The CyberWire Daily Podcast 5.12.21
Ep 1331 | 5.12.21

The security industry looks at DarkSide ransomware. CISA offers advice on defense and recovery. A new banking Trojan is out. Deprecated protocols remain in use. A quick look at Patch Tuesday.
Dave Bittner: Hi, everybody. We're excited to let you know that we're adding an incredible new show to the CyberWire podcast network. It's Microsoft's "Security Unlocked: CISO Series" with Bret Arsenault. Listen in as Microsoft's chief security officer, Bret Arsenault, talks one-on-one with industry's leading CISOs, as well as technology leaders at Microsoft. In each episode, Bret and his guests will dive into the biggest challenges in cybersecurity, sharing new ideas and perspectives, and provide practical guidance based on the actual strategies implemented by Microsoft and Microsoft's biggest customers. You're not going to want to miss this one. Check it out on our web site at, and be sure to subscribe wherever you get your favorite podcasts. A big welcome to Microsoft to the CyberWire podcast network.

Rick Howard: I think we are bad security practitioner historians. We see the strategies that our current senior security leaders have pursued in the past, admittedly with some successes, but certainly with a raft of failures, too. And still, we continue to travel in the same worn-out ruts that our predecessors made for us, moving in the same general direction, incrementally improving the situation day by day, but never stopping to wonder if we've been going in the right direction in the first place. 

Rick Howard: There's a whole new generation of security professionals waiting in the wings for their turn at the plate to become senior security executives that are perhaps wondering if there's a better way. And there is a rafter of turkeys, and I include myself in that group of gray-hairs, who have been doing this for a while and wonder if we can get our act together and be better at this kind of thing. 

Rick Howard: My name is Rick Howard, previous CSO of Palo Alto Networks, recovering general manager of iDefense and a former commander of the Army's Computer Emergency Response Team, and now, at the CyberWire, the host for "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. This show is my attempt to take a fresh look at the act of defending our organizations in cyberspace, but from the executive point of view and through a first principle lens. 

Rick Howard: But it's not just me yelling into the wind how everything is broken and everybody should do it my way like a grandpa standing on the porch and yelling at the kids to get off of my lawn. To keep me in check, I'm often joined by our hash table subject matter experts, other CSOs and industry thought leaders who come on the show on a regular basis to challenge my crazy ideas and to share their unique experiences and perspectives. This is not your typical security interview show. If any of this sounds like something you'd be interested in, check it out at That's 

Dave Bittner: FireEye's report says that "Mandiant has identified at least five Russian-speaking actors who may currently or have previously been DarkSide affiliates. Relevant advertisements associated with a portion of these threat actors have been aimed at finding either initial access providers or actors capable of deploying ransomware on accesses already obtained. Some actors claiming to use DarkSide have also allegedly partnered with other ransomware-as-a-service affiliate programs, including Babuk and Sodinokibi, also known as REvil."

Dave Bittner: Researchers at security firm Flashpoint are interested in the connections they discern between DarkSide and REvil. 

Dave Bittner: Quote, "Flashpoint assesses with moderate confidence that the threat actors behind DarkSide ransomware are of Russian origin and are likely former affiliates of the REvil ransomware-as-a-service group. Several facts support this attribution. Spelling mistakes in the ransom note and grammatical constructs of the sentences suggest that the writers are not native English speakers. The malware checks the default language of the system to avoid infecting systems based in the countries of the former Soviet Union. The design of the ransom note, wallpaper, file encryption extension and details and inner workings bear similarities to REvil ransomware, which is of Russian origin and has an extensive affiliate program. This shows the evolution path of this ransomware and ties it to other Russian-origin ransomware families. And the affiliate program is offered on Russian-language forums XSS and Exploit." 

Dave Bittner: As an aside, many outlets have reported, with an appearance of credulity, that DarkSide has foresworn attacks that amount to an infliction of social ills and that the attack on Colonial Pipeline may be one the operators now regret. DarkSide communiques have indeed offered various high-minded expressions of care in their selections of targets. While their avowals have more than a whiff of late-night dormitory discussions of why it's wrong to steal from people but OK to steal from institutions, man, it would, we think, be naive to take even such feeble moralizing too seriously. 

