The CyberWire Daily Podcast 4.22.21
Ep 1317 | 4.22.21

VPN users remediate systems. New Supernova infection. Cryptojacking botnet afflicts vulnerable Exchange Servers. Facebook takes down spyware groups. Ransomware. Cellebrite bug found.


Dave Bittner: Agencies continue to respond to the Pulse Secure VPN vulnerabilities. Updates on the SolarWinds compromise show that it remains a threat and that it was designed to escape detection and especially attribution. A cryptojacking botnet is exploiting vulnerable Microsoft Exchange Server instances. Facebook takes down two Palestinian groups distributing spyware. Ransomware draws more attention. Craig Williams from Cisco Talos looks at cheating the cheater. Our guest is Bruno Kurtic from Sumo Logic on their Continuous Intelligence Report. And a Cellebrite vulnerability is exposed.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, April 22, 2021. 

Dave Bittner: U.S. organizations continue to recover from the cyber-espionage campaign, probably Chinese in origin, that exploited vulnerabilities in Pulse Secure's VPN. CyberScoop reports that at least two dozen U.S. agencies are known to run the VPN, but how many of those were compromised remains unclear. A number of those users are national laboratories involved with defense and national security work. Most U.S. government agencies have until tomorrow to report their self-scrutiny and remediation to CISA. 

Dave Bittner: The SolarWinds supply chain compromise, which has been partially eclipsed in the news by more recent incidents like the aforementioned VPN exploitation, is far from over. The U.S. Cybersecurity and Infrastructure Security Agency this morning released an alert warning that it had found instances of the SUPERNOVA malware during a CISA incident response. The affected entity is addressing the attack, and CISA says its own engagement with this incident is continuing. SUPERNOVA is the backdoor associated with the SolarWinds compromise. 

Dave Bittner: RiskIQ has a rundown of the SolarWinds incident to date. One of the things they note is the difficulty of attribution. The U.S. government, from the White House to CISA and NSA, has been pretty unambiguous in calling out Russia's SVR as the bad actor behind the campaign, and those last two mentioned agencies published some of the malware used in the incident that they say they've traced to the Russian organs. 

Dave Bittner: RiskIQ points out that the private sector has generally been more tentative in its attribution. It's not that the private sector thinks the Russian services innocent, but rather that the kinds of similarities in tactics, techniques and procedures private sector analysts look for were, in this case, ambiguous. RiskIQ thinks this ambiguity was deliberate, and they agree with the U.S. officials who attributed the campaign to the SVR. They say, quote, "pattern avoidance was a tactic used in all aspects of the SolarWinds campaign," end quote. The threat actors use different command-and-control IP addresses for each victim, and that in itself makes the correlation analysts like to use more difficult. The researchers found that Cozy Bear's infrastructure was registered under varying names and at different times over several years to avoid establishing a traceable pattern. The SVR probably bought the domains from resellers or at auction. 

Dave Bittner: Cozy Bear also hosted its campaign infrastructure, at least their first-stage infrastructure, entirely within the U.S. That's not only likely to lend an air of innocence to their traffic, but it also means that they may be more likely to escape the attentions of the U.S. National Security Agency, whose remit is of course foreign intelligence and not domestic surveillance. We note in passing that General Nakasone, director NSA, yesterday again told the Senate that he didn't want his organizations given authority to monitor domestic traffic. Defense Systems quotes General Nakasone as saying, quote, "I'm not seeking legal authorities either for NSA or for U.S. Cyber Command," end quote. 

Dave Bittner: The second stage of the campaign was still mostly hosted in the U.S., but by the third stage, Cozy Bear was largely working from overseas. The shifts were probably intended, at least in part, to avoid falling into the sort of pattern that would alert observers. The threat actor also had its first-stage implant beacon to its command-and-control servers with random jitter after two weeks. The second stage used the familiar penetration testing tool Cobalt Strike, and the malware used in the third stage looked nothing like the tools used earlier in the campaign. Analysts who found one stage's malware would have found it difficult to follow the attack into other stages. 

