By the CyberWire staff
US Cyber Command and the private sector disrupt Trickbot.
KrebsOnSecurity reported last week that unknown operators were disrupting the Trickbot botnet, and these operators turned out to be US Cyber Command, the Washington Post reports. Cyber Command had been concerned that Trickbot’s use in deploying ransomware made it a potential threat to the November elections. Anonymous US officials told the Post that the operation was part of Cyber Command's strategy of persistent engagement, which was honed during the 2018 midterm elections. While the operation wasn't expected to deal a lasting blow to Trickbot, it did create some friction for the attackers during the lead-up to the elections. One official told the Post, "At a time when ransomware is eating the world, this is an operation against one of the biggest and most active threat streams. Is this permanent? Of course not."
The disruption took the form of hacking Trickbot's command-and-control servers and sending updates to infected systems that set their new command-and-control addresses to 127.0.0.1 (localhost), effectively severing communication with the criminals' servers. This happened twice—first on September 22nd, and again on October 1st. In both cases, the crooks recovered relatively quickly, but Alex Holden from Hold Security told KrebsOnSecurity that the disruptions caused a great deal of frustration for the criminals. Additionally, Krebs said someone was stuffing Trickbot's databases of stolen information with millions of phony records, creating further confusion.
During the same time period, Microsoft and industry partners also took action against Trickbot, obtaining a court order from the United States District Court for the Eastern District of Virginia to disable key infrastructure used by the botnet. The New York Times says Microsoft and its partners had been unaware of US Cyber Command's activities against the botnet, and that the two actions don't appear to have been coordinated.
Tom Burt, Microsoft's Corporate Vice President of Customer Security & Trust, described the effort in a blog post on Monday:
"During the investigation that underpinned our case, we were able to identify operational details including the infrastructure Trickbot used to communicate with and control victim computers, the way infected computers talk with each other, and Trickbot’s mechanisms to evade detection and attempts to disrupt its operation. As we observed the infected computers connect to and receive instructions from command and control servers, we were able to identify the precise IP addresses of those servers. With this evidence, the court granted approval for Microsoft and our partners to disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the Trickbot operators to purchase or lease additional servers.
"To execute this action, Microsoft formed an international group of industry and telecommunications providers. Our Digital Crimes Unit (DCU) led investigation efforts including detection, analysis, telemetry, and reverse engineering, with additional data and insights to strengthen our legal case from a global network of partners including FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT and Symantec, a division of Broadcom, in addition to our Microsoft Defender team. Further action to remediate victims will be supported by internet service providers (ISPs) and computer emergency readiness teams (CERTs) around the world.
"This action also represents a new legal approach that our DCU is using for the first time. Our case includes copyright claims against Trickbot’s malicious use of our software code. This approach is an important development in our efforts to stop the spread of malware, allowing us to take civil action to protect customers in the large number of countries around the world that have these laws in place."
Like Cyber Command, Microsoft and its partners don't expect the disruption to be permanent, but their goal was to hamper the botnet's operations ahead of the US elections. As Lumen's Black Lotus Labs explained, "While our work might not remove the threat posed by TrickBot, it will raise the cost of doing business for the criminal gang behind the botnet because they will be forced to divert resources away from exploitation activities in order to rebuild the parts of their infrastructure that we disrupted."
Potential influence operations and questions of content moderation.
Reports by the New York Post that alleged "smoking gun" emails involving US-Ukrainian relations have been found on a computer belonging to Hunter Biden, son of former US vice president and present Democratic presidential candidate Joe Biden, raise questions of influence operations (potentially foreign, arguably domestic).
At issue is the long-running and much-investigated nature of the relationship between Biden-fils and various foreign business interests, notably Ukrainian energy firm Burisma, and whether such relationships amounted to influence peddling, or at least the appearance of such. The elder Biden has denied detailed knowledge of his son’s business relationships; his son has periodically regretted any appearance of impropriety.
The emails' provenance is disputed, coming as they did from a laptop of uncertain origin, but with some appearance of connection to the younger Biden. The Johns Hopkins University's Thomas Rid points out ways in which the emails could amount to a disinformation operation. The story's details have been difficult, so far, to corroborate, and some of the emails give the appearance of having been either reconstructed or fabricated.
