The CyberWire Daily Podcast 8.24.20
Ep 1158 | 8.24.20

Crooks and spies, together again? Hiding ad-fraud malware in an SDK. A turn to the DarkSide.


Dave Bittner: Iranian wannabes successfully use Dharma ransomware against soft targets. SourMint hid an ad-fraud and info-stealing package in an SDK. A former U.S. Army officer and sometime government contractor is charged with working for the GRU. DarkSide ransomware rises as affiliates go into business on their own. Awais Rashid from the University of Bristol on aligning cybersecurity metrics with business goals. Rick Howard talks data loss prevention with members of the Hash Table. And copycat DDoS extortionists pretend to be - who else? - Fancy Bear.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, August 24, 2020. 

Dave Bittner: Group-IB reports that a new and inexperienced group of hackers from Iran are using Dharma ransomware against easily attacked businesses in Russia, India, China and Japan. They're greeners, in Group-IB's description, and BleepingComputer calls them low-skilled, using commodity tools and well-worn approaches, but they've been successful nonetheless. They use Masscan to look for organizations with internet-facing RDP and weak credentials. Again, Group-IB thinks they're a collection of noobs buying ransomware as a service to grab the easy pickings indifferently protected enterprises offer even noobs, grifters and skids. 

Dave Bittner: The group's emergence is noteworthy, Group-IB thinks, because it suggests that Iran - like other aggressive cyber powers - now harbors an underworld of financially motivated cybercriminals. Russian cyber gangs have long operated at the sufferance and under the close scrutiny of the security services. Chinese government hackers are widely believed to be allowed to moonlight with some cybercrime after the factory whistle blows, but this is a relatively new development for Iran. 

Dave Bittner: Snyk has identified malicious code in the Mintegral software development kit, an SDK, widely used by applications in Apple's App Store. The SourMint malware is adapted to ad fraud and data collection. 

Dave Bittner: Mintegral is a mobile advertising platform based in China. Developers sign up as publishers and download the SDK from Mintegral. The SDK injects code into standard iOS functions within the application it's used to develop. The malicious code executes when the application opens a URL. At that point, the malware has access to what Snyk describes as a significant amount of data and even potentially private user information. 

Dave Bittner: SourMint includes various anti-debugging protections that Snyk believes are designed to cloak the application's behavior. This evasiveness may have helped the SDK pass Apple's review process without being flagged. 

Dave Bittner: A former U.S. Army officer, Peter Rafael Dzibinski Debbins, has been charged with conspiracy to gather or deliver defensive information to aid a foreign government. The indictment alleges that Mr. Debbins worked for Russia's GRU between 1997 and 2011. After leaving the Army in 2011, Mr. Debbins worked for several government contractors, The Washington Post reports, but the indictment is confined to his period of military service. 

Dave Bittner: The very detailed indictment suggests that a lot of sources contributed to the investigation, and the Justice Department's press release makes a point of thanking the United Kingdom's Metropolitan Police and MI5. 

Dave Bittner: Mr. Debbins, who is of course entitled to the presumption of innocence, allegedly first contacted Russian intelligence services while he was still an undergraduate at the University of Minnesota, two years before he was commissioned. He's also alleged to have traveled to Russia several times, to have been in and out of hot water for security issues while on active duty with the U.S. Army and to have married a Russian citizen - hometown Chelyabinsk of meteor fireball fame - whose father was a Russian officer. 

Dave Bittner: Unless there's been some long-running attention to and exploitation of Mr. Debbins by U.S. counterintelligence and intelligence organizations, one wonders what one would have to do to attract a security manager's attention. Fire flares and holler, "I'm working for the GRU," through a bullhorn? Allegedly, of course. 

Dave Bittner: And here's some research by press release. A cyber gang that says it's composed of former affiliates who've already made a pile through extortion has announced that it's now working its own strain of ransomware, which it calls DarkSide. According to BleepingComputer, the gang's press release says, quote, "We are a new product on the market, but that does not mean that we have no experience and we came from nowhere. We received millions of dollars' profit by partnering with other well-known cryptolockers. We created DarkSide because we couldn't find the perfect product for us. Now we have it," end quote. 

Dave Bittner: So there you go. It's like an ad announcing a new brand of razors. We always appreciate a good shave and wish we could find the right blades - and so on. 

