The CyberWire Daily Podcast 5.7.21
Ep 1328 | 5.7.21

CISA on FiveHands. Connections among cybergangs, Russian intelligence services? Software supply chain security. Scripps Health incident update. Home routers. Ryuk hits research institute.


Dave Bittner: CISA outlines the FiveHands ransomware campaign. Circumstantial evidence suggests that some cybergangs are either controlled by or are doing contract work for Russian intelligence services. U.S. federal agencies turned their attention to software supply chain security. Scripps Health continues its recovery from cyberattack. Insecure home routers in the U.K. Daniel Prince from Lancaster University has thoughts on cybersecurity education. Our guest, Rupesh Chokshi from AT&T, has suggestions for organizations who want to get SASE but don't know where to begin. And Ryuk ransomware throws a wrench in research at a European biomedical institute.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, May 7, 2021. 

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency yesterday published an analysis report on the FiveHands ransomware campaign. The report says threat actors used publicly available penetration testing and exploitation tools, FiveHands ransomware and SombRAT remote access Trojan to steal information, obfuscate files and demand a ransom from the victim organization. Additionally, the threat actors used publicly available tools for network discovery and credential access. 

Dave Bittner: It's long been believed that Russian cybercriminals tend to operate at the Russian government's sufferance, but security firm Truesec reports that it's found evidence that the gangs may also be working for the state. Specifically, there are signs that EvilCorp is operating under the security organ's direction. Truesec had been investigating a Wasted Locker ransomware infection and assisting in its remediation when the victim received a government warning that it had received the attentions of the state-run APT SilverFish, regarded as a Russian operation and described earlier this year by researchers at the cyber intelligence firm PRODAFT. 

Dave Bittner: Truesec said that it, quote, "could quickly confirm that the cyber event referred to in the warning was the initial compromise that Truesec had found to be the start of the Wasted Locker ransomware attack." They add that, "we could also determine that the Cobalt Strike beacon used in the attack was in fact the same Cobalt Strike beacon found in the PRODAFT report since it was using the same domains and domain fronting technique described in the report. The domain used to download the PowerShell script GetSystemTime also appeared in the report from PRODAFT," end quote. 

Dave Bittner: This led Truesec to the hypothesis that the gang behind the Wasted Locker attack was identical to the SilverFish actor. They saw other bits of circumstantial evidence, including comparable levels of sophistication and the ability of both groups to conduct continuous 24-hour operations. They also observed a curious indifference on the part of Wasted Locker's operators to motivating their victims to pay. They didn't, for example, make the now routine threat to dox the victims if they failed to pay the ransom demanded. 

Dave Bittner: So the case is circumstantial but suggestive. EvilCorp may simply be a front group, or it could be working as a contractor. There's a possibility that it may be an independent criminal gang and that the apparent connections with Russian intelligence services are coincidental, but this possibility seems increasingly unlikely. 

Dave Bittner: According to Radio Free Europe/Radio Liberty, similar evidence is emerging in the New York trial of an alleged Methbot ringleader, Aleksandr Zhukov (ph). According to U.S. court records, the news outlet explains, the Methbot scam first took form in September 2014, when Zhukov and five other men from Russia and Kazakhstan allegedly rented more than 1,900 computer servers at commercial data centers in Texas and elsewhere and used them to simulate humans viewing ads on fabricated webpages. 

Dave Bittner: In this case, it appears that Methbot used the infrastructure that's been under scrutiny in the investigation of GRU and SVR cyber operations, including the dissemination of the Steele dossier during the 2016 U.S. presidential election. 

Dave Bittner: The U.S. Department of Justice is expanding its investigation post-SolarWinds into supply chain security. Justice is taking a closer look at the role Russian companies or U.S. companies that do business in Russia may have played in the compromise of the SolarWinds software. 

Dave Bittner: CyberScoop quotes Assistant Attorney General for National Security John Demers as saying yesterday, quote, "if there's back-end software design and coding being done in a country where we know that they've used sophisticated cyber means to do intrusions into U.S. companies, then maybe U.S. companies shouldn't be doing work with those companies from Russia or other untrusted countries," end quote. 

Dave Bittner: CyberScoop's sister publication FedScoop reports that CISA now believes it has a better understanding of the risks and dependencies in the federal government's software supply chain. At least nine federal agencies were affected by the SolarWinds compromise. CISA hopes that increased transparency in both software development and system architecture will serve to build a more secure supply chain. 

Dave Bittner: Scripps Health in Southern California is still recovering from the unspecified cyberattack it sustained last weekend, KPBS reports. The medical system is using workarounds as it continues to deliver care and says that patient safety is uncompromised, but scheduling and other IT-dependent functions continue to see disruption. Patients are reported to be seeking care at other regional health care providers. 

