The CyberWire Daily Podcast 1.28.21
Ep 1258 | 1.28.21

Advice on Supernova and encouragement to patch Sudo. NetWalker taken down. Influencers tighten a big short squeeze. And charges are brought in a 2016 case of alleged US voter suppression.


Dave Bittner: Updates from CISA on SUPERNOVA. US Cyber Command recommends patching Sudo quickly. US and Bulgarian authorities take down the NetWalker ransomware-as-a-service operation. Influencers drive a big short-squeeze in the stock market. Thomas Etheridge from CrowdStrike on recovering from a ransomware event. Our guest Zack Schuler from NINJIO examines the security challenges of work-from-anywhere. And another influencer is charged with conspiracy to deprive people of their right to vote.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 28, 2021. 

Dave Bittner: The US Cybersecurity and Infrastructure Security Agency has published updated information on several malicious artifacts affecting the SolarWinds Orion product, which have been identified by the security company FireEye as SUPERNOVA. SUPERNOVA, remember, isn't the malicious backdoor inserted into and propagated through the supply chain of SolarWinds' Orion platform. Rather, as CISA points out, SUPERNOVA is not embedded within the Orion platform as a supply chain attack; rather, it is placed by an attacker directly on a system that hosts SolarWinds Orion and is designed to appear as part of the SolarWinds product. CISA's assessment is that SUPERNOVA is not part of the SolarWinds supply chain attack described in Alert AA20-352A. 

Dave Bittner: Their Malware Analysis Report includes descriptions and indicators of compromise that security teams should find useful. And as usual, CISA concludes its report with a long list of best practices, briefly stated and easily understood. 

Dave Bittner: US Cyber Command strongly recommends that organizations patch the Baron Samedit bug in Sudo, disclosed this week by Qualys researchers. Sudo, to recap, is a widely used - nearly ubiquitous, as Qualys puts it - utility found in Unix and Linux systems. Fixes for Baron Samedit are available, and Cyber Command thinks you should apply them. 

Dave Bittner: A joint US-Bulgarian operation has taken down dark web sites used by the NetWalker ransomware-as-a-service operation. BleepingComputer reports that it's not yet clear whether the FBI or the Bulgarian National Investigation Service recovered decryption keys in the course of their operation. NetWalker's choice of targets was opportunistically reprehensible, even by criminal standards. The ransomware's affiliates hit a lot of health care facilities. 

Dave Bittner: The dark web site taken over in the operation had been used by NetWalker ransomware affiliates, the Department of Justice says, to provide payment instructions and communicate with victims. All that's now gone. Visitors currently find a splash page telling them, this hidden site has been seized. 

Dave Bittner: Bravo, FBI and the National Investigation Service. This will put a crimp in NetWalker for a while. But it's notoriously difficult to drive a stake through the heart of a criminal network. NetWalker may be back, but one hopes it stays down for a good, long time. 

Dave Bittner: The rest of today's stories are tales of trolls, influencers, and the direction of online crowds. 

Dave Bittner: Individual retail investors loosely organized around the Reddit forum WallStreetBets drove shares of brick-and-mortar retailer GameStop very high, CNBC reports, forcing short-sellers to cover their bets at a very dear price. GameStop shares traded at $42.59 last Friday, and that already represented a considerable gain. And they'd reached $469.42 by 10 o'clock this morning and have since fallen off a bit. Some of the coverage manages to make the Wall Street hedge funds caught in the short squeeze sound almost like the Bailey Brothers Building and Loan in Bedford Falls.

Dave Bittner: It's an interesting and unprecedented case in which a large swarm of individual investors, mobilized by influencers and motivated at least as much by lulz and resentment as by the usual fear and greed, show themselves able to move markets. 

Dave Bittner: In the case of GameStop, The Wall Street Journal thinks the episode indicates a power shift in the investment world away from Wall Street and toward Main Street. As the Journal puts it, quote, "war has broken out between professionals losing billions and the individual investors jeering at them on social media," end quote. Social media have now joined passive and quantitative trading among the forces disrupting traditional markets. 

Dave Bittner: So is all this stuff illegal? Probably not, although a lot of big players think it ought to be. A great deal apparently hinges on whether the influencers urging investors on constitute a "group" under Securities and Exchange Commission guidelines. If they do, then they may have a problem. If they don't - that is, if they're a bunch of people woofing public information at each other - then it's hard to see what the legal problem is. But expect a fair amount of lobbying of the new US administration urging that there ought to be a law. 

Dave Bittner: We should say that, in this precise form, this episode is largely unprecedented. From the historical perspective of, oh, the last two-and-a-half weeks or so, other stocks have been spontaneously pumped in social media.