Dave Bittner: The RiskIQ researchers write, quote, "taken together, the threat actors implemented their TTPs in this campaign to avoid resemblance to prior patterns associated with APT29 or any of the other known Russian APT groups. Researchers or products attuned to detecting known APT29 or other Russian APT activity would fail to recognize the campaign as it was happening. And they would have had an equally hard time following the trail of the campaign once it was discovered," end quote. But they're confident that their own telemetry also points to APT28, the SVR, Cozy Bear herself. 

Dave Bittner: The Record talked with SolarWinds' CISO, and it's a cautionary tale for organizations who may think they have their security bases covered. SolarWinds' CISO, Tim Brown, said, quote, "a nation-state attack of this level and sophistication meant it was very patient, deliberate, targeted. That type of campaign isn't your general attack that you prepare for. Now what we have to do is prepare for more of those as a community," end quote. 

Dave Bittner: Cybereason has found the cryptojacking botnet Prometei exploiting unpatched Microsoft Exchange Server instances. Prometei, which uses victim machines to mine Monero, was discovered last summer, but Cybereason believes the Prometei gang has been in action since 2016. 

Dave Bittner: Prometei is random and unselective, its goal apparently being the infection of as many systems as possible. It's been active in North America, Europe, South America and East Asia, but it does appear to systematically avoid hitting targets in former Soviet bloc countries, which suggests that its operators are leery of attracting adverse Russian attention and would rather stay on the good side of Russian law enforcement. The sectors affected are equally wide-ranging, including financial services, insurance, retail, manufacturing, utilities, travel and construction. 

Dave Bittner: Prometei is evidently a criminal operation. It has, however, been happy to make use of the Exchange Server exploits first deployed by China's Hafnium threat actor. 

Dave Bittner: Facebook announced yesterday that it's taken down two Palestinian groups who'd been using the social network for a politically motivated surveillance campaign. The two actors have been identified as the Preventive Security Service - the PSS - and the Gaza-based threat actor Arid Viper. They seem to have been particularly interested in prospecting and impersonating journalists and other gadflies. Some of their content presented itself as solicitation for complaints of human rights violations. 

Dave Bittner: The PSS-associated group used both Windows and Android malware as well as social engineering campaigns to install spyware in targets' devices. Arid Viper used bespoke and hitherto unidentified iOS surveillanceware. And they, too, relied on social engineering to distribute their malware. 

Dave Bittner: Bloomberg reports that Apple supplier Quanta Computer, a Taiwan-based manufacturer of MacBooks, has been hit with a $50 million extortion demand by the REvil ransomware gang, a well-known criminal enterprise based in Russia. 

Dave Bittner: Ransomware as a whole continues to be a pervasive criminal threat to both data availability and data security. The U.S. Justice Department, according to The Wall Street Journal, is establishing an anti-ransomware task force. It hopes thereby to increase training, devote more resources to the problem and increase intelligence sharing. It also seeks, significantly, to work toward gaining more clarity about links between criminal actors and nation-states. 

Dave Bittner: And finally, Moxie Marlinspike, developer of the secure messaging app Signal, has released information about a vulnerability in Cellebrite's digital forensic products. The vulnerability exposes Windows devices that run Cellebrite to the possibility of remote code execution. Cellebrite has been widely used by law enforcement organizations in both nice and nasty regimes. It had recently announced its development of a forensic tool for analyzing Signal communications, so reports are treating Marlinspike's announcement as a case of the biter being bit. 

Dave Bittner: Sumo Logic is a real-time analytics and security company. And for the past five years, they've published their Continuous Intelligence Report, which focuses on cloud-based cyberattacks. Bruno Kurtic is founding VP at Sumo Logic, and he joins us to share this year's findings. 

Bruno Kurtic: We always wanted to find out kind of how enterprises are leveraging technologies as they transform from traditional business models to digital business models and as part of that, as they migrate their workloads to the cloud. So about five years ago, we conceived of creating a report that's not based on a survey, but rather based on actual data because we have a multitenant platform that helps our customers manage those technologies. And we started monitoring to understand what type of data is flowing through our system - you know, what kind of technologies are people using, what kind of architectures - and decided that it would be a very valuable piece of information to share with the world. As companies embark on this transformation, they can learn from others and essentially sort of not just do it in their own silo. 

