Emotet takedown. Solorigate updates (and President Biden tells President Putin he’d like him to knock it off). Vulnerabilities and threats discovered and described.
Dave Bittner: Europol leads an international public-private takedown of Emotet. Four security companies describe their brushes with the compromised SolarWinds Orion supply chain. Solorigate is one of the issues US President Biden raised on his first phone call with Russian President Putin. New vulnerabilities and threats are described. Our guest, Michael Hamilton of CI Security, questions how realistic CISA's latest guidance on agency forensics may be. Joe Carrigan looks at bad guys taking advantage of Google Forms. And the internet is back in business on the US East Coast.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, January 27, 2021.
Dave Bittner: Europol this morning announced a takedown of Emotet. A cooperative operation in which Europol and Eurojust acted in concert with authorities in the Netherlands, Germany, the United States, the UK, France, Lithuania, Canada, and Ukraine took control of Emotet's infrastructure earlier this week.
Dave Bittner: Ukraine's Cyber Police say that steps have been taken to detain persons suspected of running Emotet. And so by this time, some arrests are either imminent or accomplished.
Dave Bittner: Emotet has bounced back before, so it would be premature to call it as dead as Al Capone, but the operation will at least bring some respite from the malware. Team Cymru, one of the security companies that assisted with the takedown, emailed us some comments on this week's operation - quote, "it's important to note that only time will tell how long-lasting the takedown will be. The law enforcement, security vendor and network operator communities will continue to track, monitor and collaborate in the continuous effort to defend against these ever-evolving threats," end quote.
Dave Bittner: That's a good counsel of prudence, and organizations would do well to keep their guard up. Still, any respite is welcome, and there's a good chance some of the perpetrators will be brought to justice. So bravo, Europol and all of your international public and private-sector partners.
Dave Bittner: Those interested in whether their email address was among those found in Emotet's haul may consult a database the Dutch police have made available.
Dave Bittner: The known extent of Solorigate continues to expand. Four security firms - Mimecast, Palo Alto Networks, Qualys and Fidelis - have acknowledged that they had installed Trojanized versions of SolarWinds' Orion application. Some of the disclosure was prompted by NETRESEC's report Monday that identified 23 targets of what most observers regard as a Russian cyber-espionage campaign.
Dave Bittner: Of all of the compromises, Mimecast seems the most worrisome, although it also seems to have been contained. The company said that a certificate it had issued turned out to have been compromised but that its customers have been warned and provided new keys, the former, compromised connection keys now having been disabled.
Dave Bittner: Palo Alto Networks noticed suspicious behavior on two servers last autumn, stopped it and retrospectively connected that behavior with the SolarWinds campaign.
Dave Bittner: ZDNet reports that Qualys says that only an isolated test system was affected. Fidelis also said that a test system had downloaded a Trojanized version of Orion but that the company is still investigating the possibility that there may have been some further compromise.
Dave Bittner: On Tuesday, US President Biden made his first official call to Russian President Putin. Defense One reports that President Biden brought up Russian complicity in Solorigate. Russian statements characterize the call as open and businesslike. The Wall Street Journal quotes Russian sources as emphasizing President Putin's interest in normalizing ties between the two countries. Russia has categorically denied any involvement in Solorigate, and Moscow didn't mention it in their public statements about the chat between the two heads of state.
Dave Bittner: There are several new reports of vulnerabilities or malicious activity. To take the vulnerability first, security firm Qualys warns of a heap overflow vulnerability they've found in the widely used Unix and Linux utility Sudo. They've given it the voodoo-inspired name of Baron Samedit in an apparent allusion to Baron Samedi, the loa of the dead, only giving their baron vulnerability a final "t" in its name.
Dave Bittner: The Sudo utility allows users to run programs with the security privileges of another user. Qualys has concluded that Baron Samedit has been hiding in plain sight for a number of years. Qualys disclosed their discovery to Sudo's author and open source distributors before making it public, and fixes should be available. Qualys recommends patching as soon as possible.
Dave Bittner: Researchers at RiskIQ describe a phishing kit they're calling LogoKit, which they assess as having been developed and deployed with an eye to simplicity of deployment and range of targeting. They've found some 700 sites hosting LogoKit over the past 30 days.
Dave Bittner: LogoKit's simplicity is said to make it easy for criminals to compromise sites. RiskIQ describes its operation as follows - quote, "a victim is sent a specially crafted URL containing their email address. Once a victim navigates to the URL, LogoKit fetches the company logo from a third-party service, such as Clearbit or Google's favicon database. The victim email is also autofilled into the email or username field, tricking victims into feeling like they have previously logged into the site. Should a victim enter their password, LogoKit performs an Ajax request, sending the target's email and password to an external source and, finally, redirecting the user to their corporate website," end quote.
