The CyberWire Daily Podcast 10.5.20
Ep 1187 | 10.5.20

Maritime shipping hacks remind observers of NotPetya. Spyware through the firmware. New ransomware strain. Huawei in Europe. Go ahead, Lefty, give ‘em your fingerprints.


Dave Bittner: Attacks on maritime shipping organizations raise concerns about global supply chains. Someone's pushing spyware through firmware. Someone else is messing with the heads of TrickBot's masters. A new ransomware, Egregor, shows again that a ransomware attack amounts to a data breach. Huawei may be losing ground in Europe. Mike Benjamin from Lumen on DDoS ransoms, Scott Algeier from IT-ISAC looks back on 20 years of information sharing, and criminals give their fingerprints to police virtually.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, October 5, 2020. 

Dave Bittner: Shipping company CMA CGM continues to work through the Ragnar Locker ransomware attack that hit its business systems a week ago, gCaptain reports. While CMA CGM has in public statements said that it continues to move cargo and that it's working to restore the affected IT systems to resume fully normal operations, the shipper's recovery is still apparently far from complete. This morning, CMA CGM's site offered the following updates - quote, "We have decided to temporarily suspend all access to our e-commerce websites to protect our customers. All communications to and from the CMA CGM group are secure, including emails, transmitted files and electronic data interchange. Maritime and port activities are fully operational. We are providing alternative and temporary processes for your bookings and are committed to processing them as quickly as possible," end quote. 

Dave Bittner: Some in the industry, notably in Australia, have complained of hack-related bottlenecks, particularly where administrative downtime affects scheduling. In severity and potential impact, the incident is being compared by Bloomberg and others to Maersk's 2017 NotPetya infestation. Bloomberg also takes note of Thursday's disclosure by the International Maritime Organization that its own systems had been disrupted as marking a new phase of maritime trade's vulnerability to hacking. The IMO and CMA CGM attacks are probably unrelated, the timing coincidental, and neither affects safety of navigation. But they are being taken as a warning of how global trade and the supply chains that depend on it, so much of which is seaborne, have become susceptible to disruption. 

Dave Bittner: Kaspersky researchers report, according to WIRED, that spyware leaked from the now-defunct and controversial-when-active lawful intercept shop Hacking Team has turned up in malware being run by Chinese-speaking threat actors. The malware they're deploying is also unusual in that it alters its targets' Unified Extensible Firmware Interface. Installation in the UEFI renders this attack harder to detect and eradicate than more conventional malware. 

Dave Bittner: The malware currently in circulation is said to be based on VectorEDK, whose code was obtained from Hacking Team in 2015 by Phineas Phisher and leaked online along with a great deal of other company information. VectorEDK has since been repurposed to drop spyware Kaspersky calls MosaicRegressor as its payload in targeted machines. VectorEDK was originally designed to be installed by someone with physical access to the targeted device, but Kaspersky is unsure how it's currently being installed. The connection the researchers draw between the code and a Chinese group is, so far, principally linguistic, although even that evidence retains a degree of ambiguity. But there's other evidence, notably in phishbait and command-and-control servers, that points to APT41, a group generally believed to work for China's Ministry of State Security. 

Dave Bittner: KrebsOnSecurity describes, with credit to researchers at security intelligence shop Intel 471, a campaign designed to disrupt TrickBot. On September 22 and again on October 1, someone sent bogus configuration files to TrickBot-infected devices, effectively disrupting the botnet's command and control. Who's responsible is unknown. Disgruntled insider, competing criminal gang, law enforcement or intelligence agencies or vigilantes are all possibilities. TrickBot is closely associated with the gang that runs Ryuk ransomware. The effect of the disruption, Krebs says, seems, for the most part, to have been to enrage the hoods as they chatter in their markets, which many of them are woofing their intent of upping their ransom demands and so forth. The story is still developing. Who's messing with TrickBot remains to be seen. 

Dave Bittner: Appgate Labs have analyzed a new strain of ransomware, Egregor. The researchers think it looks like a Sekhmet spinoff, and they note that Egregor has been following the recent, now-routine ransomware trend of stealing information before it's encrypted, the better to yield leverage over the victim and diversify the illicit revenue stream. We'll, unfortunately, probably hear more of Egregor in the near future. 