But the treatment of the Post's reporting has also raised questions about content moderation. Ars Technica has a summary of the issues the case raises for social media content moderation. Twitter and Facebook were quick to inhibit sharing of the Post's coverage, and that's aroused more questions about the ways in which they attempt to control alleged disinformation or misinformation. Twitter simply blocked the content, and blocked some accounts that shared the story. Twitter CEO Jack Dorsey tweeted regrets about his company's handling of the material: "Our communication around our actions on the @nypost article was not great. And blocking URL sharing via tweet or DM with zero context as to why we're blocking: unacceptable."
Facebook didn't block sharing or discussion of the content, but deprecated sharing to reduce the likelihood that the platform's algorithm would amplify the story.
In any case the platforms seem to have enmeshed themselves in a lose-lose approach to the story, with Republicans incensed by what they characterize as censorship, and Democrats upset by what they see as an instance of the Streisand Effect where an attempt to downplay information has the unwelcome and paradoxical effect of drawing attention to it. The Wall Street Journal writes that the US Senate Judiciary Committee is opening an inquiry into the matter, and the US Federal Communications Commission announced its intention of "moving forward with a rulemaking" on Section 230 of the Communications Decency Act. The Republican National Committee has also filed a complaint with the Federal Election Commission over Twitter's interdiction of the Post story.
In the meantime, NBC News reports that the FBI is investigating whether the New York Post's sources can be traced to placement by a foreign intelligence service. The Washington Post says the Intelligence Community has considered the possibility of such a Russian operation for some time.
For more, see the CyberWire Pro Disinformation Briefing.
Twitter updates content moderation policies.
Twitter, in response to feedback and criticism surrounding its handling of the New York Post story, has changed its content moderation policies. Earlier this week CEO Jack Dorsey said he thought the platform could have handled its treatment of tweets about the story better; the story concerns what purport to be emails from Hunter Biden's laptop. Twitter took a second run at clarity and enumerated its reasons for blocking messages that shared the story. Specifically, the story violated two of Twitter's standing policies: first, against posting another person's personal and confidential data, and, second, against distributing information obtained by hacking. The policy doesn't prohibit, Twitter says, discussion or commentary about such material, just distribution of the material itself. Twitter subsequently changed even those clarified policies in two respects:
"1. We will no longer remove hacked content unless it is directly shared by hackers or those acting in concert with them," and
"2. We will label Tweets to provide context instead of blocking links from being shared on Twitter."
Twitter executive Vijaya Gadde explained, "We want to address the concerns that there could be many unintended consequences to journalists, whistleblowers and others in ways that are contrary to Twitter’s purpose of serving the public conversation."
Ryuk resurfaces with new tactics.
Sophos warns that the Ryuk ransomware operators have launched a fresh wave of attacks after seemingly going quiet earlier this year. Sophos observed an attack last month in which an employee fell for a spearphishing email, opened a malicious document, and enabled macros. The attackers then used Cobalt Strike and publicly available malware to perform reconnaissance and compromise Active Directory administrator accounts, eventually gaining access to more than ninety systems. The attackers failed to deploy their ransomware and the attack was largely thwarted, but Sophos was able to discern noticeable changes in tactics from the last time the gang was observed:
"The tactics exhibited by the Ryuk actors in this attack demonstrate a solid shift away from the malware that had been the basis of most Ryuk attacks last year (Emotet and Trickbot). The Ryuk gang shifted from one malware-as-a-service provider (Emotet) to another (Buer Loader), and has apparently replaced Trickbot with more hands-on-keyboard exploitation tools—Cobalt Strike, Bloodhound, and GMER, among them—and built-in Windows scripting and administrative tools to move laterally within the network. And the attackers are quick to change tactics as opportunities to exploit local network infrastructure emerge—in another recent attack Sophos responded to this month, the Ryuk actors also used Windows Global Policy Objects deployed from the domain controller to spread ransomware. And other recent attacks have used another Trickbot-connected backdoor known as Bazar. The variety of tools being used, including off-the-shelf and open-source attack tools, and the volume and speed of attacks is indicative of an evolution in the Ryuk gang’s operational skills."
For more, see the CyberWire Pro Privacy Briefing.
New Russophone threat actor conducts corporate espionage against Russian targets.
