WastedLocker being distributed in RIG campaign. Investigation of the DarkSide attack on Colonial Pipeline. More ransomware gangs go offline. Double encryption. Third-party stalkerware risk.
Dave Bittner: Those who serve in the military - that's active or reserves - qualify for a steep discount of CyberWire Pro. Stay up to date on developments in cyber with full access to actionable reporting, analysis and insight concerning the global information security industry. We also have discounts for students, educators and large groups, too. Contact us to get your discount, and get started today. Visit thecyberwire.com/contactus. That's thecyberwire.com/contactus.
Dave Bittner: A new RIG campaign is distributing WastedLocker. The U.S. Congress considers two bills informed by the Colonial Pipeline incident, and congressional committees are looking at the company's response to the attack. More ransomware gangs go offline, but Conti is still trying to collect from the Irish government. Double encryption appears to be an emerging trend in ransomware. Ben Yelin looks at insurance companies clamping down on ransomware payments. Our guest is Nick Gregory from Capsule8 with thoughts on the Linux security landscape. And there's another problem with stalkerware: third-party risk.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, May 18, 2021.
Dave Bittner: Security firm BitDefender, this morning, issued a report that a new RIG exploit kit campaign is distributing what appears to be a new variant of WastedLocker ransomware, a strain associated with the Evil Corp gang. The campaign targets unpatched Internet Explorer browsers, and it uses known VBScript vulnerabilities. Victims get the infection by visiting a watering hole. Apparently, no interaction beyond the visit is required to expose vulnerable systems to infection. Patches are available for both vulnerabilities, and BitDefender advises bringing your systems up to date.
Dave Bittner: Now that operations have returned to normal, the DarkSide ransomware assault on Colonial Pipeline has moved into its after action review stage as legislators grill the company and third parties seek to extract lessons. BankInfoSecurity says that two bills influenced by the incident, the Pipeline Security Act and the CISA Cyber Exercise Act, are under consideration in the U.S. House of Representatives. The former would sort out responsibility for pipeline security between the Cybersecurity and Infrastructure Security Agency and the Transportation Security Administration. The latter would require CISA to establish a national program in which the government and industry could test their infrastructure's resilience against a range of cyberthreats.
Dave Bittner: Colonial Pipeline, yesterday, participated in staff briefings with the U.S. House Committee on Oversight and Reform and Committee on Homeland Security. The Committee chairs issued a brief statement communicating their concern and displeasure. Quote, "Following today's briefing from Colonial Pipeline, we remain extremely concerned about the rise in ransomware attacks and the threat to our nation and its critical infrastructure. It is deeply troubling that cybercriminals were able to use a ransomware attack to disrupt gas supply on the East Coast and reportedly extort millions of dollars. We are disappointed that the company refused to share any specific information regarding the reported payment of ransom during today's briefing. In order for Congress to legislate effectively on ransomware, we need this information. This attack not only highlights glaring vulnerabilities in our critical infrastructure, it also exposes a marketplace in which it may be easier for a company to pay off a criminal than put resources toward preventing and defending against attacks. We look forward to working with the Biden administration and our colleagues on both sides of the aisle to strengthen our nation's cyberdefenses and secure our critical infrastructure," end quote.
Dave Bittner: Politico offers a rundown of post-Colonial opinion on where the experts tell them ransomware is likely to strike next. It's the usual suspects - education, health care and local government, all of whom have recently received more than their fair share of attention from the ransomware gangs.
Dave Bittner: Jalopnik's rather sour take on the incident is the observation that the ransomware didn't actually interfere with pipeline operations, just Colonial's ability to bill customers for deliveries, which is why the company shut its systems down. Of course, you have to be able to bill for your products and services, so inability to track and invoice deliveries isn't a trivial flaw you can just fix when you get around to it. We're not in hakuna-matata territory here, friend. But the point is worth considering. Note, too, that an attack needn't hit industrial control systems to disrupt operations. An attack on business systems can often do the job, as it apparently did here. The Jalopnik piece also quotes some of the communications from DarkSide recounted to Zero Day like this one. Quote, "Before an attack, we carefully analyze your accountancy and determine how much you can pay based on your net income. You can ask all your questions in the chat before paying, and our support will answer them," end quote. Jalopnik's comment is apt enough. Quote, "I can't get over this exchange where the hackers are blase about the billing breach and refer Colonial to their customer service, as if this were some broadband outage from an ISP," end quote. Tell it, brother. The crooks do act like business reenactors, don't they?
Dave Bittner: That said, Energywire deputy editor Blake Sobczak tweeted late this morning that Colonial Pipeline notified customers today that it was currently experiencing network issues impacting customers' ability to enter and update nominations. Nominations in this sense refers to a shipper's request to move a certain amount of product. It's not known how serious this is, how long it might last or whether it's related to the DarkSide attack, but it's another instance of how problems with a business system can affect operations.
