The CyberWire Daily Podcast 10.16.20
Ep 1195 | 10.16.20

Misdirection and redirection. Content moderation, influence operations, and Section 230. Money-laundering gang taken down. And no wolves in Nova Scotia.

Transcript

Dave Bittner: Hey, everybody. Dave here. Are you one of those people that skips ads in podcasts? Of course, we like the ads because we have a lot of great sponsors and they help keep the lights on and great content coming to you every day. But we've got great news for the ad skippers among you. A CyberWire Pro subscription now gives you access to all your favorite CyberWire podcasts ad-free. That's right - ad-free. And you can still listen to them on your favorite apps. Visit thecyberwire.com/pro to subscribe and go ad-free and get all the other great benefits of a Pro subscription, too. That's thecyberwire.com/pro.

Dave Bittner: Phishing through redirector domains. Content moderation, influence operations and Section 230. A Twitter outage is due to an error. QQAAZZ money laundering gang members have been indicted. Johannes Ullrich tracks Mirai bots going after Amanda backups. Our guest is Richard Hummel from NETSCOUT with research on cybersecurity trends and forecasts and some ruminations about range safety for cyber exercises. 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire Summary for Friday, October 16, 2020. 

Dave Bittner: Researchers at security firm GreatHorn report that a massive phishing campaign is propagating to a significant extent through open redirector domains. They say it's a comprehensive and multipronged attack with multiple hosting services and web servers being used to host fraudulent Office 365 login pages. Malicious links delivered via phishing emails to regular users worldwide are bypassing their email providers' native security controls. The attackers, whom GreatHorn think represent a single group, are after two things - corporate email credential theft and malware installation that could serve to prepare further attacks. 

Dave Bittner: Twitter takes a second run at clarity and enumerates its reasons for blocking the New York Post story on what purport to be emails from Hunter Biden's laptop. Specifically, the story violated two of Twitter's standing policies against, first, posting another person's personal and confidential data and, second, distributing information obtained by hacking. The policy doesn't prohibit, Twitter says, discussion or commentary about such material, just distribution of the material itself. In the meantime, NBC News reports that the FBI is investigating whether the Post's sources can be traced to placement by a foreign intelligence service. The Washington Post says the intelligence community has considered the possibility of such a Russian operation for some time. Social platforms' content moderation policies remain as controversial as the content those policies seek to moderate. The Wall Street Journal writes that the U.S. Senate Judiciary Committee is opening an inquiry into the matter, and the U.S. Federal Communications Commission announced its intention of moving forward with a rulemaking on Section 230 of the Communications Decency Act.

Dave Bittner: In other unrelated Twitter news, the social medium says a widespread outage yesterday was due to an inadvertent change Twitter made to its internal systems, not an attack. Service was restored later in the day. 

Dave Bittner: The U.S. Department of Justice announced yesterday that it had indicted 14 members of QQAAZZ. We're just going to go with that pronunciation since it's spelled Q-Q-A-A-Z-Z. So your guess is as good as mine. It's an international money laundering gang that makes its principal home in Russophone criminal sites. The accused are from Bulgaria, Latvia, Georgia and Romania. The operation that took down QQAAZZ was, as such operations usually are, an international one, with raids conducted across Europe. QQAAZZ, which was among the gangs involved in serving Dridex and Trickbot operators, was rolled up as police followed the trail of what CyberScoop calls one of its "more flamboyant operators" - one Maksim Boiko, whom you may recall being arrested with $20,000 in cash as he transited through the airport in Miami. Mr. Boiko took a not-guilty plea in a U.S. court back in May. For their work on the case, the U.S. Department of Justice thanks Europol and national police agencies in Portugal, Spain, the U.K., Latvia, Bulgaria, Georgia, Italy, Switzerland, Poland, the Czech Republic, Australia, Sweden, Austria, Germany and Belgium. Should Mr. Boiko, by the way, be acquitted, he has a career waiting for him. He's a rapper, they say, and goes by the stage name and hacker name gangass, which our linguistics desk says sounds better in Russian than it does in English.

Dave Bittner: And finally - what? What's that? Wolf, wolf. No, honest - gray wolf, gray wolf, gray wolf. All right, not really. There are no wolves. Whatever you may have heard from the Halifax Rifles, no wolves have been released in Nova Scotia. It's all a misunderstanding, apparently deriving from a misfiring live-fire information operations training exercise. Here's what happened, according to the Ottawa Citizen. Nova Scotia residents received a letter - snail mail - that looked as if it were from the province's Department of Lands and Forestry, Wildlife Division. The letter apprised them of progress in a gray wolf reintroduction program. Wolves had been released into the neighborhood and were now on the prowl, as wolves are wont to be on the prowl, around the Annapolis Valley. And that's when people heard wolves howling. But no, no wolves. What happened was this - the aforementioned Halifax Rifles, a reserve regiment that traces its lineage back to the Empire Loyalist side of the War of 1812, was conducting an information operations exercise. They'd forged the letter from the Department of Lands and Forestry and then used a loudspeaker to broadcast what Count Dracula would have called the sweet music of the children of the night. So, success - people were spooked. Lock up the house pets, and, Katie, bar the door.