Dave Bittner: Let's dig into some of the security things that you're tracking. What sort of things have you found there? 

Bruno Kurtic: Yeah, interesting stuff. So, you know, we've been tracking the adoption of security technologies over the years steadily - right? - and what people in the cloud are using, how they are defending their cloud workloads and on-premise workloads. And what we've discovered is that, you know, as people move to the cloud - and I'll talk about some examples here - they're consuming sort of the data, the outputs of the data that are available for them to understand their own security, technologies like AWS CloudTrail and VPC Flow data, Google Audit, Azure Audit, all of these technologies that essentially, you know, provide you with a trail of what is happening inside of your account, which is what is to be expected. That is what companies do on premise when they have technologies, right? 

Bruno Kurtic: Then we wanted to understand what kind of vendors are being used, right? What kind of vendors do you expect to find in cloud security, you know, operations versus on-premise security operations? And so we actually found that - you know, we have a whole page on this in our report that looks at traditionally on-premise technologies - right? - companies that, you know, were in hardware, like Palo Alto and some companies that grew out on-prem like Carbon Black, continue to kind of have a significantly more deployment on premise than in the cloud. 

Bruno Kurtic: And then other companies that are "cloud native," quote-unquote, like Okta, CrowdStrike or Zscaler, all of those have significantly more workloads appearing in the cloud-native customers, right? And so - which is, again, not surprising, but it does sort of show you that companies with the cloud architectures tend to win in cloud workloads and companies that don't have - that have sort of, you know, deploy-yourself architectures end up, you know, being deployed on premise. So that's what we find in technology adoption. And then we've also investigated quite a bit these sort of - what types of attacks are people experiencing? Where are those attacks coming from? What are they attacking? And so on. 

Dave Bittner: That's Bruno Kurtic from Sumo Logic. 

Dave Bittner: And joining me once again is Craig Williams. He is the director of Talos outreach at Cisco. Craig, always great to have you back. You guys have done some really interesting research here lately about how some bad actors are taking advantage of some of the collaborative platforms like Discord and Slack and so on. Can you take us through what y'all have been looking at here? 

Craig Williams: Sure. You know, one of the things we look for at Talos is the abuse of services. You know, depending on how long you've paid attention to threat on the internet, one of the things you'll find true is that if it's free to use on the internet, someone will abuse it, right? I mean, it holds true for everything. And so when we had a significant number of collaboration apps all vying for more users, we expected it would be something that was abused. And sure enough, we saw in our telemetry actors using those apps to distribute malware. And the further we dug in the hole, the more cool stuff we found. 

Dave Bittner: Well, let's dig in specifically to Discord. I mean, just give me a brief overview. I mean, what's the intended use of Discord? And then how did you find folks taking advantage of that? 

Craig Williams: Sure. So Discord is like Slack or WebEx Teams or any of those chat apps, right? The overall goal is to allow users to connect to a server and to separate into rooms and, within the rooms, communicate with one another, exchange files, you know, organize... 

Dave Bittner: My son uses it to play D&D. 

Craig Williams: Right. Yeah. We use it to play Rainbow Six Siege - Matt Olney and I over at Talos. 

Dave Bittner: Yeah. 

Craig Williams: We're super not toxic, I promise. 
Craig Williams: But so Discord is incredibly popular, and it's installed on a massive number of systems. I would say it's probably one of the favorites out there. And so as a result, actors have been looking at that user base and looking at the services it offers to find a way to abuse it. And sure enough, they were able to find some things that they found attractive. 

Dave Bittner: What specifically are they doing here? 

Craig Williams: Well, one of the really common ones is that Discord allows files to be downloaded by anyone using a URL. So, for example, the way this would work, if I'm the bad guy, I'm going to go register a Discord account with a throwaway email. I'll go upload a file, and then I'll, you know, get the link to share that file to others. But instead of sending it to people just on Discord, I'll send it out in a million email messages to victims saying it's a new shiny thing that they want. 

Dave Bittner: And so are they playing off of the fact that the domain name - it's going to be coming from a Discord domain name, and that lends it a bit of legitimacy? 

