodinokibi's affiliate model on GitHub.
McAfee was able to identify separate affiliates based on hardcoded values in GandCrab and Sodinokibi samples. The malware's developers give their affiliates a cut of the ransom, so they need a way of tracking which affiliate is responsible for which attacks. They seem to achieve this by using hardcoded IDs and sub IDs that correspond to each affiliate and their campaigns. McAfee identified some IDs that showed up only once, indicating affiliates that had been expelled from the RaaS network after failing to prove themselves. Four IDs in particular were seen many times, with the most successful affiliate's ID appearing in seventy-one unique GandCrab samples. Notably, none of these four most active affiliates' IDs were present in samples of the last version of GandCrab released in February, which the researchers believe could somehow be related to GandCrab's retirement several months later.
McAfee found that Sodinokibi uses an almost identical ID/Sub ID model, and some of its top affiliates display very similar behavior to the top-performing GandCrab groups.
The researchers observe that RaaS is vulnerable to the same weaknesses facing any other business model, and they see two primary ways to disrupt it. The first would be arresting the most profitable affiliates, which would lower income for developers and lead to an overall drop in morale. The second method is developing and releasing free decryptors for ransomware.
Do you know where the bad guys are getting in and what they are doing to put you at risk?
Today, it’s not enough to know what’s happening IN your network. Organizations must have situational intelligence as to what’s happening outside their environment: who’s targeting them, how those actors are behaving, and who’s working together to put the company at risk. Wherever those bad actors are, we’ll find them. We provide expert endpoint protection, risk management, and threat intelligence for large enterprises and government agencies worldwide.
Researchers at Recorded Future describe the results of an experiment with disinformation-as-a-service providers on Russian-speaking underground forums. The researchers hired two different disinformation vendors to run opposing campaigns in relation to a fabricated company, which they refer to in the report as "Tyrell Corporation." The first vendor, which the researchers refer to under the pseudonym "Raskolnikov," was asked to run a positive PR campaign for the company. The second vendor, referred to as "Doctor Zhivago," was instructed to carry out a negative information operation against Tyrell. (Recorded Future was in a literary mood when they chose the names.)
Raskolnikov began the positive campaign by creating various social media accounts for the company, each of which gathered at least one hundred followers. The researchers believe these followers were a combination of trolls and bots with some real users mixed in. Raskolnikov then wrote articles praising the company, which they rewrote several times based on feedback from the researchers until the articles' use of the English language felt natural. The vendor managed to get one of these articles published by a media outlet which the researchers describe as "a very reputable source that had published a newspaper for nearly a century."
Next, the researchers hired Doctor Zhivago to tear down the reputation of the fake company. This vendor offered a variety of services, including filing false criminal accusations against targets. Recorded Future asked the group to write some negative articles about Tyrell, and Doctor Zhivago delivered. The group then propagated the articles through its network of several thousand social media accounts.
Recorded Future stresses that sponsoring both of these disinformation campaigns was "alarmingly simple and inexpensive," costing a total of $6,050. Both disinformation vendors were responsive to feedback and easy to work with, and the content they created still shows up in search results related to the fabricated company.
Join Dragos and the CyberWire on October 22 to hear how threat intelligence can help your organization reduce risk by improving detection, response, and prevention for critical infrastructure. We’ll share real-world insights from hunting some of the most sophisticated threats and cover vulnerable assets that need protection. Register today.
Malware in the energy sector.
Kaspersky's ICS CERT report warns that the company's products blocked malware on 41.6% of ICS computers in the energy sector during the first half of 2019. The computers affected include SCADA servers, historians, HMIs, data gateways, stationary and mobile workstations, and computers used for ICS software development.
Most of the attempted attacks involved malware that wasn't tailored to an ICS environment, including cryptominers, ransomware, worms, and spyware. The researchers emphasize that these types of malware still represent a serious threat, as they can impact availability or provide information and access to be used in further attacks. Kaspersky also identified some ICS-specific attacks, which are still under examination.
The three types of malware the firm calls out specifically are the AgentTesla spyware, the Meterpreter backdoor, and the Syswin wiper worm.
Checkm8 can bypass boot security on most iOS devices, but isn't much of a threat to users.
An iOS researcher who goes by axi0mX released an open-source tool dubbed "checkm8" that can be used to exploit a bootrom flaw in any iOS device using A5 through A11 chips, which includes all devices from iPhone 4S through iPhone X. The bug can't be patched by a software update, so these devices will probably be vulnerable until they're decommissioned.
As SentinelOne notes, however, the exploit doesn't present much of a security risk, since an attacker would need physical access to a device and because the changes will be wiped out as soon as a compromised device is rebooted. Additionally, in an interview with Ars Technica, axi0mX explained that the exploit still won't grant access to data protected by Apple's Secure Enclave unless an attacker already has a device's PIN or Touch ID.
As a result, the exploit is primarily useful for iOS researchers as it allows them to develop jailbreaks to examine the software running on their own devices. SentinelOne predicts that in the coming months checkm8 will bring about "quite a few startling revelations of devious behaviour by so-called ‘reputable’ apps as more and more researchers begin jailbreaking devices and reverse engineering apps to examine how particular applications behave at runtime."
Have Your Users Made You an Easy Target for Spear Phishing?
Many of your organization’s email addresses and identities are exposed on the internet, and are easy for cybercriminals to find. With email’s enormous attack surface, cybercriminals are able to launch potentially devastating social engineering, spear phishing and ransomware attacks on your organization. Try KnowBe4’s Email Exposure Check Pro for free today, and see how you can identify the at-risk users in your organization by crawling business social media information and hundreds of breach databases.
ODT files used to evade antivirus detection.
Cisco Talos says attackers are using the OpenDocument (ODT) file format to deliver malicious documents created with Microsoft Office, Apache OpenOffice, and LibreOffice. ODT files are ZIP archives and aren't treated as documents by many antivirus engines, allowing malicious macros to remain undetected. This technique isn't widespread, but Talos believes the method is being tested out and could increase in the future. In the attacks observed by Talos, the macros delivered RevengeRAT and njRAT. (Talos offered more insight into this attack technique on the CyberWire Daily Podcast on 10.3.19.)
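Because an ODT file is an ordinary ZIP archive, a defender can inspect it without any office software: open the archive, confirm the `mimetype` entry, and look for the containers that hold macros (the `Basic/` and `Scripts/` directories in an ODF package) and for `script:event-listener` entries in `content.xml`, which bind a macro to document events such as load. The following scanner is an added example written for this digest; it is not Talos's code or tooling, and the two documents it scans are constructed in memory (a plain ODT and one carrying an empty Basic module wired to a load event) rather than real samples.

```python
import io
import re
import zipfile

# ODF text documents declare this in a stored (uncompressed) "mimetype" entry
ODT_MIMETYPE = "application/vnd.oasis.opendocument.text"

# Directories in an ODF package that hold Basic libraries and scripted (Python/JS/BeanShell) code
MACRO_PREFIXES = ("Basic/", "Scripts/")

# Event bindings that tie a script to a document event, e.g. dom:load (document open)
AUTO_EVENT_RE = re.compile(rb'script:event-name="([^"]+)"')


def scan_odt(data: bytes) -> dict:
    """Static inspection of an ODT package: list macro containers and event-bound
    scripts. Nothing inside the document is executed or rendered."""
    findings = {"is_odt": False, "macro_entries": [], "event_listeners": [], "suspicious": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["error"] = "not a zip archive"
        return findings
    with zf:
        names = zf.namelist()
        if "mimetype" in names:
            findings["is_odt"] = zf.read("mimetype").strip() == ODT_MIMETYPE.encode()
        # Any file under Basic/ or Scripts/ means the package ships executable content
        findings["macro_entries"] = [
            n for n in names if n.startswith(MACRO_PREFIXES) and not n.endswith("/")
        ]
        # Event listeners live in the <office:scripts> block of content.xml or styles.xml
        for part in ("content.xml", "styles.xml"):
            if part in names:
                findings["event_listeners"] += [
                    m.decode() for m in AUTO_EVENT_RE.findall(zf.read(part))
                ]
    findings["suspicious"] = bool(findings["macro_entries"] or findings["event_listeners"])
    return findings


def build_sample_odt(with_macro: bool) -> bytes:
    """Constructed test document (not a real sample). With with_macro=True it carries an
    empty Basic module and a dom:load listener, which is the shape a scanner must catch."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # ODF requires mimetype to be the first entry and stored uncompressed
        zf.writestr(zipfile.ZipInfo("mimetype"), ODT_MIMETYPE, compress_type=zipfile.ZIP_STORED)
        content = b"<office:document-content>"
        if with_macro:
            content += (
                b'<office:scripts><office:event-listeners>'
                b'<script:event-listener script:event-name="dom:load" script:language="ooo:script" '
                b'xlink:href="vnd.sun.star.script:Standard.Module1.Main?language=Basic&amp;location=document"/>'
                b"</office:event-listeners></office:scripts>"
            )
            zf.writestr("Basic/script-lc.xml", "<library:libraries/>")
            zf.writestr("Basic/Standard/Module1.xml", "<script:module>Sub Main\nEnd Sub</script:module>")
        content += b"<office:body><office:text><text:p>Hello</text:p></office:text></office:body></office:document-content>"
        zf.writestr("content.xml", content)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_odt(False)), ("macro", build_sample_odt(True))):
        print(label, scan_odt(doc))
```

The check is deliberately structural: it flags the presence of macro containers and event bindings rather than trying to judge what the macro does, which is the right first gate for a mail gateway or sandbox pre-filter where the goal is to route ODT attachments to deeper analysis instead of letting them pass as inert documents.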
Ransomware hits hospitals.
School systems and city governments in the US have sustained a wave of ransomware attacks. They're being joined in the victim pool by hospitals, and this is a trend that extends beyond the US to include Australian and Canadian hospitals at least. Computing reports that hospitals in both the US and Australia have been forced to delay elective surgery and otherwise turn patients away because of infestations in their systems. The CBC reports that three hospitals in Ontario have been infested with the Ryuk strain of ransomware.
The trend extends to for-profit organizations as well. The insurance industry publication Claims Journal notes that corporate risk managers are increasingly aware of, and concerned about managing, the threat of ransomware. It's not just the direct expense of paying ransom (which the FBI advises you not to do), but also the threat of costly business interruption.
Crime and punishment.
Anonymous sources have told the Canadian Broadcasting Corporation that the raid on Mr. Cameron Ortis's Ottawa condo turned up “dozens” of encrypted devices that police may not be able to break. Mr. Ortis is the RCMP intelligence director who’s been arrested on charges related to alleged violations of the Information Security Act. Reports say that he may have intended to pass sensitive information to either organized crime groups like the Sinaloa Cartel, or to unspecified foreign governments. Encryption of course isn’t illegal, but it does make investigators’ lives more difficult. One interesting piece of paper was found in Mr. Ortis's quarters: a handwritten note headed "The Project", followed by the words, "John Lemon's blog removing your pdf metadata." The blog post mentioned offers a step-by-step guide to removing metadata from a pdf. A scan of Mr. Ortis’s accessible devices indicated that between September 8th and 9th some twenty-five documents (or more) "had been processed and sanitized to remove identifying information.” The RCMP announced Mr. Ortis’s arrest on September 13th; thus the pdfs were scrubbed less than a week before he was taken into custody. Mr. Ortis's bail hearing began Friday, and CTV says it's expected to last some time.
Police in the German Land of Rhein-Pfalz last week raided and shut down a bulletproof-hosting data center in Traben-Trarbach, Deutsche Welle reported. The action crossed both Land and international boundaries, with arrests near Frankfurt and other police action in the Netherlands, Luxembourg, and Poland. The data center, located in a surplus NATO facility acquired by a Dutch national in 2013, is thought to have been involved in both contraband markets and in the 2016 distributed denial-of-service attack on Deutsche Telekom. Hosting contraband-trading websites isn’t a crime under German law, at least provided you don’t really know that’s what the sites are up to, but the authorities think the people running the show at Traben-Trarbach knew perfectly well what was going on, and were themselves members of an organized criminal group.
The oligarch behind the Internet Research Agency that worked its influence mischief from St. Petersburg has come under new sanctions imposed by the US Treasury Department. Yevgenyi Prigozhin is variously described as "founder," "financier," or "owner" of the troll farm. Mr. Prigozhin has indeed been sanctioned before, but this isn't just Treasury making the financial rubble jump. Now Mr. Prigozhin's yachts and private jets are specifically mentioned in dispatches. He may find it difficult to ride them into non-Russian ports-of-call, Fifth Domain notes.
Reyes Daniel Ruiz took a guilty plea Monday in the US District Court for the Northern District of California to one charge of computer intrusion. Mr. Ruiz was formerly an engineer at Yahoo!, where he worked his mischief by poking through some six-thousand Yahoo! accounts, mostly looking for salacious pix of coworkers. He'll be sentenced this coming February, and could face up to five years in Club Fed.
Courts and torts.
The New York Times reports that the European Court of Justice ruled today that national courts may order Facebook to take down and restrict access to content globally. The case originated with an Austrian Green Party politician who requested removal of unflattering comments an unnamed individual had posted to a personal page. (The plaintiff, Eva Glawischnig-Piesczek, alleged that three bits of content were impermissibly objectionable. Specifically, she objected to "traitor to the people," "corrupt clod," and "fascist.") Columbia Global Freedom of Expression has an overview. A Telegraph opinion piece thinks the EU ruling against Facebook may have gone too far, effectively giving the most repressive regimes a global heckler's veto over content they dislike.
Policies, procurements, and agency equities.
The National Security Agency launched its Cybersecurity Directorate on October 1st, the Washington Post reports. The new Directorate will absorb the mission and functions of NSA's old Information Assurance Directorate, and it will assume additional missions as well. NSA describes the new Directorate's mission as unifying NSA’s foreign intelligence and cyber defense missions and "preventing and eradicating threats to National Security Systems and the Defense Industrial Base."
An open letter from US Attorney General Barr, UK Home Secretary Patel, Australian Home Affairs Minister Dutton, and acting US Homeland Security Secretary McAleenan, issued Friday in conjunction with the Justice Department's Lawful Access Summit, specifically asks that the social network not make it impossible for authorities to legally access content relating to child sexual exploitation and abuse, terrorism, and foreign interference in democratic institutions.
Fortunes of commerce.
UK-based chip design licensor ARM told the Telegraph that it will continue providing support for its Armv8-A architecture to Huawei, after ARM determined that the architecture was "of non-US origin." EE Times cites ARM China's spokesman as saying that, contrary to some reports, they never entirely stopped doing business with Huawei. Forbes notes that US-based Qualcomm has also resumed trade with Huawei, presumably after receiving a license from the US Commerce Department.
Antivirus provider PC Matic is consolidating with its parent company, PC Pitstop, which will be rebranded as PC Matic, Inc.
Hardware manufacturer HP Inc. has a new CEO, and he's restructuring the company and laying off up to 16% of its workforce, approximately 9,000 people, the Wall Street Journal reports. Other tech companies take note: there will be some talented people on the job market soon.
A piece in Forbes offers an obvious approach for companies concerned about the cybersecurity labor shortage: businesses, grow your own talent.
Florida-based security awareness training company KnowBe4 has acquired the US and UK-based video production company Twist and Shout Group, which includes Twist and Shout Media and Twist and Shout Communications.
PS&C has sold its security unit to Melbourne-based security firm Tesserent, CRN reports. Tesserent sees the acquisition as giving it a full range of security offerings and access to markets in Australia, Asia, and the United Kingdom.
Investments and exits.
FireEye stock jumped 5.4% Wednesday after Business Insider reported rumors that the company had retained Goldman Sachs to put itself on the block. The word is that private equity firms are the likeliest suitors of the publicly traded company, but 24/7 Wall Street offers speculations on acquisition by an industry player while cautioning against mistaking rumor for solid information.
Today's issue includes events affecting Australia, Austria, China, European Union, Russia, Singapore, Switzerland, United Kingdom, United States.
ON THE PODCAST
Research Saturday is up. In this episode, "The fuzzy boundaries of APT41," researchers at FireEye review their recent report detailing the activities of APT41, a Chinese cyber threat group notable for the range of tools they use, their origins in the world of video gaming, and their willingness to shift from seemingly state-sponsored activity to hacking for personal gain. Nalani Fraser and Fred Plan contributed to the report, and they join us to share their findings.
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.