The CyberWire Daily Podcast 3.24.21
Ep 1296 | 3.24.21

Trends in phishbait. Ransomware exploits vulnerable Exchange Servers. Purple Fox develops worm capabilities. Attacks on industrial production. Third-party risk. What’s on your mind, crooks?


Dave Bittner: COVID-themed phishbait has shifted to vaccines. Notes on the ransomware exploiting vulnerable Exchange Servers. Purple Fox gets wormy. Sierra Wireless halts operations to remediate a ransomware incident. Notes on ICS vulnerabilities. More victims of third-party risk. Joe Carrigan looks at SMS security issues. Our guest is Ron Brash from Verve Industrial with takeaways from their 2020 ICS vulnerabilities report. And what are the cybercriminals thinking?

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, March 24, 2021. 

Dave Bittner: Palo Alto Networks' Unit 42 this morning released a report describing the ways in which cybercriminals are taking advantage of the COVID-19 pandemic. The nature of the phishbait has shifted over the course of the pandemic. It began with come-ons for testing kits and personal protection equipment, moved on to government stimulus and relief programs, and now, in what one hopes is a sign of an approaching endgame, it's shifted to vaccine availability. 

Dave Bittner: Their reliance on hurrying the victims with a sense of urgency is a familiar social engineering tactic. As the report says, quote, "we found that at each step along the way, attackers have continued to change their chosen tactics to adapt to the latest pandemic trends in hopes that maintaining a timely sense of urgency will make it more likely for victims to give up their credentials," end quote. The criminals are now exploiting confusion and concern over vaccine availability and vaccination scheduling. As is so often the case, much of the phishing is angling for the victims' credentials. 

Dave Bittner: Along with some specific recommendations for defense, Unit 42's general advice is, individuals should continue to exercise caution when viewing any emails or websites claiming to sell any goods or services or provide any benefits related to COVID-19. If it seems too good to be true, it most likely is. Employees in the health care industry in particular should view links contained in any incoming emails with suspicion, especially from emails trying to convey a sense of urgency. 

Dave Bittner: DearCry and Black Kingdom ransomware continue to be deployed against vulnerable Microsoft Exchange Servers, but the execution is slovenly, suggesting that even for criminals, haste makes waste. 

Dave Bittner: WIRED notes that DearCry's relative lack of sophistication renders it a less dangerous threat. It's a bare-bones operation, pretty retro by today's prevailing ransomware standards - no command-and-control server and no automated countdown timers. It uses, instead, old-school human interaction to hustle its marks. It lacks obfuscation, and it even engages in some self-jamming, encrypting files that make it difficult or even impossible for the victim to operate their computer, even if the victim wants to pay the ransomware. 

Dave Bittner: So the DearCry hoods seem to have been better at jumping aboard the vulnerabilities exposed and exploited by Hafnium than they were at writing good - by which we mean bad - ransomware. 

Dave Bittner: Still, there's a risk associated with DearCry, and it's also the case that the operators could learn and evolve their tools into more effective forms. That's already happened with another ransomware strain. 

Dave Bittner: The operators of Black Kingdom ransomware, first seen active last summer, have also taken note of the opportunity unpatched Exchange Servers present criminals. The Record reports that Black Kingdom's kickoff of its own operations against Exchange Servers was also, in some respects, sloppy. They'd failed to encrypt victims' files. By yesterday, however, Black Kingdom had rectified their mistake, Sophos reports. 

Dave Bittner: Guardicore describes Purple Fox, an active malware campaign targeting Windows machines. It's backed by an extensive infrastructure and it includes a rootkit with worm capabilities. Guardicore wrote, quote, "throughout our research, we have observed an infrastructure that appears to be made out of a hodgepodge of vulnerable and exploited servers hosting the initial payload of the malware - infected machines, which are serving as nodes of those constantly worming campaigns, and server infrastructure that appears to be related to other malware campaigns," end quote. 

Dave Bittner: In a Form 6-K filed yesterday with the Securities and Exchange Commission, Sierra Wireless disclosed that on March 20, it discovered a ransomware attack that led it to suspend manufacturing. The company believes only internal systems were hit, with customer-facing products and services unaffected. 

