Patch by midnight, and reply by endorsement. Cerberus is howling; Rampant Kitten is yowling. TikTok and WeChat both get reprieves. German police want ransomware operators for homicide.
Dave Bittner: CISA tells the feds to patch Zerologon by midnight tonight. Cerberus surges after its source code is released. Rampant Kitten, an Iranian surveillance operation, is described. The U.S. bans on WeChat and TikTok were both postponed. Justin Harvey from Accenture marks three years since WannaCry with a look at ransomware. Our own Rick Howard on red and blue team operations. And police in Germany are looking for ransomware attackers on a homicide charge.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, September 21, 2020.
Dave Bittner: Late Friday, the U.S. Cybersecurity and Infrastructure Security Agency directed all federal agencies to apply August's patch to Microsoft Windows Server. Emergency Directive 20-04 requires that mitigations of the Zerologon privilege-elevation vulnerability, CVE-2020-1472, which Microsoft addressed in August, be applied by midnight tonight and that all agencies report completion by midnight Wednesday. The directive applies only to federal agencies under CISA's oversight, which is most of them but with certain national security exclusions. As Forbes notes, if the matter is serious enough for CISA to take this action, then the private sector would be wise to do the same.
Dave Bittner: The release of Cerberus source code has, as predicted, been followed by an increase in attacks using the banking Trojan, Kaspersky reports. Apparently, despairing of getting their reserve price in an online auction that didn't work out to their satisfaction and faced with the difficulty of maintaining the malware as the gang broke up, the managers of Cerberus last week released their source code online. Kaspersky said, quote, "The result has been an immediate rise in mobile application infections and attempts to steal money from consumers in Russia and across Europe as more and more cybercriminals acquire the malware for free," end quote. Researchers are seeing the same sort of jump in functionality and usage they observed when Anubis went similarly public last year.
Dave Bittner: Check Point describes what it's seen of Rampant Kitten, an Iranian threat group that's been keeping tabs on that country's dissidents for six years. Rampant Kitten has used four Windows infostealers, an Android backdoor that pulls two-factor authentication codes from SMS messages and records the infected device's audio surroundings and Telegram phishing pages. Rampant Kitten has prospects domestic opponents, but it's taken an even closer interest in certain organized dissident groups in the Iranian diaspora.
Dave Bittner: U.S. bans on transactions involving TikTok on WeChat scheduled to take effect yesterday didn't happen due to, first, eleventh-hour agreements about control over tick tock and, second, to a temporary injunction a federal magistrate issued to keep WeChat running as it has. In outline, according to the Wall Street Journal, the agreement reached Saturday would give Oracle a 12.5% stake in the new company to be called TikTok Global. And Walmart would purchase 7.5% of the venture. That would leave ByteDance with about 80% of TikTok Global. But as it happens, ByteDance is 40% owned by American investors. And the companies hope that this would constitute sufficient U.S. control to allay U.S. security fears. Oracle also intends to provide the new company with secure cloud service for TikTok's data. And Walmart would agree to provide e-commerce, fulfillment, payments and other services to TikTok Global. The agreement that would establish TikTok's American operations as a standalone company with partial U.S. ownership remains under evaluation. And the Commerce Department says the ban has therefore been postponed a week.
Dave Bittner: The Wall Street Journal reports that a U.S. federal magistrate has granted a temporary injunction stopping the government's intention of similarly stopping transactions involving WeChat. A group of the app's users filed an emergency motion seeking to block the government's plans on First Amendment grounds. The government, they argue, has insufficient grounds for blocking their access to the Chinese-made and -operated app and that this constitutes restraint of their freedom of speech. The government has said that it intends to take no action against anyone using WeChat to communicate either personal or business information but that the app's data collection practices represent a threat to national security.
Dave Bittner: Should one or both bans eventually go through, the Chinese government has signaled that U.S. companies are in for some rough treatment of their own. The Washington Post reports that, Saturday, China's Commerce Ministry announced plans for adding some companies to its unreliable entities list. While the ministry didn't specify exactly who would make the list, Chinese state media have for some time been calling for retaliatory bans on Apple and Google - so those two, probably, for starters at least.
Dave Bittner: The sad case last week of a woman who died when ransomware at a Dusseldorf University Hospital required that she be diverted to a hospital some 30 kilometers away and too far to give her the prompt emergency treatment she needed has prompted prosecutors in Nord-Rhein Westfallen to open a criminal inquiry into negligent homicide against unknown persons. Reuters reports that the loss of data so interfered with hospital admissions that it was unable to take patients arriving by ambulance.
Dave Bittner: It's been widely reported that, should charges eventually be filed, it would be the first time a death had been linked to a cyberattack. That depends, of course, on how narrowly one construed the words linked to a cyberattack, since there have certainly been deaths induced by swatting, where a phone call's origins were spoofed. But it is an unfortunate reminder that for all the disinhibition cyberspace tends to produce in those who live and move and have their being there, cyberattacks do have real consequences for real people.
