The CyberWire Daily Podcast 4.6.21
Ep 1305 | 4.6.21

Watering holes, from Kiev to Canada. File transfer blues. What’s up in the criminal-to-criminal market. And an update on the old Facebook breach.


Dave Bittner: A watering hole campaign compromised several Ukrainian sites and one Canadian one. File transfer blues. A couple of looks into the criminal-to-criminal marketplace. Ben Yelin has details on a privacy suit against Intel. Our guest is Steve Ginty from RiskIQ on the threat actors behind LogoKit. And notes on the big and apparently old Facebook breach, including why people care about it.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 6, 2021. 

Dave Bittner: Lumen Technologies' Black Lotus Labs this morning announced their discovery of a watering hole campaign that compromised a number of Ukrainian websites and at least one Canadian site. The campaign affected a range of sectors, including manufacturing, oil, media, sport and investment banking. The unidentified attackers used malicious JavaScript on the site to induce victims to send their NTLM hashes to an attacker-controlled server via Server Message Block protocol. That's SMB. The technique is similar, Black Lotus Labs noted, to one used in the compromise of the San Francisco International Airport's website in 2020. ManageEngine described the SFO incident last April. 

Dave Bittner: The Accellion FTA compromise continues to claim victims, many of them universities. And MSSP Alert has a rundown of the current state of that incident. FTA, however, isn't the only file transfer application to undergo exploitation. Avanan reports that a phishing campaign has been active, in some cases successfully, against users of WeTransfer, another popular file transfer app. The attackers are phishing, as one might expect, for user credentials. And their phishbait is a bogus message telling recipients, you have received some files. 

Dave Bittner: Sophos researchers have discerned a connection between the Mount Locker Ransomware Group and a new gang, the Astro Locker Team, the latter a relative newbie in the criminal space. The precise nature of the connection remains to be determined. But it may be an underworld branding exercise, with Mount Locker using the new group to give it the requisite cachet to become a player in the ransomware-as-a-service sector. Having a big affiliate or apparent affiliate can do that for a gang. If Mount Locker can claim a biggish-appearing gang as a customer, so much the better for its street cred and presumably for its sales. 

Dave Bittner: Elsewhere in the underworld's criminal-to-criminal markets, Intel 471 is observing EtterSilent, a tool for building malicious documents that's achieving significant market share. EtterSilent, first available on Russophone hacking forums, typically creates a bogus DocuSign template. It's been used to spread TrickBot, the BazarLoader and three banking Trojans, BokBot, Gozi ISFB and QBot. Those last three also use bulletproof-hosting services from Yalishanda, one of the world's most notorious BPH providers, Intel 471 writes. As is often the case with phishbait, this one is more visually convincing than it is linguistically credible. While not the laugh-a-minute low level we used to see from The Shadow Brokers, it's still got a whiff of Hollywood Hekawi (ph) idiom. Why can I not open this document? - it asks, for example, and offers two suggested answers. You are using iOS or Android. Please use desktop PC. Or, you are trying to view this document using Online Viewer. Well, what's a viewer for? In any case, the goal is to get the hasty, the curious and the unwary to click.

Dave Bittner: That big and old Facebook breach remains in the news. Business News points out that Mr. Zuckerberg himself was among the 533 million users affected. Among the Facebook founder's compromised data were his name, birthdate, location, marriage details, Facebook user ID and the fact that he was a Signal user. Ireland's Data Protection Commission, whom the EU has stuck with the thankless task of supervising whatever it is that the Americans are up to, has, according to the BBC, opened an investigation into the incident. The commission is looking into whether the data recently made freely available on a site catering to low-end skids are, in fact, identical to those compromised in 2019. The timing is important for GDPR enforcement. An early leak would've occurred before the EU's privacy regime was fully in effect. So far, the commission says it seems as if, indeed, the data are from the older leak, as Facebook has said. But the investigation is still young. Observers find the leak, old as it may be, troubling for several reasons. First, much of the data is of the sort that's unlikely to change. Second, as Vice sourly observes, Facebook doesn't appear to have been particularly diligent about notifying its affected users back in 2019 when the company detected and fixed the breach. That also shows, The Washington Post's Cyber 202 thinks, the limitations of current data breach disclosure rules. Third, SC Magazine sees the incident as illustrating the problems that any business model dependent on collecting and selling user data will present. And finally, the data is now readily available to be used by a range of operators one might not particularly wish to meet online or in real life, whom WitFoo's Charles Herring characterizes for SC as telemarketers, sales personnel, debt collectors, stalkers, con men and the rest of the world. Some of our best friends are sales personnel, but our editorial desk doesn't like the sound of that rest of the world.

Dave Bittner: The SolarWinds attack has put a spotlight on third-party security risks. And one element people are pointing out is that third-party risks are nothing new. Mark Lance is former head of incident response at RSA and now senior director of cyberdefense at GuidePoint Security. He sees a strong similarity between the SolarWinds attack and the RSA hack from 10 years ago. 

Mark Lance: Yeah. I mean, I would say that, you know, we see targeted attacks and have seen targeted attacks historically at a large scale and with advanced threat actors going on for obviously an extended period of time, going all the way back to the RSA breach and prior. And so, you know, very specifically with what occurred with SolarWinds, which was a supply chain attack, you know, this isn't necessarily the first time we've seen something like this. And so when you start taking into account trying to access somebody who is, you know, part of the supply chain or a vendor or somebody else as opposed to targeting an environment directly, again, it's something that we've seen historically and was reminiscent of the RSA attack where, you know, RSA being breached and getting access to the data there was not necessarily specifically for the end result of trying to access RSA, but subsequently to attack other environments. And so, again, it's reminiscent from the sense that, you know, there is initial motivation to get into that specific environment, but predominantly for subsequent access into a larger target or more targets. 

