The CyberWire Daily Podcast 8.21.20
Ep 1157 | 8.21.20

Transparent Tribe upgrades Crimson RAT. More countries interested in influencing US elections. University pays ransom.


Dave Bittner: Transparent Tribe updates Crimson RAT. Cuba, North Korea and Saudi Arabia are also interested in influencing the upcoming U.S. election. The University of Utah restored from backups after a ransomware attack but paid the ransom to prevent the crooks from publishing stolen data. Uber's former CSO has been charged with allegedly covering up a hack the company sustained in 2016. Justin Harvey from Accenture on how the pandemic has affected incident response. Gerald Beuchelt from LogMeIn on how secure remote access may or may not be. And a popular fertility app was found to be sharing data with advertisers without users' permission.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, August 21, 2020. 

Dave Bittner: Kaspersky has released a report on the continuing activities of Transparent Tribe, also known as ProjectM and Mythic Leopard, a cyber-espionage group actively deploying the Crimson RAT against its targets. Crimson RAT has been upgraded for the current campaign, with server-side management of infected machines and a newly discovered component dubbed USBWorm that infects and steals files from removable drives. 

Dave Bittner: Attribution of Transparent Tribe, which has been active since at least 2013, remains murky, but Palo Alto Networks and others have seen signs of an association with Pakistan. In the past, the group has primarily targeted Indian military and government personnel, but Kaspersky says this recent campaign shows an increased interest in targets in Afghanistan. 

Dave Bittner: William Evanina, the director of the National Counterintelligence and Security Center at the Office of the Director of National Intelligence, has added a few governments to the list of those who appear interested in influencing U.S. elections, CyberScoop reports. He said Cuba, North Korea and Saudi Arabia want to be able to provide their optics for discord in the United States. Evanina added that efforts by those countries aren't rising to the level of the big three, namely Russia, China and Iran. His comment about discord is suggestive. 

Dave Bittner: After a ransomware attack that hit its College of Social and Behavioral Sciences on July 19, the University of Utah paid its extortionists, BleepingComputer reports. The university said in its disclosure that the decision to pay was reached in close consultation with its insurance carrier and that the amount it turned over to the attackers was $457,059.24. ZDNet says the university was able to restore systems and data from backups but that it decided to pay the ransom to prevent the criminals from releasing the personal data they'd stolen in the course of the attack. The disclosure said in part, quote, "the university's cyber insurance policy paid part of the ransom, and the university covered the remainder. No tuition, grant, donation, state or taxpayer funds were used to pay the ransom," end quote. 

Dave Bittner: Which ransomware gang was behind the attack remains undisclosed, but Emsisoft told ZDNet that the attack looked like the work of NetWalker, which has made a specialty of hitting universities. It's hard to see how paying the ransom would keep criminals from releasing data. The agreement seems unenforceable. After all, it's not really the sort of contractual transaction one could enforce in civil court, and stolen data can quickly find their way into other hands, so there's a great deal of hope behind the decision. Emsisoft called the agreement a pinky promise made by criminals. How this high degree of uncertainty and forced misplaced trust figured into the cost-benefit calculus is unclear. 

Dave Bittner: There's also the problem that paying ransom encourages the growth of a bandit economy. But on balance, the insurer's involvement seems a positive sign. Security informed by actuarial insight is likely to be better security. Good building fire codes, for example, came more from the insurance industry than from government action. Government action was the final result, but it followed the underwriters' lead. 

Dave Bittner: The U.S. attorney for the Northern District of California has filed a criminal complaint charging Joseph Sullivan with obstruction of justice and misprision of a felony in connection with the attempted cover-up of a 2016 hack of Uber Technologies Inc. When he was chief security officer of Uber, Mr. Sullivan is alleged to have paid hackers a six-figure payment in exchange for their silence about their undisclosed theft of personally identifying information connected to some 57 million Uber drivers and passengers. 

Dave Bittner: Mr. Sullivan is said to have channeled the payment through a corporate bug bounty program with a view to concealing information about the breach from the Federal Trade Commission. The payment is reported to have been $100,000 in the form of Bitcoin, the criminal recipients of which were asked to enter into a nondisclosure agreement that included a false representation that the hackers did not take or store any data. The two hackers were eventually arrested and prosecuted, and they accepted guilty pleas. Mr. Sullivan is also alleged to have kept information about the hack from the new management team that arrived at Uber in 2017. 

Dave Bittner: Android Headlines reports that Mr. Sullivan's attorneys say the charges are without merit and that any decisions about disclosure were reached collaboratively by the company's leadership as a whole. Himself a former federal prosecutor, Mr. Sullivan is currently chief security officer of Cloudflare. This case is believed to represent the first prosecution of a CSO on charges of concealing a data breach. 