Dave Bittner: For its part, Honeywell, which had also suspended operations after sustaining an unspecified cyberattack, announced yesterday that it had resumed normal operations. CyberScoop says that Honeywell has remained tight-lipped about the incident. It's not known, for example, whether the attack the company sustained involved ransomware. 

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency yesterday released six advisories on industrial control systems. Claroty published its own research on one of those advisories, the one affecting Ovarro TBox, which the researchers believe illustrates the risks of connecting unprotected control systems to the internet. Such unprotected control systems are readily discoverable through Shodan searches. 

Dave Bittner: Federal News Network reports that the third-party breach that affected AFCEA this week has also affected another organization that used the compromised Spargo conference registration software. The U.S. Geospatial Intelligence Foundation has also notified individuals whose data may have been compromised in the incident. 

Dave Bittner: And finally, suppose you were a criminal working in cyberspace - not that you are or would ever be, of course, but just suppose. You'd want to avoid getting caught, right? Sure you would. 

Dave Bittner: Anyhoo, in the spirit of jailhouse lawyering and age-old traditions of master-apprentice mentoring, cybercriminals are offering advice to one another about how to avoid getting collared. The security firm Digital Shadows - and we hasten to add that they're the good guys here, not the crooks - says it got interested in how the underworld views its relations with law enforcement. Do they worry about being arrested? Does the prospect of getting caught deter them? 

Dave Bittner: Digital Shadows snooped its way through various online underworld communities and found a lot of chatter about the importance of separating your criminal, online identity from your in-real-life, physical, personal, kinetic identity - the identity that brings home beer for example, that will take a shower every now and then. A lot of that discussion seems folkloric as opposed to technical. 

Dave Bittner: The crooks also advise each other to be cautious in their dealings. You can't have friends in the darknet, one representative comment said. That's tough because, of course, most crime involves some sort of collaboration, but cooperation with other crooks also brings risk, a "Catch-22," Digital Shadows observes. 

Dave Bittner: A theme in Russophone circles is to avoid hitting victims in the near abroad - that is, in former Soviet Republics. Go after the British and the Americans and you're jake, but mess with the near abroad, and especially with the Russians, and you'll wind up in the slammer. This advice has been tempered recently by the Ukrainian authorities' recent arrest and prosecution of criminals who thought they enjoyed a degree of immunity. 

Dave Bittner: And once you've embarked on your life of crime, forget about foreign travel, except maybe to places that don't have a lot of extradition treaties in place. That's a downer for vacation plans because, after all, there's only so much to do in Transnistria. 

Dave Bittner: There's other advice on what to do when the cops show up, what to expect from prosecutors and what the realities of prison life might be. The hoods have a lot of worries. 

Dave Bittner: So, fellow youths, the best advice is to stay in school and stay on the straight and narrow. If you don't, you'll break your mother's heart. 

Dave Bittner: Verve Industrial are providers of OT and ICS security services, and they recently published their "ICS Advisory Report." Ron Brash is director of security insights at Verve Industrial. 

Ron Brash: These advisory reports are a bit table stakes, I think, in the industry nowadays. I think every vendor and their grandmother is producing one. But why we chose to do it and to do it in a slightly different way is I came from an embedded systems engineering background. And one of the reasons that we wrote it and we wrote it the way we did was we don't believe that, you know, CVs and CVSS scores and all that stuff are perfect, and they're definitely not perfect in OT. So what we wanted to do is to look at the advisories and add more nuance to the discussion, right? 

Ron Brash: For example, you know, we had 200 - there was actually slightly more, but we honed it in a bit. But it was 248 advisories in 2020, which was up something like 50% from the year before. But we wanted to talk about it in a different way, right? 

Ron Brash: You know, when - how do you identify that an advisory's referring to third-party code or supply chain problems? How do you talk about all those other devices that are - that don't have advisories but should have advisories? How do you talk about it from multiple perspectives? You know, there's the asset-owner perspective, then there's the cybersecurity professional, if you will, and then there's just, this year looking at it, which vendor might be better than another or not. So there's multiple perspectives there, and we tried to put all that into something cohesive. And I think it turned out pretty good. 