Dave Bittner: Is it fair for folks to express some frustration that, you know, 10 years out or so from the RSA hack that here we are again?

Mark Lance: I think that, you know, this is something that is going to continue to happen. I mean, I think when you've got motivated attackers who are - really have an objective they're trying to accomplish, they're going to find one way to do it or another. So if it wasn't RSA or if it wasn't SolarWinds, they're going to find some other potential access point within the supply chain or, you know, whether it's through a subsidiary or whether through a partner or vendor relationship, they're going to find a way in. 

Mark Lance: So I would say that, you know, there, you know, can certainly be frustration in some of the qualities associated with the way that things are being secured. But I think overall, these attackers are very creative, especially when you're talking about, you know, your nation-state-sponsored actors that, again, when they've got an objective, they're going to find one way or another to get in. And it just happened to be that they were the ones that were impacted. And you would like to think that there are additional controls being put in place and things to prevent similar things from happening in the future. 

Dave Bittner: That's Mark Lance from GuidePoint Security. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland's Center for Health and Homeland Security and also my co-host on the "Caveat" podcast. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: Interesting story about a lawsuit against Intel - and this is a lawsuit that was filed in February and made its way from a Florida state court and has shifted to a federal district court. And evidently, a plaintiff, one Holly Landers, has claimed that she visited Intel's website in the year prior to January of 2021, and during those visits on the website, Intel had tracking, recording and other session replay software to intercept her use and interaction with the website, including mouse clicks and movements. And this lawsuit is being brought saying that this violates wiretapping statutes. What's going on here, Ben? 

Ben Yelin: Sure. So we've seen a number of these cases pop up in both state courts and federal courts across the country. We've seen cases based in California, New York and now Florida. What's interesting about these cases is they are all courses of action brought under different state laws related to secure communications or the privacy of one's own software or devices. So it's not technically illegal in any of these states to do what Intel is doing here, which is temporarily intercepting some information - mouse clicks, movements, et cetera. Session replay software, per se, is not prohibited. It often comes down to this question of consent. The Florida law, which is the 2020 Florida Security of Communications Act, makes it a crime to intentionally intercept another person's electronic communications without prior consent. 

Ben Yelin: So much of the outcome of this case is going to hinge on whether this plaintiff had informed consent. Informed consent in these types of cases is very difficult to adjudicate. You know, if you put something in tiny typing at the bottom of the screen that nobody would ever see, are you actually - you know, is that actually enforceable consent? You know, most of the time it is. But if lawyers are able to properly allege that there wasn't an opportunity for this plaintiff, Miss Landers, to understand how, you know, this session replay software was working, how frequently it was deployed and the risks of the use of this software on the privacy of her information, and that would seem to be a violation of this Florida Security of Communications Act statute. And that's why at least the analysts cited in this article think that this Florida case has a better chance of proceeding than some of the other cases we've seen on this topic across the country because the law in question, the law under which this cause of action has been brought, is more robust than other laws we've seen across the country. 

Dave Bittner: That's interesting. I mean, I have to admit that my - I tend to raise my eyebrows whenever I see someone calling on a wiretapping law because my sense, certainly from things I've seen here in my home state of Maryland, is that wiretapping laws are often, you know, sort of brought in to come at people for things that perhaps the wiretapping laws were never intended for, you know, whereas the wiretapping laws, in my mind, tend to be a relic of an earlier time, when we were all communicating on landlines. And... 

Ben Yelin: Right. We were literally tapping the wires, yeah. 

Dave Bittner: Right. Exactly, exactly. And it's not that anymore. So, for example, you and I both live in Maryland, which is a two-party consent state, which means if you record something, you have to have permission from all parties involved. And I suspect that's what they're getting at here in Florida. But I don't know. I guess, you know, if - wasn't she a guest on Intel's site, right? (Laughter). 

Ben Yelin: Yeah. Yeah, she was. But that doesn't defray the importance of informed consent. Now... 

Dave Bittner: Right. 

Ben Yelin: ...There's no guarantee that, you know, in court or in a motion to dismiss, Intel and their army of probably extremely accomplished lawyers can argue that there actually was informed consent. I mean, they did have a kind of standard warning that comes with this script that says, you know, we're using a session recorder; it tracks user mouse movement, clicks, taps, scrolls or even network activity. So, you know, there's something there. 

Dave Bittner: Yeah. 

Ben Yelin: But, you know, whether that satisfies the requirements of this statute, I think, is in question. 

Dave Bittner: Right, right. So it could be - I mean, for example, if Intel had - the first thing that you saw when you went to this website was an opt-in that said... 

Ben Yelin: Yes. You have to click agree, yep. 

Dave Bittner: Yeah. Yeah, then they'd probably be off the hook. 

Ben Yelin: And that might be the end result of this case. I mean, I think, first, Intel will try and succeed on a motion to dismiss. If they do not, they might be interested in settling, saying, all right, if we're going to use this script, we will agree to have some sort of opt-in parameter. 

Dave Bittner: Yeah. 

Ben Yelin: So it's not something being sprung onto the consumer without their consent. 

Dave Bittner: Right, which I suspect in that case, they'd probably just do away with it because how many people are - just the friction that that opt-in would create is probably... 

Ben Yelin: Right. I mean, certainly, they're trying to avoid that outcome. 

Dave Bittner: Yeah, yeah, yeah. Interesting. All right, we'll keep an eye on this one, see how it plays out. Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. We give you lots of reasons to love us. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.