Dave Bittner: The Department of National Defence spokesman, Dan Le Bouthillier, says it was a mistake. The Halifax Rifles were conducting an information operations training exercise. And the letter wasn't meant to actually be mailed to anyone. And he added - we paraphrase - who the heck knows where that loudspeaker came from? The whole thing was a big snafu. And the embarrassed department is investigating how the weekend warriors' enthusiasm got the better of them. Various woofing over Twitter called the whole thing a propaganda "live fire" exercise. That got us thinking. And so we asked our own range safety desk how such things ought to be managed. 

Dave Bittner: The desk told us, along with a lot of other stuff we really didn't need to know, that you always want to confine the effects of live fire to the range itself. So, they explained at length, a Rheinmetall 120-millimeter smoothbore tank main gun has a 20-kilometer ricochet fan, which means that a depleted uranium penetrator can hit the ground and bounce into the next county. That's fine if you've got plenty of room in a comfortable place like Fort Irwin's north corridor. But in the more intimate confines of, say, oh, I don't know, Fort Meade, heaven forfend, that would be no bueno. So thanks to our range safety desk. But here's the point - when you're conducting influence exercises or other cybersecurity training, are you taking steps to confine the effects to the training area? There's a reason, after all, that a lot of these things are called tabletop exercises. And what goes on atop the table should stay on top of the table. Check the ricochet fans for your hacks, friends.

Dave Bittner: My guest today is Richard Hummel, manager of threat research at Arbor Networks, the security division of NETSCOUT. He brings details from their new research report on cybersecurity trends and forecasts. 

Richard Hummel: So this is our fifth edition of the Threat Intelligence Report. And we've been doing this specifically to bring what we're seeing in the threat landscape as it pertains to DDoS. We want to generate some awareness for what's actually happening, how adversaries are changing their tactics, what they're doing attack-wise, vector types, the different complexity that they're adding to things, how many attacks, what countries and regions are being targeted? Are there global trends? Do we see vertical industry targets? What does it look like year over year? I mean, that's basically what we do - is we walk through all of the high-level statistics. I've got some very specific stats I'll pull out for you, as well as some changes in different metrics that we are incorporating that we've never done before, and then why this should matter to individuals.

Dave Bittner: Well, let's dig into some of your findings here. I mean, what are some of the things that caught your eye? 

Richard Hummel: Sure. So predominantly this report focuses on the pandemic time period. And that necessarily happens because things changed radically, things that we didn't expect to change. And when we first started looking at this year-over-year report, we anticipated, you know, January, February timeframe, we're like, oh, this is going to be business as usual. So January and February are typically low months, which they were again this year. And so when we first started looking at this at the beginning of the year, we're like, all right, this is going to be how it is. But then the pandemic happened and that radically changed how we live and breathe. Starting in mid-March, we saw massive increases in the number of attacks.

Richard Hummel: In fact, if you fast-forward a couple of months to May, we saw 929,000 DDoS attacks in a single month. That's the largest we've ever seen in a one-month period of time. And so even though we experienced this kind of peak, the hockey stick never really went back down. It maybe fluctuated a little bit, but it feels like we're at the kind of new baseline right now as things are in their current form. And that really leads into this new metric that we're putting forward, what we're calling the DDoS attack coefficient. And what we wanted to do is we wanted to summarize what the impact of this DDoS attack traffic is having across the internet for any given organization, a region, a country, a vertical.

Richard Hummel: And then from there, the final theme here is the complexity. We're seeing radical changes in the way that attackers are actually launching these things. It used to be that I pick a protocol. This is the one I want to exploit, so I'm going to launch an attack. It's going to use that protocol. And that's it. Right? Memcached was a good example of this - a single protocol that launched a 1.7 terabit-per-second attack. However, we're not seeing those single vectors being as potent as they used to be. That's not to say they don't exist. They still very much do.

Richard Hummel: But if you look at some of the metrics that we have here, attacks utilizing 15 or more vectors - and when I say a vector, I'm referring to a very specific protocol or a type of attack, so that could be NTP, it could be ARMS, it could be DNS, so on and so forth. And so we're seeing attacks leveraging 15 or more of these in a single attack. Since 2012, we saw an almost 3,000% increase in their usage. And then for single vectors, year over year, we saw a 43% decrease. Now, 43% doesn't seem like a lot when you're comparing it to nearly 3,000. But the nearly 3,000 is talking about tens, if not hundreds of thousands, whereas the single vectors, we're talking about millions. So a 43% decrease is fairly significant for getting rid of those less sophisticated attacks.

Richard Hummel: And so those are a lot of the really key highlights here. So you have people exploiting the pandemic. You have this impact that everybody pays for. And then you have that complexity factor thrown into the midst of that, and you're presented with a very real DDoS problem. 

Dave Bittner: So who's making the money here? Is it the folks who are providing the DDoS-ing, you know, as a service? I hire them to go after the gaming company or my rival or something like that. 