Dave Bittner: Security firm Emsisoft, which has made a reputation providing decryptors to ransomware victims, thinks that the Dusseldorf case ought to put an end to the payment of ransom. One of the objections to paying ransom, however much of a bargain it might be in any particular case for any particular organization, is that doing so fuels a bandit economy and encourages future attacks. The argument parallels one that's long been made against negotiating with terrorists. If payment encourages ransomware gangs and if their attacks are growing in frequency and consequence, then it's time, Emsisoft thinks, to stop feeding the beast. In the meantime, all we can do is offer condolences to the victim's family and friends and to wish the German police good hunting.
Dave Bittner: And I'm joined again by Rick Howard. He is the CyberWire's chief security officer and also our chief analyst. But more importantly than either of those things, he is the host of "CSO Perspectives" over on CyberWire Pro. Rick, it's always great to have you back.
Rick Howard: Thanks for the plug, sir. I appreciate that (laughter).
Dave Bittner: Of course, of course. You know, last week, you and I were discussing the history of pen tests. We were talking about red team and blue team ops and purple teams and all that stuff. This week, you continue that. You take it to the next level. You brought in some experts to your hash table, and you discuss how practitioners handle this stuff in the real world. So what kind of stuff did you find out?
Rick Howard: Yeah, you're right. So if you recall from last week's show, back in the early '70s, the good-guy hackers, these - our white hats, our ethical hackers, you know, we started to use our own skills against our own systems. And, eventually, those exercises became known as penetration tests. These were separate teams. You know, they would attempt to poke holes in the technology deployed to protect the enterprise, right? Now, these weren't trying to emulate any adversaries, OK? They were just trying to find, you know, the unknown open windows and doors. And I was surprised that, you know, when I did the research, that it went back as far as the '70s.
Rick Howard: What I discovered, though, when I was talking to the hash table experts is security experts have different ideas on how to use these teams, and it's on the spectrum of activity. On one end, it's sitting the team somewhere on the internet and telling them to find a way in, any way they can, to - on the completely opposite side of the spectrum - giving the team extremely specific parameters about what they're supposed to do and from where they are supposed to do it. Now, this kind of stuff's been going along for a long time, and for my part, I never thought that former part - you know, kind of willy-nilly, do whatever you want - was that valuable, right? Because, you know, can a pen test find their way in? Of course, they can, OK?
Dave Bittner: (Laughter).
Rick Howard: That's what they get paid to do (laughter).
Dave Bittner: Right, right.
Rick Howard: So I was talking to Rick Doten about this. He is the CISO for Carolina Complete Health. And before he was the CISO, he ran a commercial pen testing. And his clients would ask him to see if the pen test team could get into the client's network. And so this is what they would tell him.
Rick Doten: So when I was a consultant, I would often have customers who'd call and say, hey, I'd like a penetration test just to see if you can get in. And I would always tell them, save your money. Yes, we can. There's no question about it (laughter). You know, it's like - if you have a specific reason that you want us - something to focus on or you just updated a system or you have a new monitoring or you want to test the way that these controls are acting, that would be something. But if it's just a general - can you get in? Yes, we can always get in.
Rick Howard: I think his point is that pen tester activity should not be free-for-alls. OK? They should be highly tailored to test something specific, like, you know, a newly deployed S3 bucket or a change in firewall settings or maybe even newly deployed server farm or something like that.
Dave Bittner: You know, it kind of reminds me of - like, I don't know. If I were testing the security of my home - if I were to go to a pro, if I were to go to a locksmith and say, could you get into my house? Well, of course, a locksmith's going to be able to get into my house, right?
Rick Howard: (Laughter).
Dave Bittner: But I suppose that's different than saying, hey, I want to bring someone in to make sure my alarm system is functioning the way I expect it is.
Rick Howard: Or, yeah, that I am turning it on the correct way - OK? - when I go to bed at night, you know, those kinds of things.
Dave Bittner: Right.
Rick Howard: Right.
Dave Bittner: Right, right. That's really interesting. Well, last week, we ended on a bit of a cliffhanger.
Rick Howard: (Laughter).
Dave Bittner: And it was a little bit up in the air if red team and blue team ops were considered an essential function. Has there been any clarity in the meantime? Have you made up your mind?
Rick Howard: I think I finally have. You know, I was on the fence. And I don't think that red team-blue team operations are essential. They're kind of expensive to do, and I definitely would not pull that lever first. If I was beginning to set up a new infosec program, that's not the first go-to move. But if I am mature and I've put in these other strategies - and we've talked about them on this show, right? It's resilience and zero trust and intrusion kill chains and being able to assess risk in your organization. If you can get all that stuff going and it's relatively mature, then the next lever you might pull is red team-blue team operations. And so they're not essential to your infosec program. I will say, though, that the training opportunity by doing those are pretty decent. You know, you put a brand-new SOC analyst hunting down a red team in real time, there's some real live training going on there. So there may be some benefit there but, again, maybe not essential to any infosec program.