Dave Bittner: The DarkSide gang responsible for the Colonial Pipeline attack went offline late last week, either feeling the heat and deciding to lay low for a while or perhaps simply absconding with their affiliates' funds. Reuters reports that two other ransomware gangs, AKO and Everest, also went dark over the weekend. While underground criminal websites do from time to time suffer from instability, Recorded Future thinks that in this case the two gangs made a conscious decision to drop offline. Intel 471 has a useful account of where things stood with various gangs as of Friday - a number of groups seem to have skedaddled.
Dave Bittner: Conti is one ransomware gang that's still committing high-profile attacks, demanding the equivalent of $20 million for restoration of health care sites in Ireland. Computing reports that Prime Minister Martin says the Irish government has no intention of paying.
Dave Bittner: WIRED describes a further evolution in ransomware - double encryption. The gangs began by simply rendering victims' data unavailable, moved on to data theft and doxing and now have begun encrypting data twice. In some cases, they use one strain on part of a victim's information and a second strain on the rest, which means that a decryptor will at best restore a fraction of the data. In others, the criminals use, first, one strain, then another, on the entire corpus. So a second decryptor is necessary. You pay for one decryptor and then find you're being upsold to two. This doesn't seem a sustainable business model. One of the problems, we remember, with Colonial Pipeline's payment of ransom is that their reported $5 million didn't get them a particularly useful decryptor. That may just have been a lousy decryptor - and that's been seen before - but the principle is the same; it's bad business for a bad business, and no amount of chipper customer service chat is going to overcome the reluctance people are going to have to paying up.
Dave Bittner: Stalkerware is unsavory and a threat to privacy, but according to ESET, it's also dangerously slovenly, exposing its victims to further third-party risk. Stalkerware is often sold as a safety product, presumably one that enables a protector to look after you, as a parent might keep track of a minor child. But ESET notes that this particular fig leaf is a pretty small and translucent one. The security firm writes, "For stalkerware vendors to stay under the radar and avoid being flagged as stalkerware, their apps are in many cases promoted as providing protection to children, employees or women, yet the word spy is used many times on their websites. Searching for these tools online isn't difficult at all. You don't have to browse underground websites," end quote.
Dave Bittner: ESET researchers looked into 86 Android stalkerware apps and found a total of 158 vulnerabilities across 58 of them. Those bugs would enable a third party - neither the stalker nor the subject of the stalking - to extract sensitive personal information from the victim's affected device. And wait; there's more - some of the apps upload that personal data to their servers.
Dave Bittner: Despite vulnerabilities on Windows and Mac OS tending to grab the biggest headlines, attacks on Linux systems continue to grow in scope and prevalence. Nick Gregory is a research scientist at Capsule8, and his team has been tracking the issue.
Nick Gregory: So for Linux itself being the kernel, I would say it's a relatively good state of affairs, right? It's not like we're finding critical bugs every other week. Things do pop up every once in a while, but for the most part, the kernel itself is pretty robust at this point, I would say. As for, like, the rest of the Linux ecosystem, that's where I would say we start to run into more issues. Again, not everything is bad, but you're certainly more likely to hear about things impacting large businesses, you know, and those types of things, it feels like, almost every week.
Dave Bittner: And what sort of things are you all tracking? I mean, how has the proliferation of these sorts of malware tools taken place in the past year or so?
Nick Gregory: So we've definitely noticed a lot more just kind of low-hanging-fruit attacks. Crypto miners in particular have been basically present wherever we look, which was definitely not the case, it feels, you know, a couple - two, three years ago. Other than that, like, it feels like we're just seeing a lot of, again, kind of low-hanging fruit, people taking public proof of concepts and just trying to get whatever fast money they can with them - yeah, you know, and not a whole lot of, you know, advanced attacker stuff every day, luckily.
Dave Bittner: I know one thing that you and your team have been tracking is the adoption of the Go programming language...
Nick Gregory: Yes.
Dave Bittner: ...When it comes to the hackers coming after Linux. Can you give us a little bit of the background there? Why do you suppose we're seeing that?
Nick Gregory: Yeah, so Go in particular has a lot of nice properties for attackers. Existing tools to do reverse engineering are just now beginning to actually be able to, like, properly parse Go programs. Before - literally, I think two days ago, the most popular reverse engineering toolkit, IDA, basically just didn't support Go programs. Like, it would load them, but you just didn't get anything useful out of it. So there's that. There's the fact that they're statically compiled, so there's no chance of anything really going wrong. You just drop the binary and run it. There's no dynamic linking or anything. It's just there. And, you know, it's performance enough - and you can link in C libraries. So you can do anything with it still. So it's got a lot of nice features for attackers.
Dave Bittner: Where do you suppose things are headed when it comes to security on Linux but then also the bad guys coming after it? What do you think we're in for as you look towards the horizon?