Dave Bittner: Well, let's go through some of the details together. I mean, what are some of the things from the report that stood out to you? 

Ron Brash: Well, interestingly enough, if you look at just the sheer number of advisories, 36 both in - the ones that I just identified on initial analysis, 36 out of the 248 were supply-chain-related, and that number coincides with 2019 by sheer fluke. Now, again, this is a thumb-in-the-wind strategy that stood out to me because of those 30 supply-chain-related vulnerabilities in products or those advisories, there - that accounted for something like 17% or 18% of all of the vulnerabilities out there. 

Ron Brash: And for me, that was the main point that we were trying to make across is, you know, you thought SolarWinds was bad. Well, wait till you start looking at software bill of materials and stuff like that, which will be part of the solution. But that was probably one of the most surprising things there. 

Dave Bittner: Is there a general - I don't know - lack of visibility when it comes to ICS security? 

Ron Brash: Well, yes - yes and no. I think there's a lot of awareness on vulnerabilities these days because cybersecurity is an uroboros, a snake eating its own tail, right? So you have multiple agendas competing for marketing FUD (ph) and, you know, generating all sorts of awareness for their own purposes - right? - 'cause it increases their bottom line. That's not what we try to do at Verve, and that's - the company is not like that, and I'm not like that. 

Ron Brash: But for right or wrong, there has been increased visibility on these things because of things like the Treck IP Stack or URGENT/11. We call those - or even like Heartbleed, for example, if you look at the IT world problems. Those are what we call branded vulnerability families. And often, they have very overreaching claims, but - well, fortunately and unfortunately. Fortunately, they get to the boards of large companies, which means that there's awareness at the top of the company, which is good. Nobody was doing that before. Same with ransomware. 

Ron Brash: But the bad is that it's - determining whether or not those vulnerabilities are in products is a very, very nuanced discussion. For example, I always say - I always quote this, is, the presence of a vulnerability does not mean exploitability. So there's awareness at the top levels of organizations, but when it comes to knowing what's inside of your products and then what to do about them, we're really off the mark there. 

Dave Bittner: That's Ron Brash from Verve Industrial. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host on the "Hacking Humans" podcast. Hey, Joe. Good to have you back. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We had this article come by from Vice, written by Joseph Cox. And this is titled "A Hacker Got All My Texts for $16." This one's been making the rounds, and I wanted to check in with you on it. I mean, this is the kind of thing that we talk about over on "Hacking Humans," these potential issues with SMS. So what - describe to us what's going on here, and give us your take. 

Joe Carrigan: So anybody who's been a longtime listener to this show has heard me talk many times about multifactor authentication and how you should use multifactor authentication and the most secure form that you can wherever you can use it. 

Dave Bittner: Right. 

Joe Carrigan: Unfortunately, the most common form of multifactor authentication is also the least secure - at least the most common form that I found in my experience, right? 

Dave Bittner: Yeah. 

Joe Carrigan: And that is authentication via SMS message. And there are a number of issues with it. You can be the victim of a SIM swapping attack, which is where someone calls into your mobile provider and assigns your account to a new SIM, which is the little device in your phone that identifies your phone to the telephone network. 

Dave Bittner: Right. 

Joe Carrigan: They can also use it for social engineering - or via social engineering, they can get the code out of you, which is also something that is true with other, like, pre-shared keys, pre-shared secret keys. But this new attack actually doesn't require a lot of that. We don't really know if it's a new attack, actually. 

Dave Bittner: Right. 

Joe Carrigan: That's one of the things this article says is this has been a capability for a very long time. 

Dave Bittner: Right. 

Joe Carrigan: And what Joseph Cox is talking about is, for $16, you can sign up with a company for a new - this service that allows text messages to be redirected to a new location. And they ask you to fill out this letter of authorization, right? But in order to fill out the letter of authorization, there's really not a lot of security checks on it. They just - you can put in fake information, and this company that this hacker who called himself Lucky225, who is - who works with a company called Okey Systems, was able to do this for, you know, buying a prepaid plan for $16 a month. And he was able to transfer all the texts that came from Joseph's providers to him. And Joseph got no notification of this. 