Dave Bittner: The DarkSide gang says it won't hit health care organizations, specifically hospitals or hospices, schools or universities, not-for-profits and government organizations. This, they say, is an expression of their principles, but unless those principles are self-interest and calculation of criminal marketing, one is reluctantly moved to skepticism. Forbes reminds its readers that Maze and Doppelpaymer made similar promises back in the early days of the pandemic, but those really didn't stand the test of time. 

Dave Bittner: There's more. They say they select their victims with discrimination and price their extortion demands accordingly. They want their targets able to pay, not bankrupt or defiant. They promise to provide a fully effective decryptor upon payment and also to destroy the data they've taken. As is now the norm with ransomware, DarkSide steals data before encrypting them. We take our reputation very seriously, say the hoods. And if they're paid in full, you can count on them. All guarantees will be fulfilled. The gang has been active for a couple of weeks, and they appear to have secured at least one million-dollar score. 

Dave Bittner: And, finally, remember those scareware screens that used to pop up from time to time, telling you that the FBI was on to you and that you could settle the matter by paying your fine right now, cash on the virtual barrelhead? There's a new name in this low-grade grift. It's occurred to someone that since Fancy Bear is in the news, why not go with that? 

Dave Bittner: Anyhoo, security firms Akamai and Link11 independently report that, since mid-August, these characters are sending extortion emails with subject lines like, DDoS attacks on your network, coming from - guess who? - Fancy Bear herself. Akamai, who called the crooks copycats, says they've also impersonated the Armada Collective. 

Dave Bittner: Unlike the we're-from-the-FBI stuff, which was best simply ignored, there does appear to be some risk of an actual denial-of-service attack. So be on your guard, accordingly. But Fancy Bear? Not likely. 

Dave Bittner: And joining me once again is Rick Howard. He is the CyberWire's chief analyst, also our chief security officer. Rick, always great to have you back. 

Rick Howard: Thank you, sir. 

Dave Bittner: You have another episode of your "CSO Perspectives" podcast, and this time you're talking about data loss prevention again, but you've brought a bunch of CISOs to the Hash Table this week, going to be talking about data loss prevention and, I guess, going to be talking about a lot of tools? 

Rick Howard: Yeah. Well, you know, when you ever talk about DLP - which is the big acronym. It's for those in the know, Dave. So, you know, when we talk about it... 


Dave Bittner: Right. Yeah. Exactly. All the cool kids are using them, yeah. 

Rick Howard: Yeah, all the cool kids, right? So tools obviously came up. And what we discovered is that the typical vendor-supplied DLP tool, you kind of get these features, all right? Rule-based matching like, you know, looking for Social Security numbers, as network traffic traverses your networks. So Social Security numbers or PII - things like that. You get fingerprinting or looking for user-supplied structured data. So if you have something specific in your organization, you tell the tool what to look for, and it finds it. You get file-name matching - OK? - which is anything you might think is material to the business. You can give it actual names. All right? 

Dave Bittner: (Laughter) Here's the spreadsheet with our payroll. 

Rick Howard: That's right. 

Dave Bittner: Yeah. 

Rick Howard: With our super-secret recipe for a Coke recipe, right? 

Dave Bittner: Right. OK. Yeah, yeah, yeah. 

Rick Howard: Got it? And more and more machine learning to identify unknown sensitive data. And for what they do, they're pretty good at the traditional perimeter protection like, you know, web traffic and email. But check your vendor before you buy 'cause - make sure they cover your other data islands like SaaS and hybrid cloud deployments and even your employees' devices, both company-provided and personal. 

Dave Bittner: Well, OK, so what part do things like encryption play in this, things like that and deception - those kinds of things? 

Rick Howard: We did talk about those tools, and the consensus was that most people think that encryption is the most important, but what the CISOs brought to the Hash Table was - they don't solve all of your data loss problems, but for your material data, it's probably the most effective. And then for deception, the commercial market has definitely made it easier to deploy these kinds of things. But all of our CISOs this week said that they would not tackle deception as a key plank in their infosec program until they got a handle on some of the more important strategies, like intrusion kill chains and zero trust and resilience. The one tool that popped up that I wasn't aware of before is something called UEBA tools or user and entity behavioral analytics. Have you heard of that before? 

Dave Bittner: Go on. 

Rick Howard: (Laughter) Well, I'm not smart enough to explain it. 

Dave Bittner: (Laughter). 