Dave Bittner: The Washington Post reports that the popular fertility app Premom was sharing customer data with three Chinese advertising companies without users' permission or knowledge. Researchers at the International Digital Accountability Council, IDAC, found that Premom was sharing IP and MAC addresses, Android IDs, hardware identifiers, Bluetooth information and geolocation data. IDAC said in a letter to the U.S. Federal Trade Commission, quote, "non-resettable hardware identifiers are personally identifiable information because they are tied to a user's device and it is almost impossible for a user to reset them or erase their digital footprint, thereby allowing companies with this information to infer who the individual users are. Additionally, by sending multiple device identifiers and geolocation data together, third parties can infer who Premom's users are," end quote. 

Dave Bittner: Premom told the Post that it does not currently use two of the advertising companies, and it said on August 6 that it was in the process of removing the third company's access to the app. IDAC confirmed that the data transmissions had ceased after the app was updated on August 7. The researchers note that users who haven't updated the app may still be sharing data. 

Dave Bittner: Researchers at Mitiga identified cryptomining malware embedded in a community Amazon Machine Instance, or AMI, used to spin up an AWS EC2 server. The malware had been running for years on a server owned by a financial institution. The researchers say the incident highlights the risk of using community AMIs, which can be created by anyone and placed in the AWS Marketplace. Threatpost notes that Amazon itself urges caution when deploying community AMIs, saying "you should treat shared AMIs as you would any foreign code that you might consider deploying in your own data center and perform the appropriate due diligence. We recommend that you get an AMI from a trusted source," end quote. Mitiga similarly notes that AMIs provided by trusted vendors on the AWS Marketplace do not present any such risk. 

Dave Bittner: The folks at identity and access management firm LastPass recently released the results of their study looking at the security of remote access, which, of course, has received increased scrutiny since the pandemic. Gerald Beuchelt is CISO at LogMeIn, parent company of LastPass, and he joins us with their findings. 

Gerald Beuchelt: We found that about 96% of all IT decision-makers that we were able to work with found that there is a huge impact of their IAM strategy with the requirement - with the recent requirements to fully support a remote workforce. Pretty much every organization has started to look at their identity and access management strategy across the board and wanted to make sure that they are doing the right things by their employees, but also, obviously, for their own interests as an organization. 

Gerald Beuchelt: I think what's really interesting in this kind of context is that once you start to go into a highly scalable zero trust kind of environment where you're leveraging software as a service, where you're managing remote proxies in order to move forward and really deemphasizing the firewall - the traditional perimeter, the traditional firewall around the organization, it is the identity of the user that interacts with the services that ultimately is the last and best way of defending what is going on and making sure that folks are properly authorized. 

Gerald Beuchelt: So I think what's - what we're seeing here is like the renewed interest - the renewed high interest in optimizing IAM strategy is really born out of the need that the traditional kind of network-based segmentation for users of perimeters - trusted perimeters, et cetera, are really - have crumbled now. It's like they're no longer crumbling. They have crumbled. And we have to adapt to this new situation that we're facing ourselves and that we've been moving to for quite a few years, to be honest with you, now through much strengthened and improved IAM programs. 

Dave Bittner: Now, one of the findings here that caught my eye was that 62% believe multifactor authentication is the most effective way to secure a remote workforce. Two thoughts there. I mean, obviously good that multifactor is on people's minds, but I guess I was a little surprised that the number was that low. 

Gerald Beuchelt: Yes. That's just kind of hard to really get - wrap my head around, like especially since we've seen in other reports that the adoption of multifactor authentication technology in the workplace versus, like, private activity actually lacks, right? So there's less businesses that have enabled MFA versus individuals securing their banking accounts or their other important accounts across the board. 

Gerald Beuchelt: So I think it's just still taking time. The idea that business leaders have not fully embraced MFA is an unfortunate reality at this point in time, and I think it dates back to the days when rolling out MFA was really hard, right? It's like if you think back, it's like setting up, like, a secure ID or something like that. It requires server infrastructure. It requires distribution of physical tokens, et cetera, et cetera. And I think that is still burned into the back of a lot of IT decision-makers' mind that, like, MFA is hard, it's costly, it is not easy to do. 

Gerald Beuchelt: It's like we have now technologies that we offer from LogMeIn, actually, like, that do make it very easy for IT departments, even small ones, to roll out multifactor as a service and, as such, get running very quickly. So I would hope that these types of technologies really are going to be - aggressively being adopted across the industry very soon so that we're getting from 62 to somewhat for the other questions like to close to 100. 