Dave Bittner: The Wall Street Journal sees the international mood shifting against Huawei as Germany moves toward restricting the Shenzhen company's participation in its 5G infrastructure. Other European nations are also shying away from Huawei. Sky News summarizes a report from the U.K.'s Huawei Oversight Group to the effect that GCHQ had discovered what it characterized as nationally significant vulnerabilities in Huawei kit. Nikkei Asia reports that Greece is also joining the anti-Huawei camp. If it's true that all politics is local, it might be equally said that all conflict is regional. Greece is apparently motivated by tensions with its inveterate rival Turkey to move closer to the U.S. in its own security policies. 

Dave Bittner: And finally, Forbes calls a Darktrace reminiscence of a hacker it once tracked as exposing "the world's dumbest hacker." Back in 2018, Darktrace was monitoring an attempt to gain access to a luxury goods company. The attackers had gained the ability to exploit a fingerprint scanner, and so far, so good, from the crooks' point of view, at least. But then it occurred to the criminal masterminds that what they should do to gain access was upload their own fingerprints to the database the scanning system used while deleting other legitimate fingerprints. Darktrace AI, of course, noticed the changes. Good idea, peeps - give the cops your fingerprints. Not all online criminals are Lex Luthor or Professor Moriarty, are they? 

Dave Bittner: It has been reported by many - and on this one, I have to agree personally - that since the pandemic started, many people's sense of time has been distorted. It's not uncommon to see someone quip on Twitter that, man, last week was the longest month of my life. It is in that context that Scott Algeier joins us. He's executive director of the IT-ISAC, and they are marking 20 years of information sharing. In the cyberworld, that is a long time, and it's an achievement worth celebrating. 

Scott Algeier: The concepts of the ISACs - information sharing and analysis centers - originated back in the late '90s, the PDD 63 with President Clinton. And the idea was we wanted a way for the critical infrastructure owners and operators to share threat information with each other, both from a cyber perspective as well as physical security. And the whole concept back then was that the critical infrastructures are owned and operated by the private sector, but there's a national security component to securing them as well. There's a - it's important for the government, from a national security perspective, that they be secure. 

Scott Algeier: So the concept was to figure out a way to get industry and government to share information with each other, and the way to do this was to set up industry-specific forms for private sector information sharing and then connect those forms to government organizations. And since then, the information sharing community has grown. Back in 2000, there were two or three information sharing organizations, and now there are some 26 organizations that belong just to the National Council of ISACs. And there are probably dozens of more information sharing organizations throughout the country that are operating independently and on their own. 

Dave Bittner: Where do you suppose we're headed? What's the future of ISACs? 

Scott Algeier: Well, I think with - the future of the ISACs, there's a couple of things. No. 1 is we need to continue to help make sense of the information we're providing for members. Right? So I think the ISACs will continue to focus on information sharing, but I think we're seeing more and more of the ISACs diverting resources to the analysis component, helping members make sense of what's being shared, helping to prioritize the information. 

Scott Algeier: I think the other area where the ISACs are working for - or looking to enhance their capabilities is this collaboration, which also helps with the analysis. Right? So one of the things we're talking about within the IT-ISAC is there's - a lot of our member companies are monitoring some of the same actors, which is great. But is there a way that we can free up some resources by having some other member companies take other actors? Right? So let's monitor other actors and then bring the analysis from those actors into the larger ISAC community. So instead of having the - you know, multiple companies focus on the same actors, there's a way that we can spread out the analytical resources and the analytical capacity where we can look at more actors and then share the analysis from that member company or across the other members within the ISACs. 

Dave Bittner: That's Scott Algeier from the IT-ISAC. 

Dave Bittner: And joining me once again is Mike Benjamin. He's the head of Black Lotus Labs, which used to be under the company known as CenturyLink. But Mike, there's been a name change there. Before we dig into today's topic, can you give us a quick little update there? 

Mike Benjamin: Yeah, absolutely. So on September 14, the company is now changing its name to Lumen Technologies. And it's really an acknowledgement of all the technology we've been working so hard on for the last 10 years to help our customers with networks and compute and security and talking a bit more about where we're going to take that technology platform to the future and to help our customers build their technology and really deal with this new world of data analytics and robotics. It's really an exciting place to bring our technology to our customers. 

Dave Bittner: All right. So CenturyLink is now Lumen. Well, I hope the transition goes well. Our topic for today is DDoS ransoms. So that's an interesting combination of a couple of things there. What can you tell us about that? 