Dave Bittner: Yes. 

Joe Carrigan: There was no authorization. There was no, first let me send a text to your existing phone... 

Dave Bittner: Right (laughter). 

Joe Carrigan: ...And let me make sure this is OK with you. 

Dave Bittner: Right. 

Joe Carrigan: Right? There was none of that. It was just like... 

Dave Bittner: Yeah. 

Joe Carrigan: ...OK, we started sending it. And the phone was still connected to the T-Mobile network, which is really scary. So this is just another attack on this SMS - this two-factor authentication. 

Dave Bittner: Yeah. 

Joe Carrigan: Now, of course, the question comes that everybody's going to ask, and ask me in particular 'cause I'm still an advocate for this, should I continue to use SMS multifactor authentication? And I still say yes if that's the best that you can get from the institution you're dealing with or from the website you're dealing with. 

Dave Bittner: Right. 

Joe Carrigan: If they offer anything else, now is the time to move on, (laughter) right? 

Dave Bittner: Yeah, right. 

Joe Carrigan: But... 

Dave Bittner: So it's way better than nothing. 

Joe Carrigan: Right. 

Dave Bittner: But there are things that are way better than it. 

Joe Carrigan: Right, exactly. Exactly. 

Dave Bittner: Yeah. 

Joe Carrigan: And it's going to be way better than nothing, especially with this attack, because there is a cost associated with this attack. So this attack is not scalable - right? - like credential stuffing is scalable. I can take a million credentials and try them on a million websites, and I can automate that... 

Dave Bittner: Right, right. 

Joe Carrigan: ...To do that. But I can't go out and perform this attack on a million people without $16 million, which... 

Dave Bittner: Right, right, right. 

Joe Carrigan: ...I may not be willing to spend. I'm sure I can do it for less, actually. 

Dave Bittner: Yeah. 

Joe Carrigan: But there's some limit to this. There's got to be some limit to this as well with the companies that allow - that provide these kind of services. 

Dave Bittner: Yeah. And the company who's mentioned in this article, as Joseph Cox points out, you know, they say that they've cracked down on this, which since it was pointed out to them, they've... 

Joe Carrigan: Right. 

Dave Bittner: ...Made it more difficult to do, so that's good. But the article also points out they're not the only company who does this, so... 

Joe Carrigan: Right. And there are some companies I get the feeling out there that might be doing this with a wink and a nod, right? Yeah, we get it. 

Dave Bittner: Right. 

Joe Carrigan: Yeah. 

Dave Bittner: Right, right, right. And I think the bigger issue here, which is something that drew the attention of Senator Ron Wyden, which is that he says that the FCC needs to crack down on this sort of thing, that there's - things are too loosey-goosey when it comes to SMS. Just that the companies are even capable of doing this sort of thing... 

Joe Carrigan: Yeah. 

Dave Bittner: ...That's a problem, and it's a long time coming. It's way too - been way too long since the FCC took a closer look at this, from Senator Wyden's point of view. So... 

Joe Carrigan: I would agree. 

Dave Bittner: ...Maybe this will draw some attention to it. 

Joe Carrigan: Yeah, hope so. Hope so. And I hope that the FCC is paying attention. I hope they are thinking about putting in some new regulation to make this more difficult. And I don't like the idea that somebody can just pay another company 16 bucks to take all my text messages. 

Dave Bittner: Yeah. 

Joe Carrigan: And I really don't like the idea that that can happen without me getting any notification or any way for me to find out. You know, at least with a SIM swapping attack, my phone stops working, right? 

Dave Bittner: Right, right. 

Joe Carrigan: I can bring in my phone and go, hey, something's wrong. 

Dave Bittner: Right. 

Joe Carrigan: And - but this, you get none of that. 

Dave Bittner: Yeah. 

Joe Carrigan: You just stop receiving texts. 

Dave Bittner: Yeah, it's an interesting revelation for sure. Again, it's over on the Vice website, written by Joseph Cox. It's titled "A Hacker Got All My Texts for $16." Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. It's the pause that refreshes. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.