Dave Bittner: Late yesterday, Proofpoint announced that its researchers had found a new version of DanaBot active in the wild. DanaBot is a modular malware that's been traded in the criminal-to-criminal underground market since 2018, but whose usage fell off last summer. Now, it's returning. The banking malware seems now bent on regaining lost market share.
Dave Bittner: AT&T Alien Labs has been tracking the TeamTNT threat actor, and they've found that the group is now using a new detection evasion tool that they've evidently copied from open source repositories.
Dave Bittner: TeamTNT is best known for its cryptojacking. They're now using the libprocesshider tool to hide from process information programs. Alien Labs thinks it would be worth a security team's while to keep an eye out for libprocesshider and to regard it as an indication that TeamTNT may be active in their systems.
Dave Bittner: And finally, if you're on the US East Coast, did you notice some connectivity issues yesterday? We did. Verizon experienced an outage that disrupted internet connectivity in the Northeastern US for a couple of hours yesterday, The Verge and others report. Service was substantially restored yesterday afternoon. The cause remains under investigation, but not every outage is a cyberattack. This one, according to WRAL, seems to have been an issue, not an attack.
Dave Bittner: In the aftermath of the SolarWinds Orion software breach, CISA gave marching orders to federal agencies requiring that they conduct a forensic analysis by the end of the month. Michael Hamilton is former vice chair for the DHS Coordinating Council, former CISO of Seattle and currently CISO of incident response firm CI Security. I spoke with him about whether or not CISA's guidance is realistic.
Michael Hamilton: Well, the SolarWinds events, which I guess we'll just call it that - as the covers are peeled back from that, we're finding that there are more and more compromised pieces of software that are used in federal agencies and there have been multiple tools used to gain persistence that are outside the initial compromise. And so it's going to take a bit of a deep cleaning, you know? Some of the recommendations that we all saw - you know, you need to nuke from orbit and start over, you know?
Dave Bittner: (Laughter) Right, right.
Michael Hamilton: Well, short of that, you know, which is going to be an expensive and lengthy undertaking.
Dave Bittner: Well, so the Cybersecurity Infrastructure and Security Agency sent out some guidance for these organizations. And one of the things that they've given them is a deadline to do what they call a forensic analysis. What are your thoughts on that?
Michael Hamilton: Well, if their definition of forensic analysis is the same as mine, I just don't see any way that they can complete a body of work like that by the deadline that they set. The human resources required to do that and the technology footprint required to do that is substantial.
Michael Hamilton: So, you know, the federal government has a lot of resources, you know, and they can go out and hire contractors to do this, but let's remember, even the contractors, all of these resources are in such short supply. And I can tell you with a good deal of authority that, you know, based on what's happening here in my company, the phone's ringing off the hook with incidents that need to be cleaned up. And so the practitioners that do this kind of work are in even shorter supply right now.
Michael Hamilton: So, you know, it's - I won't say it's impossible. I will say that there's maybe a definitional difference. You know, when they're talking about doing forensics, they may be talking about going through and searching deeply for indicators of compromise. I don't think they mean creating legally defensible forensic images that are moved around with chain of custody paperwork and then exposed to a deep forensic analysis. I just don't think they mean that because if they do, there is no chance they will get this done by the end of the month.
Dave Bittner: How would you come at this? I mean, what are your thoughts on a practical, possible way to come at a problem like this?
Michael Hamilton: Well, I think what they're doing is the right thing. Again, you know, definitionally, we're not entirely sure what they mean there. But while they go through a process of - let's just call it deep cleaning, and there's a variety of ways to do that all the way from scanning with a tool that's not the same as your regular endpoint security tool to see if there's something that it missed, you know, all the way to, you know, flatten and reimage.
Michael Hamilton: So while that process is going on - because that is the process - implementing compensating controls around the network to make sure that, for example, if your preventive controls lapsed and let this in the environment, your detective controls you're monitoring should be way tuned up to make sure that any aberrational behavior, especially aberrational behaviors that map to known behavior of these, you know, pieces of malware - that needs to get tooled way up as they go through this process so they have not only a way to do this deep cleaning, but a way in the interim to be watching the network to make sure that they can identify anything that starts to look weird and then focus on that, prioritize that. So that would be the way I would go about it.
Dave Bittner: That's Michael Hamilton from CI Security.
Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the "Hacking Humans" podcast. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: Interesting story from the folks over at Proofpoint. They did some research that they published on their blog. It's titled "BEC Target Selection Using Google Forms." Some interesting stuff going on here. What can you describe for us here, Joe?