Dave Bittner: The most recent such odd online stampedes happened earlier this month. We've seen one case in which a similar name drove an unrelated stock share's price up. When concerns of the privacy of WhatsApp surfaced, Elon Musk tweeted, "use Signal" - that is, use the other messaging app that's not encumbered by Facebook. This tweet apparently caused the stock of a very surprised Signal Advance to pop into triple-unicorn territory. Signal itself is not a publicly traded company, but that didn't deter enthusiasts from reading "use Signal" not as privacy advice but as a stock pick, and apparently Signal Advance was close enough. 

Dave Bittner: Oh, and just one more thing - a man has been arrested in Florida on charges related to fraudulent attempts at voter suppression. One Douglass Mackey, sometimes going by the nom de influence Ricky Vaughn, an apparent homage to the Charlie Sheen Wild Thing character in the movie "Major League," has been charged with conspiring to deny people the right to vote. 

Dave Bittner: The alleged offenses actually occurred during the 2016 elections. In that year, Mr. Mackey had established a Twitter following of some 58,000 - pretty good. The Department of Justice in its announcement helpfully benchmarks Mr. Mackey's audience against other influencers and says he did better than NBC News, Stephen Colbert and Newt Gingrich. 

Dave Bittner: The prosecutors say that between September and November of 2016, Mr. Mackey, quote, "conspired with others to use social media platforms, including Twitter, to disseminate fraudulent messages designed to encourage supporters of one of the presidential candidates," simply called the candidate in the release, to text their votes in. You can't vote by text. The tweets identified themselves as associated with the candidate's campaign, but obviously, since they were designed to convince likely candidate voters to think they'd voted when, in fact, they hadn't, they were not in the candidate's interest. 

Dave Bittner: NBC News identifies Mr. Mackey as a pro-Trump internet troll. And if they're right, it would seem that candidate would have been the other candidate - the one who wasn't Donald Trump. 

Dave Bittner: If he's convicted of conspiracy, Mr. Mackey could see a sentence of 10 years. And remember, the alleged offense took place in 2016, not 2020. The mills of justice grind slowly. 

Dave Bittner: The global pandemic forced countless organizations to hastily adopt a work-from-home strategy, the better to protect the health and safety of their employees. It's quite likely the largest shift to work-from-home that we've ever seen. And as workers settle into this new reality, it's becoming clear that for many, returning to the office every day no longer holds the appeal it once did. But now that we're at the onset of widespread vaccine distribution and the real possibility of relief, some are predicting that work-from-home could shift to work-from-anywhere. 

Dave Bittner: Zack Schuler is founder and CEO of cyber awareness and education firm NINJIO, who recently published a special report on work-from-anywhere cybersecurity. Zack, welcome to the CyberWire. 

Zack Schuler: Thanks so much for having me. 

Dave Bittner: So let's start with some basic stuff here on this report. First of all, what prompted the creation of the report? 

Zack Schuler: Well, I think it's the fact that, you know, we were looking into the future, and, you know, everybody's working from home now. And we were thinking about, you know, what's life going to look like after the vaccine is widespread and everything else? And we started doing some research. And the research showed that post-COVID, according to a PWT (ph) survey, that almost 90% of executives say they expect many or most of their employees to work remotely at least once per week, and 72% said at least two days per week. And that overall, three-quarters of companies plan to shift some basic employees to remote work on a permanent basis after the pandemic. 

Zack Schuler: And so, you know, we start really thinking about that and what that looks like. And now that people - you know, it's post-COVID - you can go to Starbucks, you can go to the library - there are a whole host of new security threats that now pop up. And so we wanted to get ahead of the game, kind of cancel the word working from home and erupt the word working from anywhere because that's where we see the future. 

Dave Bittner: Is your sense that the security folks are ready for this, or is this shift something that's on their radar, this shift to work-from-anywhere? 

Zack Schuler: I don't think it is. And the reason that I don't think it is is that, you know, every IT individual that I speak with, they're scrambling. They're trying to do more with less. Departments have been downsized due to COVID, and they've had to scramble just to get the working-from-home stuff straightened out. 

Zack Schuler: And so, you know, they're concerned about employees' home networks and what those look like. I honestly don't think the vast majority have had the time to strategically think about what it's going to look like when people start taking their devices all over the place. You know, people that would normally be in the office could now potentially be sitting at a hotel lobby doing their work. I'm just not sure that they've thought about that. 

Dave Bittner: So in your report here, what are some of the recommendations that you presented here for folks? 