Dave Bittner: As Flashpoint observes, quote, "it's worth noting that DarkSide actors have pledged in the past not to attack organizations in the medical, education, nonprofit or government sectors. At one point, they also advertised that they donate a portion of their profits to charities. However, neither claim has been verified and should be met with a heightened degree of scrutiny. These DarkSide operators would be far from the first cybercriminals to make such claims and not follow through," end quote. 

Dave Bittner: Colonial Pipeline's website came back online late yesterday, newly armored with a reCAPTCHA landing page. The company published an update in which it reported progress toward resumption of refined petroleum deliveries with some 967,000 barrels delivered to Atlanta, Belton and Spartanburg in South Carolina, Charlotte and Greensboro in North Carolina, Baltimore, and Woodbury and Linden, which are close to the Port of New York and New Jersey. 

Dave Bittner: Some lines have been operated under manual control since Monday, at least, and have been moving existing inventory. As the company prepares to restart deliveries, they've taken delivery of an additional 2 million barrels, which they'll ship once service is restored. 

Dave Bittner: The company appears also to be addressing some concerns about its pipelines' physical security, having increased aerial patrols of their pipeline right of way, and deployed more than 50 personnel to walk and drive 5,000 miles of pipeline each day. 

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency has issued an alert that offers a set of best practices to protect against ransomware-induced business disruptions. The alert was prompted by the attack against Colonial Pipeline, and it includes in its introductory section the preliminary conclusion that DarkSide ransomware affected Colonial's IT systems only and had no direct effect on the company's OT networks. 

Dave Bittner: The best practices CISA advocates are as familiar as they are sound. They include measures that can be taken to avoid infection in the first place, mitigations that can reduce the business impact of a ransomware infection, should one occur, and steps organizations could take in responding to an attack. 

Dave Bittner: The alert closes with a statement intended to strongly discourage any victim from paying the ransom their attackers demand. Quote, "Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim's files will be recovered," end quote. 

Dave Bittner: Colonial Pipeline isn't the only energy company to sustain a ransomware attack. The Wall Street Journal, which notes that ransomware is a burgeoning threat elsewhere too, reports that Volue ASA, a Norwegian provider of tech to infrastructure and energy companies, was hit by ransomware earlier this month. Recorded Future looks at the criminals' recent record and sees indiscriminate attacks against targets of opportunity, which appears to be the norm for ransomware operators. 

Dave Bittner: Among the sectors affected indirectly by mounting rates of ransomware is insurance. The Wall Street Journal describes underwriters' growing skittishness about covering ransomware risks, and that such coverage has become pricier to buy. 

Dave Bittner: A major insurer, France's AXA, announced last week that it will no longer indemnify new policyholders for payments they make to ransomware operators. It had been the insurance industry practice to do so, ransomware payments being factored into the risk management calculus the way retailers accept a certain amount of shrinkage - that is, pilfering, shoplifting - of their inventory. It seems likely that other insurance firms will follow suit. Ransomware has become too large a problem to treat as a cost of doing business. 

Dave Bittner: Cleafy describes TeaBot, an Android banking Trojan that first appeared in Italy and is now engaged in fraud campaigns across much of Europe. TeaBot steals credentials and SMS messages. It includes keylogger and screenshot capture functionality. It disables Google Protect. And it steals other accounts from Android settings and Google authentication two-factor authentication codes. It also shows the ability to abuse accessibility services to simulate gestures and clicks on the screen. 

Dave Bittner: ExtraHop this morning released a study of how insecure but widely used protocols expose organizations to cyber risk. In particular, the deprecated protocol exploited four years ago by WannaCry and NotPetya pseudoransomware, Server Message Block Version 1 (SMBv1), remains in widespread use. Other deprecated and insecure protocols still in use include Link-Local Multicast Name Resolution (LLMNR), NT LAN Manager (NTLMv1) and Hypertext Transfer Protocol (HTTP). 

Dave Bittner: The U.S. Senate Homeland Security and Governmental Affairs Committee is deliberating revising the Federal Information Security Management Act to facilitate information sharing about attacks with national security implications, Meritalk reports. The chair and ranking member appear to agree that changes are warranted by recent high-profile cyberattacks. 