Joe Carrigan: It is interesting, Dave. It's - actually, this ties in nicely with the - last week's episode of "Hacking Humans," where we had our guest talking about this exact same kind of thing.
Joe Carrigan: These - the folks at Proofpoint have found a campaign where people are using Gmail and Google Forms in tandem. And they're using these to bypass their email security content filters based on keywords.
Joe Carrigan: And what they do is they send emails in. And what's interesting is they're not sending emails from a spoofed name. They're just - it's just the email address in the name. It doesn't have any name associated with it like you can do with a Gmail address. But they're putting that name, the name of the C-level suite of the target organization, in the subject line, right? And then it's a typical, almost like a gift card scam, the way it's opening up with a very short thing - hey, I'm going into a meeting, and I need your help, right? And that's...
Dave Bittner: Oh, OK.
Joe Carrigan: ...The end of the discussion. But the idea is to get people to respond back to that. And then they send a link to a form. It's a Google Form. And it's just an empty form. There's nothing set up on it. And they're trying to get people to interact and say - maybe even submit the form, the empty form, as it is.
Joe Carrigan: And Proofpoint is speculating that the reason these actors are doing this is because they're trying to select who they're going to send business email compromise phishing emails to so they can get their credentials. Because if I send you an email impersonating someone from your C-suite and it's not from a recognized email address - I don't even spoof the person's name; I just put it in the subject line - and you click on the Form link I send you and you fill out a blank form, you're probably a prime candidate for clicking on links in emails.
Dave Bittner: Right, right.
Joe Carrigan: Right?
Dave Bittner: Right.
Joe Carrigan: I mean, this is a really astute observation, I think. And what's interesting is they're using these existing services to get around all the filters that are out there. There are filters that these companies pay thousands of dollars a year to use, and this just bypasses all of them.
Dave Bittner: Because everything here is coming from Google...
Joe Carrigan: Right.
Dave Bittner: ...Who is a legit entity.
Joe Carrigan: Yep, absolutely.
Dave Bittner: Now, when you go to the Google Form, is that how - can they tell that it was you that went to the Google Form? Is that how they're tracing it back to you?
Joe Carrigan: You know, I don't know. I'm not a Google Forms user. I mean, I could be. I have a Google account. But I did some quick research, and I can't find a definitive answer that says, yes, you can tell that this person went to the form or loaded the form. But you can certainly tell when they submit the form. You can get that information from them.
Dave Bittner: I see.
Joe Carrigan: If you go through the trouble of building a form for each person that you send an email to, then you can easily tie those two together - the form submission and the email address - no problem.
Dave Bittner: Yeah.
Joe Carrigan: You can put images on the form. If you can put an image on the form, you can track that image using another web service.
Dave Bittner: Sure, sure. Yeah, it's interesting how these are - more and more, they're multitiered, you know?
Joe Carrigan: Yes.
Dave Bittner: You've got to put some - the first level of bait out there to see who's susceptible to that. And then once we get that group of people...
Joe Carrigan: Right.
Dave Bittner: ...Who have proven themselves susceptible to this first level, then we will - then we know who to really spend our time, attention and resources on.
Joe Carrigan: Exactly. This is very much like the Nigerian prince scams, right? The Nigerian prince scams are ridiculous and far-fetched, and as well as the benefactor scams. There are a lot of scams out there that are just so ridiculous and far-fetched that - they're engineered to be that way so that the people that respond to them are the people that are more likely to be susceptible to believing it and you can lead them along.
Joe Carrigan: In other words - I don't want to use the word dumb, right? But if you're the kind of person that responds to an email from a Nigerian prince, you're also the kind of person who sends money to someone you don't know, right?
Dave Bittner: Right, right.
Joe Carrigan: There's a higher probability of that.
Dave Bittner: Right.
Joe Carrigan: So this is the same kind of research. These guys are honing their craft. And you and I have watched this evolve over the past - what? - six years, seven years. But these guys are part of the sales organization. I like to make the business analogy 'cause these operations are run like businesses, and these guys are taking - these are the lead generation. These guys are taking the vast list of emails from a company, and they're condensing it down to the people who are most likely to respond to the next step in the sales chain.
Dave Bittner: Yeah.
Joe Carrigan: And they're going to pass that information on to the next group of people.
Dave Bittner: Yeah, yeah. Well, again, it's an interesting bit of research here from the folks over at Proofpoint. So if you want to get the details, you can head over to their website and check out the blog there. Yeah, interesting development, for sure. All right, well, Joe Carrigan, thanks for joining us.
Joe Carrigan: It's my pleasure, Dave.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Sock it to me. Listen for us on your Alexa smart speaker, too.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.