Dave Bittner: Yeah. It strikes me that it's an opportunity to - I don't know - instill a sense of ownership in your users that, you know, you're working from home now. You know, you can't rely on the physical building that you used to come to to be your defensive, you know, framework, that it's - you know, we're relying on you to help us here. I think just from a mindset point of view, that's an opportunity, it seems to me. 

Gerald Beuchelt: I totally agree. It's like - and, like, it goes back to the old bad adage that users are the weakest thing in the chains. Like, I disagree with this wholeheartedly. A badly trained user is probably the weakest link in your chain, but a well-trained user or somebody who is just reasonably aware of what's going on in their world, they're actually your strongest assets that you can have because, ultimately, they know best what is OK and what is not OK. 

Gerald Beuchelt: And starting from that point, I think you really need to structure your overall security program around those kind of, like, educational tasks and making sure that everyone gets the right level of understanding about how their respective work ultimately can affect the overall security posture of the company. Whether it's an end user that really does not have a lot of technical responsibility or background or whether it's somebody who is architecting or managing a large complex environment, having those folks properly enabled and making sure that they understand what kind of expectations we would have for them from a security posture perspective ultimately makes the overall program so much stronger than just relying on traditional kind of controls or centralized teams that are aiming to do everything but really can't due to resource constraints. 

Dave Bittner: That's Gerald Beuchelt from LogMeIn. There's an extended version of our interview available on CyberWire Pro. Check it out on our website, 

Dave Bittner: And I'm pleased to be joined once again by Justin Harvey. He is the global incident response leader at Accenture. Justin, it's always great to have you back. I wanted to check in with you to see how your incident response team have had to adjust the work you're doing since so many of us are working remotely now when it comes to this pandemic. What's going on with you and your team? 

Justin Harvey: Well, luckily, we had a head start because we were already a remote team. So globally, we do have Cyber Fusion centers in D.C. and London and in various other cities around the globe, where our incident responders would occasionally go into. And I'm sure we had some full-time employees there going in and out. But for the most part, our incident response team was already working from home. But that doesn't mean that the industry has all gone to virtually remote incident response. I know that from previously, from before the pandemic, we would go on site probably about 20% to 30% of the time. Of course, that 20% to 30% now has gone to zero. We haven't gone on site anywhere globally since the pandemic began. 

Justin Harvey: But we've seen a huge uptick in ransomware and various other types of attacks over the last few months. It's been a challenge adapting to this not because of our work environment but because we do send equipment out. We have a network sensor, and we have various other system-type tools that we typically send to our clients in the event of an incident. And that's more difficult because previously, we've stockpiled those in our Cyber Fusion centers, and, lo and behold, we don't have anyone at those Cyber Fusion centers. So we do need to ship something, then it takes a little bit longer to get someone into the office. And I think because of that, you know, we've had to make do. We've been more reliant upon the cloud and on virtual machine technologies with our clients. And I think that's actually been turning out pretty positively. 

Dave Bittner: Have you been given any insights on how you might approach things even when the pandemic is over? Does this inform any adjustments that you might make on the other side? 

Justin Harvey: I believe so, yes. There - we're probably looking at moving toward a completely virtual model where we can actually use a supplier that has an imaging facility so if we want to send a network sensor out to the other side of the country, we could just pick up the phone or go on the web and do a virtual order and then have our image burned onto a drive, which then would go into another piece of hardware that this other company would maintain. So I think it's forcing us to address a more layered approach to our supply chain. 

Justin Harvey: I also know that previously, our clients, many times, would have physical war rooms and have everyone there on site for some of the larger investigations. And we've done a few of these major-type operations over the last few months not only in the United States, but in Brazil, in Italy and Germany, particularly around critical infrastructure. And it's been harder on our clients adjusting to a fully remote environment than we have. And I think that's probably easing a little bit now. Everyone's kind of understanding how to work from home and all of the difficulties, like coming off of mute on a... 

Dave Bittner: (Laughter). 

Justin Harvey: ...On a conference call. 

Dave Bittner: Right. Buying good microphones and headphones and all that stuff. 

Justin Harvey: Yeah, I can't tell you how many times I get nailed with that because I've got two mutes, one on my speaker phone... 

Dave Bittner: Right. 

Justin Harvey: ...And one on my Microsoft Teams, and that's - it's a little embarrassing with clients occasionally. But I think that more enterprises are going to be fully remote on IR, and I think it's just going to be part of the new normal, Dave. 

Dave Bittner: All right, well, Justin Harvey, thanks for joining us. 

Justin Harvey: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: If you're looking for something to do over the weekend, be sure to check out "Research Saturday." This week, I speak with Craig Williams from Cisco Talos on adversarial use of current events as lures. That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.