The CyberWire Daily Podcast 4.23.21
Ep 1318 | 4.23.21

Three ransomware gangs up their game. The US Postal Inspection Service’s “Internet Covert Operations Program.” GCHQ warns of dependence on Chinese tech. Undersea cable security.


Dave Bittner: Ransomware operators begin timing their releases for more reputational damage. Another gang is equipping its ransomware with scripts to disable defenses, and yet another is now into stock shorting. The U.S. Postal Inspection Service is apparently monitoring social media. GCHQ's head warns of the dangers of becoming dependent on China's technology. Johannes Ullrich from SANS on Commodity Malware Targeting Enterprises. Our guest is Etay Maor from Cato with some of the clever ways criminals avoid detection. And it's not just sharks interested in undersea cables.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, April 23, 2021. 

Dave Bittner: Ransomware continues to trouble organizations. One of the bigger recent incidents was REvil's attack on Taiwan's Quanta, a major supplier for Apple, an attack that came to general attention this week. Threatpost reports that after Quanta refused to pay, the REvil gang began to leak sensitive design documents online, and they timed their leaks to coincide with Apple's big Spring Loaded product announcement event. REvil wants $50 million by May 1. 

Dave Bittner: In other ransomware news, researchers at GuidePoint Security say that the gang behind Mount Locker is changing the way it does business. Mount Locker, whose ransomware-as-a-service business entered the criminal marketplace in the second half of last year, has been an unfortunately effective but fairly conventional criminal operation. It encrypted and exfiltrated files on the double extortion that threatens both data availability and data privacy that's now customary with ransomware operators. 

Dave Bittner: Now, however, GuidePoint says Mount Locker is stepping up their game by including scripting and capabilities directly targeting prevention measures. Along with other enhancements, the extortionists are now deploying scripts tailored to the specific defensive tools they find in their target's environment. 

Dave Bittner: And another ransomware group has expanded its threats to a promise that they'll work with crooked market speculators to short the stock of the companies they target. Recorded Future finds that the hoods behind the Darkside ransomware have now made it formal. Dmitry Smilyanets, threat intel analyst at Recorded Future, told The Record, quote, "while other ransomware families previously discussed how to leverage the effect of a publicly disclosed cyberattack on the stock market, they have never made it their official attack vector," end quote. 

Dave Bittner: The US Postal Service is running an "Internet Covert Operations Program," Yahoo News reports - apparently a broad monitoring of US citizens' social media activity in an effort to trawl for signs of extremist content that might suggest incipient violations of law. The news has been poorly received by privacy advocates and some members of Congress. 

Dave Bittner: The US Postal Inspection Service is an actual law enforcement agency with a serious and longstanding mission to protect Postal Service operations that goes back to the "Surveyors" Benjamin Franklin appointed for that purpose in the late 18th century. In fact, since William Goddard was appointed the first Surveyor on August 7, 1775, the Service arguably predates the republic itself.

Dave Bittner: The Postal Inspection Service describes its mission as "to support and protect the US Postal Service and its employees, infrastructure and customers; enforce the laws that defend the nation's mail system from illegal or dangerous use; and ensure public trust in the mail." It currently organizes that mission under several relatively expansive heads - protecting USPS, protecting USPS employees, illegal narcotics, mail and package theft, identity theft, mail fraud, fraud prevention and education, suspicious mail, disaster response, money laundering, cybercrime, global mail security, and child exploitation. 

Dave Bittner: Presumably, incitement or conspiracy carried out over social media would fall under cybercrime, but the whole business strikes many as questionable domestic surveillance. The Postal Inspection Service didn't reply directly to Yahoo News in response to their questions, but they did return a general statement about their activities. They cast the Internet Covert Operations Program as a routine protective measure to secure the mail. 

Dave Bittner: Here's how they put it - quote, "The Internet Covert Operations Program is a function within the U.S. Postal Inspection Service, which assesses threats to Postal Service employees and its infrastructure by monitoring publicly available, open-source information. Additionally, the Inspection Service collaborates with federal, state and local law enforcement agencies to proactively identify and assess potential threats to the Postal Service, its employees and customers and its overall mail processing and transportation network. In order to preserve operational effectiveness, the U.S. Postal Inspection Service does not discuss its protocols, investigative methods, or tools," end quote. 

Dave Bittner: So tell it to the people squabbling with their city's water department over late charges because their bill was delayed by, in some cases, a month or more. The Guardian notes that the surveillance effort comes at a time when the U.S. Postal Service's core responsibility of delivering mail has been perceived as falling off from previous standards. Sniffing out revolutionary or reactionary wrong-think is now in the Postal Service’s remit? NSA didn’t want the mission, so it went to the Postmaster General? 

Dave Bittner: Representative Thomas Massie, for example, a Republican representing Kentucky's 4th District, put it this way - quote, "Disturbing. Why do presidents and my colleagues in congress tolerate these violations of the Constitution? Also, and unfortunately, the USPS has been losing money for many years, so where do they find money to run this surveillance program," end quote. Representative Massie tweeted these remarks, so one presumes the Postal Service received them. Had he dropped them in the mail, who knows? 