Zack Schuler: You know, if you are forced to use public Wi-Fi, I would always go to an authority figure at the place that is delivering the Wi-Fi. Ask them very specifically, what is the SSID that I'm supposed to connect to and what is the password? And so you don't accidentally connect to, you know, the wrong Wi-Fi. 

Zack Schuler: Then, you know, I think imperative is to use a VPN software. You know, whatever is going across the public wire there is encrypted. 

Zack Schuler: You know, next would be, you know, make sure you really look after your physical security and that your devices are kept close to you. Maybe put on protection screens on your laptop that don't allow people to view the screen. Be very careful when, you know, connecting to other foreign devices for printing or scanning or anything of that nature. 

Dave Bittner: Zack Schuler is founder and CEO of cyber awareness and education firm NINJIO. Zack, thanks so much for taking the time for us. 

Zack Schuler: Hey, thanks so much for having me. I really enjoyed it. 

Dave Bittner: And joining me once again is Thomas Etheridge. He's senior vice president for services at CrowdStrike. Tom, it's great to have you back. I wanted to touch base today on what happens when an organization gets hit by ransomware, what the recovery process is like. When you're working with folks, what happens? Can you walk us through what that's like? 

Thomas Etheridge: Sure, absolutely. One of the things that we've been reporting on, and we published a blog on this recently, is the whole recovery process in general needs a little bit of an uplift. The traditional approach of tearing down and rebuilding extensive infrastructure in order to recover from an incident, including a ransomware incident, is a very costly and time-consuming effort. In many cases, organizations do not have a procedure or policy pre-planned for recovering from a ransomware incident. 

Thomas Etheridge: So one of the things we've been talking to organizations about currently is how do you embed intelligence into the recovery process, understanding threat actor tactics and techniques, the type of malware they may be deploying to carry out their financially motivated crimes and how to recover from those incidents. Organizations can be building playbooks in order to respond to that without having to reimage hundreds, let alone thousands of endpoints. 

Dave Bittner: So I suspect - I mean, if you can use that type of approach, you're going to be saving both time and money. 

Thomas Etheridge: Absolutely. The cost associated with reimaging and building from the ground up hundreds or thousands of systems and the impact and disruption that has on business and operations is very, very impactful. One of the things that we've seen from a cost perspective is that the time to reimage and rebuild hundreds, maybe thousands of machines could take months. And the disruption to business and operations is very impactful. 

Thomas Etheridge: We're still, as we reported before, in 68% of the cases we responded to in this year's Front Lines Report, the threat actor has made a second attempt at trying to regain access, infiltrate and/or ransom that organization. So recovery is critical to making sure the right controls are in place and the systems are clean and that the threat actor has been removed from the environment. 

Thomas Etheridge: And when we talk about intelligence-led recovery, we're talking about taking a tactical approach. Using real-time response capabilities to reverse malicious operations, kill bad processes, delete infected files, restoring registry keys to their original settings and removing any and all persistence mechanisms with speed and surgical precision allows for a reduced time to recover from an incident. 

Dave Bittner: Now, do you find that folks are taking the threat of ransomware seriously to the degree that it deserves? Are folks still kind of, you know, whistling past the graveyard, or is this getting the attention it deserves out there? 

Thomas Etheridge: I think it's getting a lot of attention, and I think it's getting the - a lot of attention because it's been such a successful tactic deployed by e-crime threat actors over the past year. We are seeing and talking to a lot of organizations about how they can improve being able to prevent ransomware. We focus in on ensuring they build a bulletproof backup strategy, making sure that organizations have multifactor authentication implemented for their backup systems, keeping a copy of backups offline or on air gap networks and then closely monitoring your backup solution for evidence of data exfiltration. 

Thomas Etheridge: Certainly something we've seen attackers do over the past year is not just look for that critical information within the core infrastructure, but also looking to delete backups before deploying ransomware. So really focusing in on having a solid, bulletproof backup strategy is critical. 

Thomas Etheridge: Multifactor authentication for internet-facing protocols such as RDP and server message blocks, implementing next-gen endpoint protection solutions that take advantage of machine learning and artificial intelligence and looking at your privileged account management solution and making sure that, you know, you're rotating credentials and that you have good visibility into expired accounts and managing your privileged accounts much more effectively - these are things we see customers really focusing on to try to improve their capabilities to defend against a ransomware attack. 

Dave Bittner: All right. Well, Thomas Etheridge, thanks for joining us. 

Thomas Etheridge: Thank you, Dave. 

Dave Bittner: And that's the CyberWire. And by the way, happy Privacy Day. Do you know where your information is? For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Feel like a million. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.