Dave Bittner: The British consumer advocacy organization that goes by the name Which? says that thousands of U.K. households are using outdated and vulnerable home routers. Thirteen widely used models display such common vulnerabilities as default passwords and outdated firmware. Some of the routers haven't received updates or security patches since 2016.

Dave Bittner: WeLiveSecurity reports that two companies' products, at least, deserve honorable mention. Devices produced by BT and Plusnet were found to contain none of the easily exploited vulnerabilities that Which? and its technical partners at Red Maple Security (ph) found. 

Dave Bittner: And, finally, ZDNet reports, citing security firm Sophos, that a European biomolecular research institute lost a week's worth of data to a Ryuk ransomware infestation. The ransomware found its way in courtesy of a student who was looking for a free version of visualization software and settled for a cracked version and, worse yet, disabled Windows Defender so as not to be bothered by its alerts. The cracked software executed a Trojan on the student's device which stole RDP credentials. The attackers then used their access to install Ryuk. 

Dave Bittner: In this case, it wasn't the unnamed institute that was responsible, but rather a user who abused convenient but permissive access policies. 

Dave Bittner: The SASE framework is a hot topic in cybersecurity these days, SASE standing for secure access service edge. To help cut through the hype, we checked in with Rupesh Chokshi, vice president of AT&T Cybersecurity, for his take on SASE's potential. 

Rupesh Chokshi: So right now, you know, SASE is one of the hottest terms in the market with customers in the business world as security becomes sort of, you know, front and center for everybody. And I think of it as, you know, we have evolved into a hyper-distributed, you know, workforce environment for the enterprise with the hyper-connected - you know, from a capability perspective. 

Rupesh Chokshi: So the combination of these things is creating this very unique opportunity for a security-centric framework, which SASE is all about, and bring capabilities that can drill down at a very granular level to protect the data, protect the applications, protect the information flows and protect the network for that customer, for that enterprise, for that session, for that particular identity end user.

Dave Bittner: And what are the specific things that attract people to adopting a SASE framework, for example? 

Rupesh Chokshi: I think the main drivers are sort of, you know, this ability to have, you know, kind of security done at a very granular level, the ability to have a zero trust in a network or capability, the ability to bring, you know, the entire enterprise, whether it's a, you know, branch location or a user working from anywhere or a business IoT endpoint. All of this data and the different connectivity types, whether it is the wireless network or the wireline network, you know, bring all of that into the framework and be able to then, you know, provide the security policies and controls and the granularity that is needed. 

Dave Bittner: You know, with SASE being as hot as it is, of course, that means that folks who are considering it are getting all sorts of marketing messages about it and so on. I'm curious. What are your recommendations for folks of how to get started, how to cut through that noise and get a real solid understanding of what it might mean to them? 

Rupesh Chokshi: Right. That's a great question, Dave, because, you know, as a trusted adviser, you know, I would like to recommend a few things that says, look; you know, sit down with the experts. You know, we have security consulting offers that we provide along those lines of, you know, SASE readiness, you know, literally with that mindset to say, OK, let's better understand what is the environment, right? Are you going to have a distributed workforce for a period of time? Are you going to bring it all, you know, back into the fold or not? Are you adding significant amount of sort of, you know, new devices and new users and new endpoints, and do you have a way to kind of, you know, secure those? And what are you going to do about it? 

Rupesh Chokshi: So I would say that - spend the time on the architectural framework aspect of it, better understand what the business drivers are and think of the sort of, you know, outcome because security is not just, you know, about the technology. This is about the business, right? It's a business problem in terms of, am I secure? Am I compliant? Do I have the risk profile figured out? Have I done all of the testing that I need to do? So it's basically - lay out the blueprint, partner up with somebody you can kind of work and trust, and then get into phased execution. 

Dave Bittner: And when you look at organizations that have successfully adopted a SASE approach, are there any things that they have in common? Are there any things you see that set up particular organizations for success? 

Rupesh Chokshi: I think there are sort of, you know, two dimensions that I'm seeing, you know, more and more. So one is sort of, you know, setting it up in a way that all of the physical locations or the branch locations are all sort of, you know, secure within that framework, and you're applying certain rules and policies. So I'm seeing that, you know, more and more. 

Rupesh Chokshi: You know, one example is that we worked, you know, last year into this year with a health care customer as an example, right? And that health care customer is talking about, you know, how do I do the clinics and the hospitals and get them ready, but simultaneously, I have a workforce that I need to, you know, be more remote and bring that into the mix? So I'm seeing the branch transformation with SASE, and I'm seeing the remote work transformation with SASE here and now. 

Dave Bittner: That's Rupesh Chokshi from AT&T Cybersecurity. There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects, where you get access to this and many more extended interviews. 

Dave Bittner: And joining me once again is Daniel Prince. He's a senior lecturer in cybersecurity at Lancaster University. Daniel, it's always great to have you back. I want to touch base with you today about cybersecurity education, certainly something that is near and dear to you and part of your everyday. But sort of check in. You know, where do things stand today? 