Richard Hummel: It's a little bit of both. Right? So it's going to be the actual operators as well as those that are paying for the service. Let's think about it from a gamer's perspective. And let's just say I'm part of some esports underground and a lot is relying on a particular match that I'm in. Now, a lot of these times these matches are super high-speed internet access. The latency is, like, nonexistent. And so every single little glitch or hang-up or anything can cost the match for somebody. And there's millions of dollars riding on some of these matches. And so if I can launch a DDoS attack to disrupt my adversary for even a 30-second window, I can throw that match and win the money.

Richard Hummel: So you have these individuals that are actually participating in this or maybe people betting on those participants that are launching these attacks. And so you have that person who stands to gain a lot of money. Plus, you also have the booter, stresser or DDoS-for-hire services that are making money as a result. And so you have both of these parties that have a vested interest in making sure that they take networks down. And so that's kind of where that is. And the motivation, really, for launching these DDoS attacks doesn't always have to be monetarily focused. Yes, that's a predominant reason, but you also have geopolitical reasons. You have hacktivist reasons. You have people that just like to cause chaos. And so there's a lot of different motivations behind these, even though often it tracks back to some type of monetary or financial gain.

Dave Bittner: That's Richard Hummel from NETSCOUT. There's more to this interview. You can check it out over on our website, thecyberwire.com, in the CyberWire Pro section.

Dave Bittner: And joining me once again is Johannes Ullrich. He's the dean of research at the SANS Technology Institute, also the host of the ISC "StormCast" podcast. Johannes, it's always great to have you back - got some interesting stuff to talk about today. You and your team have been looking at some interesting developments when it comes to the Mirai botnet. What are you tracking here? 

Johannes Ullrich: Yeah. I mean, Mirai botnet is sort of one of those, you know, botnets that keeps on giving for the last four years now. I think it was about August, four years ago or so when it came out. And one thing we actually spotted in some recent samples is some references to Amanda backup. If you're not familiar with Amanda, it stands for - actually, well, something up from your neck of the woods - the Advanced Maryland Automatic Network Driver Archiver.

Dave Bittner: (Laughter). 

Johannes Ullrich: I think they came up with the acronym first, but (laughter)... 

Dave Bittner: I see. OK (laughter). 

Johannes Ullrich: ...But it's a very popular, mostly Linux backup system. I think there are some Windows clients as well. And apparently what's happening here is that these Mirai variants start looking for these Amanda clients, so essentially some kind of lateral movement or - we haven't really quite figured out yet what they're trying to do here. But they're definitely looking - after they attack essentially your gateway - that's what they're usually going for - they're looking for this Amanda backup system inside your network.

Dave Bittner: And what do you suppose they're after there? I mean, what are the possibilities? 

Johannes Ullrich: Well, a backup is, of course, always a great target. And just like they get into the initial firewall, you know, going sort of after these home routers and such, they're probably expecting the same big password being used in these Amanda clients. And once you have access to an organization's backups, well, you got everything, you know? You don't need to hack the actual systems anymore. You can now delete those backups. So that would be great, like, you know, for ransomware, for example. And there have been some indications that some Mirai variants kind of mutate that way. It could also just be to exfiltrate the data. Once I exfiltrate your backups, again, I don't really need to exfiltrate anything else. I got everything I need. 

Dave Bittner: Is it likely that folks may be keeping a more casual eye on their backups than their primary data? Could that be in play here? 

Johannes Ullrich: That's certainly in play. And, of course, you know, you are getting past a lot of the permission issues once you go after backups. Your backup system always has to have access to all of your files. So it's running as an administrator, as root, instead of just hacking one particular account, then having to contend with all of the limitations of that account. Once you have access to backups, you have access to all the files, and permissions don't really matter that much anymore. And I think another lesson we sort of learned from some of these ransomware cases is that people don't watch their backups, you know? (Laughter) In some cases, they don't know that they don't have some because they thought they were running.

Dave Bittner: Right. 

Johannes Ullrich: But so these systems are set up once and then people sort of tend to forget about it. 

Dave Bittner: Yeah. No, it's a lesson hard learned sometimes. So what are your recommendations here for folks to be on the lookout for this? 

Johannes Ullrich: Well, definitely bring about how these backups are authenticating. Now, backups are so important these days with everybody worrying about ransomware. And that's sort of your last line of defense when it comes to ransomware. And, of course, a lot of the disaster recovery and such always hinges on backups. So definitely make sure that, first of all, they're working, and then how are your backup systems authenticating? How is that backup server authenticating when it connects to clients or vice versa, to download backups, to upload backups? Depending on the system you're using, all of them have some form of authentication. Try to make - create unique passwords for each workstation, if that's possible. Try to use random keys, you know, not just the same simple password for everything. 

Dave Bittner: All right. Johannes Ullrich, thanks for joining us. 

Johannes Ullrich: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro to save you time, keep you informed. And it keeps going and going and going. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: Be sure to check out Research Saturday this weekend and my conversation with Liviu Arsene from Bitdefender. We're talking about APT hackers for hire used for industrial espionage. That's Research Saturday. Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. See you back here next week.