Dave Bittner: Yesterday was Patch Tuesday. Microsoft addressed a total of 55 vulnerabilities, four of them rated critical. Adobe fixed problems in several versions of Acrobat and Acrobat Reader. The Zero-Day Initiative has a summary of these patches and their implications. Onapsis, which calls this month's Patch Tuesday a calm one, has an account of the 14 fixes SAP released. Siemens issued 14 advisories for its systems, nine of which, SecurityWeek writes, cover issues and third-party components. So patch 'em if you got 'em. 

Dave Bittner: A highlight of the annual RSA conference is the Innovation Sandbox, where hopeful startups are given the opportunity to pitch their wares in front of a panel of esteemed industry leaders. It's one of many innovation-focused endeavors from RSAC. And joining me with an overview is Cecilia Marinier, cybersecurity adviser for strategy, innovation and scholars at RSA Conference. 

Cecilia Marinier: So this contest actually started back in 2005, and it has been one of the flagship events at conference. And I believe also it's a flagship contest across the globe talking about innovation and cybersecurity. So we're very blessed to have amazing companies keep on putting their name in the hat to see who will be selected as one of the top 10 finalists. 

Cecilia Marinier: For this year, we have an incredible lineup of companies. It's - you know, I've been doing this for the past six years, and this particular year is so strong. There were so many solid, amazing companies that could have made it to the stage. I actually wish I could have done two or three of these contests because there was that many that were that good. So the quality and the interest and where they're taking the innovation this year is really something to watch. 

Dave Bittner: Can you give us some - a preview of what we might expect to see this year? 

Cecilia Marinier: Absolutely. So one of the things that, back at the beginning, when we opened up the submission process - and for any entrepreneurs, we do this about three months before contest - before the conference starts, so please mark in your calendar October for next year. 

Dave Bittner: (Laughter). 

Cecilia Marinier: But when we started this, I had interviewed Niloo Howe, who's one of the judges. And I asked her, Niloo, what do you think is going to be innovative this year? And she's like, oh, my goodness. The reality is, everywhere. And she named off at least 15 different areas where she was seeing innovation happening in cybersecurity. And it has a lot to do with the times. It has a lot to do with, you know, the change from working from home. But we've seen innovation everywhere. 

Cecilia Marinier: And what I was really impressed by is the diversity of not only the companies where they came from, but also just the actual innovative spotlights that they're coming at, what are the solutions actually focused on? And it is security risk and compliance and zero-trust networks, democratizing fraud alerts, cloud infrastructure security, data security protection, encrypted learning, SEC, DevOps, infrastructure platform, and - I mean, just - I can keep on going on and on. It was just an incredible year of innovation in almost all facets of cybersecurity. 

Dave Bittner: You know, one of my favorite things when we're able to attend RSA Conference in person is to wander around the edges of the show floor, to find those startups, those little companies, who have, you know, some of them, not much more than a hope and a dream, but they really believe that they've got something that could really change things. In the virtual world, it's harder to have that sort of serendipity of discovery. But I know you all are working on making those discoveries still possible this year. 

Cecilia Marinier: Absolutely. Great for highlighting this. We have an area in our digital expo called the Early Stage Expo area. It's on-site. We have it - we have a place on-site that's also dedicated to startups. But when you come into the RSA Conference this year, please go into the expo area. Check out those exhibitors that are in the Early Stage Startup area. They're all also very interesting and have great solutions. And the top 10 will be included in there as well, the Innovation Sandbox top 10 companies. So if you want to learn more about what they're doing, I highly recommend going into the Early Stage Expo area. 

Dave Bittner: That's Cecilia Marinier from RSA Conference. 

Dave Bittner: I have some special news to share today - the CyberWire podcast network is proud to be partnering with Microsoft to bring you a new podcast. It's called "Microsoft Security Unlocked: CISO Series," and it's hosted by Microsoft's chief information security officer, Bret Arsenault. Bret joins me with a preview of the new podcast. 

Bret Arsenault: What prompted the idea of starting the podcast was, over the past year, particularly with the pandemic and people working in different scenarios, I would get asked often about - you know, how do you think about security in this environment? What do you do? What are best practices? And I had the opportunity to meet with customers and partners and people from all over the globe that have really amazing and unique perspectives because it's affected people differently. Some people, you know, like, you think geographically sectorally if you're in manufacturing versus service industry. And so this is just a way to share, frankly, some of the great learnings I've been able to be fortunate enough to meet with people to have those kinds of conversations. 