Dave Bittner: All right. Well, check out "CSO Perspectives." That is over on CyberWire Pro on our website, thecyberwire.com. Do check it out. Rick Howard, thanks for joining us.
Rick Howard: Thank you, sir.
Dave Bittner: And joining me once again is Justin Harvey. He's the global incident response leader at Accenture. Justin, it's always great to have you back. You know, we recently passed the third anniversary of WannaCry. I want to check in with you on some of the things that you've been tracking when it comes to ransomware and how it's evolved over the past three years.
Justin Harvey: Sure. Well, the third anniversary of WannaCry was just last month. And I've got to say, WannaCry was a pivotal moment in cybersecurity history, not because of some of the damage that it created - we've seen damage for 10, 15, 20 years - what really was surprising was that WannaCry was going to be the first of many type of destructive attacks. Now, in my experience, I define ransomware as destructive malware because there's really no difference. With destructive malware, you don't have a means to get your data, and with ransomware, you may have a means if you're willing to take that risk.
Justin Harvey: And so with WannaCry creating so much damage three years ago, it really started a cascading of events in ramping up ransomware. I believe that adversaries saw this as an opening for them to exploit victims and get a big payday.
Dave Bittner: And we've seen - I mean, since then, ransomware has sort of expanded their scope of operations to include exfiltrating data to kind of turn up the heat on the folks that they're ransoming.
Justin Harvey: That's exactly right. We at Accenture are seeing a lot of cases. And in fact, since the pandemic started in early March, we have seen over a 50% increase in ransomware cases. And many of them are following the same incident lifecycle. It's the adversaries that are doing a quick phish to get in, get a landing spot, quickly escalate privileges. And they're installing a persistence mechanism like Cobalt Strike.
Justin Harvey: Now, Cobalt Strike is an interesting tool because it is a commercially available tool out there. Primarily, it is intended for use by red teams and friendly offensive security teams. But Cobalt Strike has been adopted by many adversaries out there, even nation-states, as a remote access Trojan. So these adversaries are getting in. They are installing Cobalt Strike, and then they're just kind of listening for a while. They're mapping the environment. They're understanding who's who and where the goods are.
Justin Harvey: And then, of course, once they find the goods, they are encrypting them in place as well as stealing credentials and other data. So they've kind of got a bird in the hand. And the bird in the hand is they're stealing the data first, and then they're extorting. So if they don't get their extortion money - boom - they can already probably monetize the first set of data that they've exfiltrated.
Dave Bittner: And in the time since WannaCry, how has your playbook grown more sophisticated? When you're called out to help an organization who's dealing with ransomware, have things changed over the past couple of years?
Justin Harvey: Yes. We have moved from being primarily an investigation team that's heavily focused on understanding the who, the what, the why and then moving toward expulsion and then transformation. We've moved from that model to quickly triage and help recover an environment because before, the cases that we were running, both cybercriminal and nation-state, it was really a bug hunt. You have an adversary. They are hidden in the environment, and they are mostly passively stealing intellectual property and exfiltrating it.
Justin Harvey: And what we're seeing now is something different. We're seeing a an adversary get in, be quiet, exfiltrate that first set of data. Then, of course, they're doing the extortion. But through this extortion, they're also taking out the entire enterprise. They're taking down active directory. They're taking down applications and databases and things that are necessary to create revenue or to fulfill the obligation of the enterprise. So for us, we are seeing more and more of that. And it's less about, well, whodunit and how do we get them out of the environment? - to how fast can we restore services?
Dave Bittner: It's interesting to me that - you know, I remember it felt like we we might see a shift away from ransomware toward cryptomining for a little while. But that really didn't play out. The cryptomining kind of ran out of steam.
Justin Harvey: Yeah. I think that with these cryptominer adversaries, I think they were primarily looking to make a quick buck off of the new types of cryptocurrencies out there. But I think that they're having a hard time monetizing these quasi-unofficial currencies out there, so it's very difficult for them to make money. And if you're already in an environment, you already have administrative access, why not just put in ransomware rather than do a mining expedition? Now, clearly, mining is less destructive. But it can also take down an environment, as we've seen with a few of our clients over the last two to three years.
Dave Bittner: Yeah. All right. Well, Justin Harvey, thanks for joining us.
Justin Harvey: Thank you.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time, keep you informed, and it'll pick you up when you're feeling down. Listen for us on your Alexa smart speaker, too.
Dave Bittner: Don't forget to check out "The Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha! I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is security intelligence. Every week we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. See you back here tomorrow.