Dave Bittner: It's a good thing dogs don't actually get mail, or they'd have an even bigger justification in the ancestral canine war with letter carriers than pooches already do. 

Dave Bittner: The head of Britain's GCHQ says that the West faces a moment of reckoning in cyberspace, and that, unless it wants the world's operating system to be made in China, it had better get skeptical about relying on Chinese technology in its infrastructure. GCHQ director Jeremy Fleming told the BBC, quote, "The risk, as I see it today, is that we lose control of the standards that shape our technology environment," end quote. The pressure to allow Chinese tech in will grow as cities become inevitably smarter - smarter in the IoT sense of the word. Fleming sees the experience of rolling out 5G technology as an important cautionary tale. 

Dave Bittner: And, finally, have you thought about the possibility of undersea cables being hacked? Whitehall has. Techerati says the U.K. is procuring a surveillance ship to quietly inspect cables for physical interference. It's a real possibility. The Royal Navy did it to German diplomatic communications during World War I, so Whitehall should know. And the Royal Navy's not the only one, either - or so we hear. Skittishness about cables has been a point of contention in the Southwestern Pacific in particular, where Australia has objected to Chinese tech companies' participation in running cable service to neighbors like Papua. Of course, there's physical interference, and then there's physical interference. There are plenty of documented cases of sharks gnawing on undersea cables, presumably attracted by the EMI energy they may be putting out. Real sharks, not, you know, robot sharks - with lasers. 

Dave Bittner: Adversaries have perfected their game when it comes to evading endpoint security, sandboxes, threat intel feeds and more, and the ongoing shift to the cloud has opened up new opportunities for them and challenges for defenders. Etay Maor is senior director of security and strategy at Cato Networks, and he joins us with thoughts on network-based threat hunting and leveraging your tools to work together. 

Etay Maor: I think we're actually in a very interesting time right now because different threats have been evading security controls for a while now, but almost everything we had was on-prem, and we used endpoint types of detections. And now a lot of the companies - a lot of organizations are moving to the cloud, which is a great opportunity for security, but as we've learned in the past, it's also a great opportunity for attackers as well. So I think one of the challenges, though, where we find ourselves now is we're trying to use old-school or the techniques that we used in the past for on-prem infrastructure to detect and mitigate cloud-based threats. And it's not what it was designed for. I mean, the attackers have already - already know how to beat the old versions on on-prem. And, of course, for cloud infrastructure, it's a different game. 

Dave Bittner: Well, I mean, let's continue along with that metaphor, then. I mean, when folks are working in a cloud environment, what sort of things do you recommend they have in place? 

Etay Maor: So there's several security solutions and architectures that I would recommend. But before I even go into that, I think a lot of organizations can better utilize what they already have today in-house, which means taking a look at some of the security feeds that they have, intelligence feeds, and correlating them, for example, is one good practice. I worked for a threat intelligence company in the past as well, and I think some of these feeds, some of the info that's there, is amazing. But it's really siloed, and the attackers take advantage of siloed information. For us as defenders, we have the opportunity to actually take all the information that's coming from multiple sources, multiple vendors, whatever it is, and correlate them to really identify threats and sometimes even identify threats that have not been identified before. 

Etay Maor: And here's where I'm getting to the old-school approach versus the new-school approach. Old-school approach was, hey, let's sign everything and, you know, fight it. As soon as I see that signature on my network, I can identify it. But, you know, there are so many threats out there today. And I'm just taking one small example, right? But there are so many threats out there today that signing everything is not easy - not to mention the fact that sometimes you may want to identify the threat even if it's not signed. And that's where I'm getting into network-based threat hunting, which is, you know, one of the things that is allowed if you use a SASE architecture, where you have the security and the network controls combined and integrate - merged. And you can start looking at things and say, hey, so I have an alert here; let's combine that with information I know from all the network that I'm seeing, all the different network flows. Is this little communication - is it going to somewhere that I've seen before? Does it act in a certain way? Did it invoke - did it use certain processes? Does it - there's all kinds of elements you can collect from different systems. 

Etay Maor: And when you put all of them together, you can say, you know what? I don't know what it is, but it's not something good. Now, each one of them alone may not raise an alert. And we actually tried this with our own security team. We saw threats that went undetected when you looked at them in a siloed view of one - of a specific, for example, threat intelligence or certain types of controls that you have. But when you combined three or four of these elements together, you could say, I don't know what it is, but I know it's not acting like I would expect something good to act. Does that make sense? 

Dave Bittner: It does. Now, the actual combining of the data there, integrating that information - how should folks go about doing that? 