Rick Howard: So here's Dawn Cappelli - she's the Rockwell Automation CISO - explaining what these tools do. 

Dawn Cappelli: So UEBA is user and entity behavioral analytics. Basically, it's a tool that you can bring in diverse data sources and integrate them together, sort of on the order of a SIEM, but it's people-based or entity-based. So you can go in to Dawn Cappelli and look at all of my activity from all of these various logs, and you can bring in contextual data about the person or about the organization. So, for instance, if my termination date - if I have a termination date set, that greatly increases my insider risk. And so the risk models, once they see a termination date set, it increases my risk score, especially if there's any suspicious activity associated with me. You also can build watch lists. If you have something happening in your organization, like a reduction in force, you can integrate that into those risk models. So it's a very comprehensive technology for an insider risk program. 

Dave Bittner: All right. Well, that is interesting indeed. So what happens from the vendor's point of view? How are they delivering these sorts of things? 

Rick Howard: Well, like other security services, you can get these UEBA - and I slowed down to say that acronym - either on-prem devices or from SaaS providers. But what's interesting is the market for UEBA tools has been shifting these past few years. More and more, you're starting to see the functionality of UEBA end up in SIEM vendors, which I think is interesting. 

Dave Bittner: What are the implications of that? 

Rick Howard: It just means that for something we thought was going to be a, you know, standalone tool, the bigger tools - like SIEMs and I'm guessing you're going to see it pop up in SOAR also, right? - that it's just going to be sucked up into those bigger platforms as a feature and not just a point product that you buy. 

Dave Bittner: All right, interesting stuff. Well, you can check out the entire episode of "CSO Perspectives." Head on over to Rick Howard, thanks for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: And I'm pleased to be joined once again by Professor Awais Rashid. He's a professor of cybersecurity at Bristol University. Awais, it's great to have you back. You know, it seems to me like quite often there's a little bit of tension between cybersecurity and the goals of a business, you know? You want to have as little friction as possible, but things need to be secure as well. What are your thoughts on that? 

Awais Rashid: So, you know, there is the old cliche that, you know, the security investment - if there are no attacks, then does that mean that you were not going to face any attacks anyway or that the security investment actually made sure that those attacks couldn't take place? So the key challenge with regards to security tends to be the investment in security is not always visible in terms of business benefit. So while a regular product can make the case that, you know, this will, for example, bring in an investment and that product will bring in a tenfold increase in revenue, that is not something that security has been able to do. 

Awais Rashid: I think the other challenge comes from the fact that a lot of the security metrics that we use are very, very low-level. So we often talk about, you know, sort of for example the number of viruses detected, the number of, you know, potential malicious scans and things like that. And when we are talking about security for an organization, they don't always easily translate into those kind of top-level strategic goals and how do they relate to them. So, for example, you know, if you had 1,000 viruses detected, what does that mean overall in terms of business strategy and business goals? And I think one of the key things is that work needs to be done to try and understand what the overall business objectives are and how they relate to particular security actions that an organization might be taking and then how do those things actually translate into those low-level metrics. 

Dave Bittner: Well, and isn't that something that is really the responsibility of the security team, of being able to translate all of that into language that the business leaders can understand? 

Awais Rashid: Yes and no. So yes, there is the responsibility of the security team, but one of the things that we always say to - with regard to risk management and, you know, the sort of thing we teach in risk management 101 nowadays - is that, you know, cybersecurity risk should be a board-level concern, right? And as a result, I think it's very important for boards to think about the problem in a strategic fashion and actually highlighting as to what they are trying to achieve with regards to their cybersecurity posture, what is the level of risk that is acceptable, what kind of risks they are trying to mitigate. 

Awais Rashid: And then, of course, it's - part of the job of the cybersecurity team is to actually implement those strategic directions, but then also be able to then feed back as to how the metrics that they collect align with those strategic-level goals. So I think the key here is that this is a two-way relationship. So there has to be a top-down strategy setting from all the way from the board level to the C-suite down to the security team and actually throughout an organization and its culture. But then there has to be systematic ways of actually collecting that information and reporting back towards those strategic goals as to whether those strategic goals are being met and whether the risks that the organization was trying to mitigate are being effectively mitigated. 

Dave Bittner: All right. Well, Professor Awais Rashid, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. And it'll keep your hair nice and shiny. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.