Daniel Prince: Well, I say as a senior lecturer at a university, cybersecurity education is a passion of mine. And it's - a reason why I wanted to talk about it really is it's a massively changing industry at the moment. From my point of view, cybersecurity has gone through incredible change in terms of the professionalism that sits around it. And we're seeing, you know, in the U.K. the rollout of the UK Cyber Security Council, who's really meant to be there to establish cybersecurity as a professional body. 

Daniel Prince: And so that changes the nature of education. And I'm looking at it from the point of view of the university. And this year, we're celebrating the 10th year of our multidisciplinary cybersecurity program. And looking back from where we started to where we are now and how the industry's changed is - it's quite a remarkable journey. And thinking back 10 years, where there was a lot of push around industry certifications and all, you know, the types of tests that we were doing then to assess the quality of cybersecurity professionals, to where we are now, with lots of informed, practical-based assessments. 

Daniel Prince: And then the role of academia within that as well has changed. And within the U.K., the National Cyber Security Centre has recently rolled out the Academic Centers of Excellence in Cyber Security Education. And I know in the U.S., they've got a similar scheme to recognize centers - academic centers which are really trying to be at the forefront of cybersecurity education. And Lancaster's submitted and is fortunate to be awarded one of those statuses. 

Daniel Prince: And it's - again, it's moved away from not just being about educating professionals, but what are we doing in the academic community to teach historians or English-language specialists or, you know, how are we reaching out across and improving cybersecurity awareness for a variety of different disciplines and roles? And I think that's reflecting really the criticality of digital technology in every single role and then the importance that cybersecurity has with those roles and not just this isolated profession of protecting a few computers. 

Dave Bittner: Yeah, that's fascinating to me. I mean, I think back to my own university days. And, I mean, is this a situation where you're having - you can have classes that are, you know, cybersecurity for nonmajors, you know, that sort of thing? 

Daniel Prince: Yeah, that's certainly something that we are looking to move out of - yeah, really the kind of extracurricular activities and certainly something to put into almost like professional studies for these other disciplines. You know, there's always been a tie with management sciences, so we do a little bit in there. But, you know, when you get into some of the humanities, certainly, you know, it would be the last thing that you think about. And in some ways, it's almost like data science type of skills. And we're seeing a big push to embed data science in a lot of the - a lot of other kind of disciplines and roles because it's such an essential skill. 

Daniel Prince: And cybersecurity is such an essential skill, and it shouldn't just be left to a select few. I mean, I likened it to, you know, "300." It's not about, you know, 300 Spartans sealing the breach. Everybody's got a role to play in protecting the whole system and, you know, and our society. And I think because the technology is now so expansive, we can't take that for granted, and we all have a role in protecting it. 

Dave Bittner: What's the response of the university been? Are they supportive here? Do they recognize that this is something that needs broader attention? 

Daniel Prince: Well, yeah. So as part of the - our application process to become a center of excellence, we required a high level of support from our vice-chancellor down. So they're very supportive. And we're looking at how we actually start to integrate some of this education into some of our other degree programs not to try and displace the central curriculum they're teaching, but to help them to understand the role within the roles that they are going to take on. 

Daniel Prince: Because, for me, it's about having them, the students and then the future employees, empowered to be able to ask that question and challenge, are we doing the right thing with the systems, the data that we have? And if we can start to get people to ask those types of questions in the - as an employee, that will then start to hopefully lead to answers in terms of increased protection for us all. 

Dave Bittner: Is there an intimidation factor that you need to get past? You know, you're a student who's, you know, doing their course of studies in the humanities. Might they find themselves put off a bit by, you know, this computer science topic? 

Daniel Prince: Yeah. I mean, we have conversations like this internally within the university. But it's a fundamental truth that our students can't do their studies now without their computers, right? They are - you know, just look at the global pandemic and the role that that technology has played in ensuring that educationists and students have stayed connected, that we've still been able to teach. And those students have also been able to maintain contact with their families. 

Daniel Prince: It's so interwoven in the way that we work and the way that we live that it just becomes vital that they have some basic skills suitable for their discipline in the same way that we teach, you know, basic road safety. You know, it's got to be there because it's such an essential part. 

Daniel Prince: And specifically, we don't want them to be able to go and configure firewalls and, you know, make sure that they write patches themselves. That's not what I'm advocating. I think the important thing is to spark that curiosity so they can go away and find the answers or at least not be intimidated - and I think that goes back to your point - at least not be intimidated to try and tackle some of these problems. 

Dave Bittner: All right. Well, Daniel Prince, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: If you're looking for something to do this weekend, be sure to check out "Research Saturday" and my conversation with Mike McLellan from Secureworks. We're going to be discussing SUPERNOVA web shell deployment that's linked to the SPIRAL threat group. That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.