Nick Gregory: So I would say, opportunistically, I'm very excited to see more adoption of Rust and other memory-safe languages, Go included. You know, it does have a good use for placing C programs. But Rust in particular is getting a lot of traction, and it's even starting to be integrated into the kernel itself. So, you know, the more things that we can get in that realm, you know, the better to just completely eliminate a whole bunch of vulnerability classes. Sounds good to me. That's - I guess that's kind of the largest thing that I'm seeing in the future. You know, there is going to be the continued push for cloud computing stuff and some of the nice things that come along with that, too. Again, securitywise, you know, you can very finely tune, like, IAM. So you do get some nice benefits there if you choose to use them. But, yeah, and I would say in general, the state of things is generally going in the right direction - eliminating vulnerability classes as we can.
Dave Bittner: That's Nick Gregory from Capsule8. And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Hello, Ben.
Ben Yelin: Hi, Dave.
Dave Bittner: So interesting story from Insurance Journal. And they are covering one of Europe's largest insurers, who has decided to stop paying for ransomware crime payments in France. What's going on here, Ben?
Ben Yelin: This is a really fascinating story, which to me, we're going to - I think is going to become more and more of an issue, and I'm not sure we have a solution to this problem. So this is the insurance company AXA. I believe that's how it's pronounced and not AXA, but you can correct me if I'm wrong. And they have decided that they are going to stop writing cyber insurance policies in France that reimburse customers for extortion payments made to ransomware criminals.
Ben Yelin: So a couple of limiting factors to this case, it does only apply in France. They insure companies in the United States, and this new policy will not apply to those insurance policies. But I think we're reaching a tipping point where policy officials and officials in the insurance sector and other areas of the private sector are starting to realize that there is this incentive problem. A lot of people are purchasing cyber insurance policies that cover the cost of paying a ransom or paying an extortion fee, and that's made the potential benefits of instigating ransomware attack far greater to cybercriminals because there's just more money in the game.
Dave Bittner: Right.
Ben Yelin: You know, if your ransom is covered, it's far more likely that you're going to pay the ransom 'cause it's not coming out of your own pocket; it's covered by insurance. So that could potentially lead to a resolution like the one here, where insurance companies decide to stop paying these extortion payments. But, you know, that's not really a solution to the broader policy problem because then the companies that are the victims of ransomware attack are still going to be on the hook for those payments. You know, that might give them more of an incentive to, you know, try and recover their own data rather than paying the ransom. And perhaps, you know, that's the long-term solution to this problem. But I think it's something we're going to have to watch out for. We're entering an era where cybercriminals are realizing how profitable it can be to engage in cybercrime largely because of these insurance policies.
Dave Bittner: Yeah. It's interesting. This article points out that they - I believe it was Emsisoft estimated last year that France's overall losses were more than $5.5 billion due to ransomware. And the payments have tripled to an average of more than $300,000. And the average time to recover is three weeks. I think it's interesting that they're pointing out here that the insurance companies will still cover the costs of recovering from a ransomware attack but not the actual ransom itself.
Ben Yelin: Yeah. And I think, you know, they're trying to create an incentive structure where the easiest solution is not to reward the criminals who instigated the ransomware attack in the first place. And I think that's a noble cause and a noble goal. Does it contend with the real-world situation, where sometimes organizations really just want to pay the ransom and have their, you know, data decrypted? I'm not sure it contends with that real world. And I think that's going to be a problem. I think in an ideal world, yes, you have the insurance cover recovering from the attack and not, you know, engaging in these extortion payments.
Dave Bittner: Yeah.
Ben Yelin: But I just don't know or think that that's the world that we live in.
Dave Bittner: Yeah. You know, I've wondered about this in some other interviews I've done with some experts on the topic. I wonder if insurance for ransomware is going to go the way of flood insurance, where you have a national program backed by the feds because it's not profitable for any private insurance companies to underwrite something like this. The losses are - can be too catastrophic. And so the really - the only backstop you can have is at the federal level. There's been some talk of that coming out of the Biden White House. Nothing's settled yet. But it's not something that they've dismissed.
Ben Yelin: Yeah. You'd hate to see that because the National Flood Insurance Program is kind of a mess...
Dave Bittner: True (laughter).
Ben Yelin: ...Which is a subject for a different show.
Dave Bittner: Right.
Ben Yelin: So you'd like to see this sort of decentralized system where people are purchasing insurance based on risk. And, you know, I think that can be undermined when you have this situation that we're seeing now, where cybercriminals realize that there's a lot more - there's a much greater chance that they're going to be reimbursed for their crimes because so many of these companies have insurance policies that cover extortion payments.
Dave Bittner: Yeah. Yeah. All right. Well, interesting times for sure. Ben Yelin, thanks for joining us.
Ben Yelin: Thank you.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.