Mike Benjamin: Yeah. So I think everybody is familiar with ransomware. And, you know, a general concept is they take away your files and then demand money to get it back. So in the DDoS ransom space, the threat is they're going to take away your internet connection. Now, in some cases, they will knock it offline for a couple minutes as a warning shot to prove that you should pay the ransom. And other times, it's no more than just an email saying, pay us some money, and then we'll do it. And so it varies in sophistication. But the general premise is we're going to knock you off the internet if you don't give us some amount of money. 

Dave Bittner: And what sort of ransom notes are they sending out here? How menacing are they being? 

Mike Benjamin: So this has been going on for a number of years, and they vary in level of sophistication. The latest wave that we've seen uses two names that they've used for a while. They use the names Armada Collective and Fancy Bear - now, the latter obviously referencing a nation-state actor group from Russia. We don't have any reason to believe they're actually associated with the Russian government. They just like the name... 

Dave Bittner: (Laughter). 

Mike Benjamin: ...It sounds menacing, like you said. So the notes, on the more sophisticated side, will be delivered in line with an actual attack, and they will actually list components of the potential victim infrastructure and say we are going to attack you at these exact places, thus sharing that they've done their homework, they know about the organization and that there's a real reason to have fear. On the low end of sophistication side, they'll reuse Bitcoin wallets, they'll list nothing, and they'll just spam email out. 

Mike Benjamin: So it does vary in terms of how much homework the actors do. But when they do attack, we've seen attacks of over 100 gigabit. So their attacks here in the last few weeks have not been nothing. Of course, in many cases, 100 gigabit can be absorbed by the right protections in place. But for those that don't have mitigations in place, that's a lot of traffic and can absolutely impact infrastructure. 

Dave Bittner: If you find yourself receiving, you know, one of these warnings, one of these threats, I mean, is this the kind of thing where you could go and order yourself up some DDoS mitigation? 

Mike Benjamin: Yeah, absolutely. Especially at volumes of 100 gigabit, DDoS mitigation will take care of that. It's also important to note the actual attack types they're using are UDP reflection and amplification. So for those that aren't familiar, effectively, they spoof the origin of a packet to, say, an open NTP server. And when the NTP server responds, it responds with a larger data volume than the request, thus amplifying their request data. And they send it to the where the spoofed packet says it came from, which is really the victim. And so they bounce it off there. 

Mike Benjamin: And now, the nice part from a DDoS mitigation perspective is a lot of these protocols aren't widely used by companies or even home users. SSDP is not widely used across the land of the internet. Even NTP, where it is widely used, it's OK if you filter it for a few minutes, in general, while an attack's going on. The one that gets kind of sticky is DNS, where you really do need DNS to, you know, do your day-to-day browsing or run your business. So when they use DNS, it gets a little more difficult. But there's relatively easy ways in order to stop a UDP-based DNS attack by forcing (ph) it to flip to TCP and other stateful things where spoofing is no longer an option. 

Dave Bittner: So what are your recommendations here? If I get a ransom note like this in my inbox, what should my course of action be? 

Mike Benjamin: Well, the question we always get asked is, should you pay? And so I will give my opinion for a moment here, which is no. 

Dave Bittner: (Laughter). 

Mike Benjamin: It's - the recommendation here is - in the security market, everybody here is trying to raise the cost of an actor being successful. We want to make it harder. Therefore, they can be successful less often, and less people will enter that trade. And so by paying them, we're doing - we're going the wrong direction, so to speak, in regards to raising the cost for an actor. 

Mike Benjamin: And so the other thing to keep in mind is if you followed the ransomware market, they've become rather sophisticated with their customer service and their predictability to payments. They've almost become a business. Now, I again don't recommend paying in the ransomware space. But with the right ransomware actor, you do have a certain predictability to the fact that you're going to get your files back. In this space, the DDoS actors are in a position where, generally, they're not really knocking people offline. A lot of times, they don't even follow up on their threats. And so there's even less of a reason to make that payment. 

Mike Benjamin: So really, what my suggestion would be, make sure you understand how you're protected, make sure that things are either in highly distributed environments where attacking them is difficult or that there is a DDoS mitigation of some sort in front of that asset that can't be highly distributed, and work with other people in the industry to help find who these folks are and let's lessen their ability to make those attacks happen. 

Dave Bittner: All right - good advice there. Mike Benjamin, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Plus, there are two scoops of raisins in every box. Listen for us on your Alexa smart speak, too. 

Dave Bittner: Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha! I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.