Kaspersky has discovered a previously unknown malware toolset that's been "used in highly targeted industrial espionage attacks dating back to 2018." The researchers have dubbed the malware "MontysThree," and they believe the threat actor behind it is newly discovered. Based on language artifacts in the code, Kaspersky thinks the group is Russian-speaking, despite the presence of apparent false flags pointing to a Chinese threat actor. The actor also appears to be focused on Russian-speaking targets, since the malware is configured to run on Windows systems using Cyrillic language settings. Additionally, some of the phishing lures referred to a Russian medical lab.
The malware appears to be built from the ground up, with a mixture of both amateurish and shrewd features. The researchers do note that "the amount of code and therefore effort invested, in MontysThree is significant," although the "overall campaign sophistication doesn’t compare to top notch APT actors in terms of spreading, persistence method."
For more, see the CyberWire Pro Research Briefing.
IBM will spin off IT infrastructure business.
IBM is spinning off its legacy IT infrastructure business as a new public company (provisionally called "NewCo" for convenience; it will receive a proper name in due course) which will have 90,000 employees, the BBC reports. The spin-off is expected to be completed by the end of 2021. IBM will concentrate on its hybrid cloud platform, stating, "With tighter integration and focus on its open hybrid cloud and AI solutions, IBM will move from a company with more than half of its revenues in services to one with a majority in high-value cloud software and solutions."
More business news, including executive moves, can be found in the CyberWire Pro Business Briefing.
Patch news.
Microsoft's Patch Tuesday included fixes for 87 security flaws, eleven of which were rated "Critical," KrebsOnSecurity reports. The worst of these seems to be CVE-2020-16898, a vulnerability in the Windows TCP/IP stack that could allow an attacker to achieve remote code execution by simply sending a specially crafted ICMPv6 Router Advertisement packet to a computer. McAfee says Microsoft's private proof-of-concept exploit is "both extremely simple and perfectly reliable," and the security firm "[expects] to see working exploits in the very near future."
Another serious flaw is CVE-2020-16947 in Microsoft Outlook, which could be exploited to install malware after a user simply previews a malicious email. Krebs quotes Dustin Childs from Trend Micro’s Zero Day Initiative, as saying, "The Preview Pane is an attack vector here, so you don’t even need to open the mail to be impacted."
Adobe patched a single critical flaw in Flash Player for Windows, macOS, Linux, and Chrome OS that could lead to remote code execution. The vulnerability (CVE-2020-9746) "requires an attacker to insert malicious strings in an HTTP response that is by default delivered over TLS/SSL."
SonicWall released patches for a critical flaw in the SonicOS operating system running on its Network Security Appliances. Tripwire, which uncovered the vulnerability, explains, "An unskilled attacker can use this flaw to cause a persistent denial of service condition. Tripwire VERT has also confirmed the ability to divert execution flow through stack corruption indicating that a code execution exploit is likely feasible. This flaw exists pre-authentication and within a component (SSLVPN) which is typically exposed to the public Internet. As of the date of discovery, a Shodan search for the affected HTTP server banner indicated 795,357 hosts." SonicWall commented in an email, "At this time, SonicWall is not aware of a vulnerability that has been exploited or that any customer has been impacted."
Crime and punishment.
The US Department of Justice announced on Thursday that it had indicted fourteen members of QQAAZZ, an international money laundering gang that makes its principal home in Russophone criminal sites. The operation that took down QQAAZZ was an international one, with raids conducted across Europe. QQAAZZ, which was among the gangs involved in serving Dridex and TrickBot operators, was rolled up as police followed the trail of what CyberScoop calls one of its “more flamboyant” operators. That’s one Maksim Boiko whom you may recall being arrested with $20,000 in cash as he transited through the airport in Miami. Mr. Boiko took a not-guilty plea in a US court back in May.
Courts and torts.
Health insurance company Anthem has reached settlements with forty-two US states and the District of Columbia over its 2014 data breach, JDSupra reports, to the tune of $48.2 million. This brings Anthem’s total paid for legal action concerning this breach up to $179.2 million.
Policies, procurements, and agency equities.
On Sunday representatives of the Five Eyes, India, and Japan issued a joint "International Statement" on "End-To-End Encryption and Public Safety." The statement affirmed support for strong encryption, but deplored "counter-productive and dangerous approaches that would materially weaken or limit security systems," and then called upon companies to design systems so that law enforcement could, with proper authorization, access encrypted communications.
For more, see the CyberWire Pro Policy Briefing.