Craig Williams: You know, that could be the case. Honestly, that's not something I really even considered because we see so many random URLs. 

Dave Bittner: Right. 

Craig Williams: I think it's more the fact that it's reliable, free hosting. Right? 

Dave Bittner: What else are they - yeah. What else are you seeing here in terms of - I know one of the things you looked into was - it's like the types of - even the types of compression systems that they're using was popular. 

Craig Williams: Exactly. That kind of surprised me. You know, when you think about malware attachments in the Windows world, you know, there are file formats that not every antivirus engine can process. And so typically, you see a lot of common ones, but sometimes you see unusual ones. And this was one of the cases where we saw a variety of unusual ones. And I think what was most surprising about it was the frequency at which we saw the unusual ones. You know, for example, you know, we saw ACE compression more often than we saw ZIP compression. 

Dave Bittner: Yeah. What - any insights there? What's behind that? 

Craig Williams: Well, ACE is a compression format that's very popular with, you know, video game mods and things like that. And so I think they assume that a lot of people have it installed. And if they don't, perhaps they'll go get the tool to undo it. And because it's so infrequently used in the normal world, most antivirus engines may not be able to process it. And so effectively, by using ACE compression, they're evading file attachment scanning on the way to the victim. 

Dave Bittner: So what are the take-homes here? I mean, in terms of how people should keep an eye out for these sorts of things, what are you guys recommending? 

Craig Williams: Well, I think there's a couple of things here, right? As far as home users, don't click on links in emails, you know? 

Dave Bittner: (Laughter). 

Craig Williams: I mean, saying that is almost pointless because we know everyone clicks on links in emails, right? It's like saying, just patch. Like, there's some people who can't, and there's some people who can't stop clicking on links in emails. 

Dave Bittner: Right. 

Craig Williams: So I think what you really have to change that to, if people aren't going to follow proper instruction, is when you download an email attachment, scan it with your antivirus engine, and make sure that you scanned the uncompressed data, right? Or do the lazy thing, and if it's not a normal format, just delete it (laughter). 

Dave Bittner: Yeah. That's interesting. In terms of the things that they are trying to put out there in the world, I mean, would your typical endpoint protection detect them? Once they're downloaded and unzipped or, you know, decompressed from whatever they are, is there - are we talking about a high degree of sophistication or not? 

Craig Williams: It depends on the sample. Honestly, we've seen the entire variety. I think, you know, the compression alone will probably prevent some scanning. You know, if you have any sort of network monitoring security tool that's trying to scan email attachments, it may see the URL, try and fetch it and not be able to scan it. But once it's on the end user's system, if they have good security software, it should be able to scan it. Hopefully it will provide that intelligence to the user. 

Craig Williams: But at the end of the day, it really is going to come down to the fact that they should not be running links from unknown sources, right? I mean, this type of threat isn't new. This is just applying the same old lesson to a new medium because Discord basically is offering free hosting so that it's more useful to users. And unfortunately, you know, any time it's free, someone's going to abuse it. And that kind of goes to the rest of the paper where we document, you know, people actually going as far as using Discord for C2 in the organization of the crimeware, right? And this isn't just Discord. Discord is just the most popular one. We also see it on Slack and some others. But it comes back to that age-old thing, right? If it's free, people are going to abuse it. And so... 

Dave Bittner: Yeah. 

Craig Williams: ...You know, there's a separate set of take-homes here for developers, right? If you're going to try and allow users to access files from people they don't know - right? - without logging in, you've got to try and add some protection mechanisms - maybe make sure they're in the same room, maybe make sure they verify their account, maybe make them log in, right? Then at least users would have to have a Discord account, and they should be receiving files from Discord at that point. So there are things you can do. You know, there's development decisions you can make. Like, maybe you shouldn't have a globally downloadable URL at all, right? It seems like that would kind of make sense (laughter). But unfortunately, it's the old trade-off of security for features. And so... 

Dave Bittner: Right. 

Craig Williams: ...It just depends on your priorities. 

Dave Bittner: Yeah. Yeah. All right. Well, there's a lot more to this, and you can check it out over on the Cisco Talos blog. Craig Williams, thanks for joining us. 

Craig Williams: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.