Etay Maor: So you can use all kinds of models. There are actually some good articles out there. We use - we - you know, we have our own MTR team, and they take this information and combine different security feeds, combine popularity, for example. Like I said before, one of the examples is, if I have access to data for hundreds of customers, and now I see that one of my customers is trying to communicate over the network to a certain domain or URL, has any one of the other customers ever tried to connect to it? That's a popularity rating, right? And you say, well, no. It's the first time. So, you know, maybe it's something that - a domain that was just created. And, you know, it's not something - it's not Google. It's not Yahoo. It's not CNN. And so it's suspicious. 

Etay Maor: Other things that we look into, for example, are the domains themselves. You start looking at - if you try to sign a malware, the malware may communicate to different domains. So the signature changes, or the network signature of it changes. But if you look at the domains themselves, all of a sudden, you start seeing these different patterns. Oh, wait a minute - this domain - it's in - always 24 characters, and it's always vowel, number, vowel, number. OK, I'm seeing a pattern here. So now I'm going to search for this pattern in all the communications and, by the way, not just for this customer - for all my customers. And now I have - I'm actually - you know, I'm a security vendor, but I'm actually using the knowledge, the combined knowledge coming both from security and network of my customers, to actually get a very good understanding of, what is the threat landscape? And, you know, where (laughter) - it's funny. It's, where is the needle in the needle stack? Because there's a lot of needles. There's a lot of bad stuff going on. But you really want to detect the one that, you know, might put you in the news in a couple of days. So that's the type of work that we're doing. 

Dave Bittner: That's Etay Maor from Cato Networks. 

Dave Bittner: And joining me once again is Johannes Ullrich. He is the dean of research at the SANS Technology Institute, also the host of the ISC "StormCast" podcast. Johannes, it's great to have you back. I know you and your team have been tracking some commodity malware that's been targeting enterprises lately. What are you all looking at? 

Johannes Ullrich: Yeah, so if you are in this business, one of the sad parts about it is that day after day, you see these reports, you get the sample where an email arrives with the Office attachment and a macro. And, of course, for the most part, the enterprise tools are having a pretty good handle on them and are removing those malicious attachments. But every so often, something slips through. Now, often, these exports are really more targeted at your home small-business user that doesn't have a lot of protection in terms of anti-malware. And in that case, typically that malware, what it did is it sort of focused on the machine that it was running on. It may encrypt it for ransomware. It may steal credentials, back-end Trojans and whatnot be had. Maybe it went out after a couple shares, network shares that were mounted on that machine. But that even was sometimes more accidental. 

Johannes Ullrich: Now, what we saw recently is that, actually, what these attackers realized is, hey, you know, there are a lot of enterprises with good protection that will not allow our macros in. But every so often, something slips through. You know how it goes - that the CIO or CEO who has an intern who'll print out his email for him? 

Dave Bittner: (Laughter) Right. 

Johannes Ullrich: And in that case, you know, the intern, of course, gets blamed for starting the macro, but it's now being started on the corporate system. So what this particular malware does is it checks, am I running on an enterprise network? And the way it figures that out is it checks if it is part of an active directory domain, so a more managed network. And if so, then it installs additional remote access tools, in particular Cobalt Strike - that sort of seems to be the tool of choice here. Or some variants or similar open-source products are then being used to sort of gain persistent access to the system. 

Dave Bittner: What are your tips here, then, to prevent this sort of thing? 

Johannes Ullrich: Well, to prevent it, first of all, if you are analyzing malware, make sure that you also analyze it on a sandbox that is joined to an active directory domain so you see the full behavior of it. Of course, you know, your standard anti-malware tools should take care of it. They should find the macro. They should block it. They're already sort of, you know, looking for the one system that slipped your central control. That's what they're looking for. And what happens next, then, really is this command control channel. So it's one of those things where you really shouldn't just focus on prevention by blocking these attachments, but, you know, assume that one or two of them are slipping through. So make sure you're also having detection in place to identify compromised systems. 

Dave Bittner: It really is remarkable how much of this is a numbers game - that, you know, these folks are - you know, they try to hit everybody with everything and sort of see what sticks. 

Johannes Ullrich: Yes. In part here, the problem is also that - the way sort of the bad guys are organized, these people that are sending you the malware - you're probably already dealing with two organizations. There's the one organization that really just provides the spam service, the sending the emails. And then there is the other organization that is writing the malware. But then they're essentially providing services for other tiers of malicious organizations. And, you know, they figured out that, hey, for a home system, they'll encrypt the baby pictures, and they'll pay us a hundred dollars. For the enterprise system, we'll hand it off to someone - we sell access to that company, and they can probably make more money that way and spend the time to really sniff around the network and see what hurts the most. 

Dave Bittner: Yeah. I mean, they're run like real businesses. 

Johannes Ullrich: Yeah. 

Dave Bittner: Yeah. All right. Well, Johannes Ullrich, thanks so much for joining us. 

Johannes Ullrich: Thank you. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. 

Dave Bittner: Be sure to check out this week's "Research Saturday" and my conversation with Jason Passwaters from Intel 471 on bullet-proof hosting - what it is and how to minimize impact, common BPH malware families and top BPH providers. That's "Research Saturday." Check it out. 

Dave Bittner: Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.