Dave Bittner: You know, one of the things that strikes me is that as CISO at Microsoft, you certainly have your eye on a breadth of issues all around the world. So you're going to be able to bring that perspective to the show. 

Bret Arsenault: Yeah, I think we do have a unique position in that, one, we are one of the more attacked companies in the globe, and two, we have a unique position in just the way we protect ourselves and how we work in that environment. So, yeah, I think there's a pretty interesting opportunity from both us and our customers and partners to share some of that. 

Dave Bittner: What are your goals in terms of some of the conversations you're looking to have? 

Bret Arsenault: Well, I - really, the goals should be super simple. One, get some goals on key insights and topics relative to cybersecurity. But most importantly, leave with, like, three practical things you can do to help your position or help you with your own security mission. So that idea that - there are lots of smart people. Converting that into the three actions you could go do that would actually help improve your security posture - that's fundamentally what success would look like at the end of each session. 

Dave Bittner: And who are you targeting here? Are we aiming for other cybersecurity professionals? Are we looking for folks throughout an organization who may gain from your wisdom? 

Bret Arsenault: Yeah, I think they'll be - security people are interested. But honestly, I think it'll be people outside the security realm. I think security executives who aren't steeped in security but are trying to get a simplified view on what things they should go prioritize and maybe how they should go talk to their security people. 

Dave Bittner: You know, I think an interesting perspective that you bring to the table is one of scale. I mean, we think about Microsoft as being the large global company that it is. But would you say that you're really fighting a lot of the same fights that people who are defending organizations of all sizes around the world are faced with? 

Bret Arsenault: Yeah, I agree. Security is an interesting realm in that it impacts all facets of the business on all sectors, from consumer - like personally - to small business to mid-market to enterprise, and also every part of the business, whether it's business applications or whether it's, you know, cloud services or on premise services. So it really does touch about every element, every part of every business. And the good part of it is that the things that we learn, even at enterprise scale, the same things apply, like, how you do zero trust or securing a hybrid workforce are relative and relevant for a small business and medium-sized businesses, large business and some for the consumers, although this isn't really a - this isn't targeted to consumers, so I probably wouldn't include that. 

Dave Bittner: Yeah. Yeah. You know, as one of the most well-known brands, certainly when it comes to computing but I would say just in general, Microsoft - is it fair to say that you all have a bit of a target on your back when it comes to folks trying to come at you in the cybersecurity realm? 

Bret Arsenault: Well, I think it's fair to say, yeah. I mean, I think I have a great T-shirt with a big bull's eye on the back that I got when I took this job. 

Dave Bittner: (Laughter). 

Bret Arsenault: So, yeah, absolutely. You know, I think that adversaries come after all sorts of companies and sectors and industries and regions for various reasons. But yeah, certainly being a large player in the space, in the technology space, we see our fair share of attempts. 

Dave Bittner: Can you give us a preview of some of the topics that you're planning on addressing here on the show? 

Bret Arsenault: Yeah. I think the topics that we want to cover is really driven by the types of questions we were hearing broadly from our customers - how to secure the cloud. What is your zero trust really and how do I implement it? Securing a hybrid workforce in, you know, new world of work as we slowly come out of this pandemic. And really things like that, or cybersecurity skills gaps. Like, most people are struggling with how to get the right talent and how to address that. I think they're topics that really address every company, every business and every sector around the world. 

Dave Bittner: You know, Bret, one of the things that I think you bring to the table as the CISO at Microsoft is you have an extensive Rolodex. So when you make a phone call, people are likely to answer it. And I'm hoping that that means you're going to get some really interesting guests who are going to join you on the show. 

Bret Arsenault: Yeah, it's a great point. The guests are who make this show. These will be like who I consider some of the industry thought leaders in security, both from Microsoft, but probably more importantly, from customers who are just doing amazing work. And the goal for them, really, is in every episode to share practical advice, not just theoretical work that their listeners can actually go implement and help them drive their own security missions. 

Dave Bittner: All right. Well, Bret, we're looking forward to hearing the Microsoft CISO podcast here. Best of luck to it. And thanks for taking the time for us today. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. 

Dave Bittner: Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.