The CyberWire Daily Podcast 5.19.21
Ep 1336 | 5.19.21

Updates on the Colonial Pipeline incident, and other ransomware incidents. A watering hole for water utilities. Credential harvesting, cryptojacking, and banking Trojans.


Dave Bittner: Colonial Pipeline corrected yesterday's IT glitch, and its CEO explains the decision to pay the ransom. A rundown of recent ransomware activity. A watering hole for water utilities? Credential harvesting and cryptojacking in the cloud. A banking Trojan spreads from Brazil to Europe. Joe Carrigan looks at keyboard biometrics. Our guest, Dotan Nahum from Spectral, on shifting left in security development. And the metaphysics of attribution.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, May 19, 2021. 

Dave Bittner: After a brief disruption caused by an IT problem yesterday, Colonial Pipeline tweeted that it had quickly resumed full service and that the brief interruption was not the result of a cyberattack. The company said, quote, "our internal server that runs our nomination system experienced intermittent disruptions this morning due to some of the hardening efforts that are ongoing and part of our restoration process. These issues were not related to the ransomware or any type of reinfection," end quote. 

Dave Bittner: Colonial's CEO, Joseph Blount, confirmed to The Wall Street Journal that he did authorize payment of $4.1 million in ransom to the company's extortionists. The urgency of restoring service, combined with the company's uncertainty about how extensively its systems had been compromised, drove the decision. 

Dave Bittner: He acknowledged that deciding to pay the ransom was difficult and that he knew the decision would be controversial, but he judged the situation analogous to the challenge of restoring service after a natural disaster, like a Gulf hurricane. In this case, however, the disruption was more widespread than what the company usually sustains in a hurricane. 

Dave Bittner: Elliptic, which identified a Bitcoin cryptowallet used by DarkSide, puts the ransomware gang's take at somewhat more than $90 million. On the average, victims paid $1.9 million. They were able to track payments made from 47 wallets. DarkSide has claimed 99 successful attacks, which suggests that about half the organization's hits made some payment. 

Dave Bittner: At noon today, security firm eSentire published an overview of six ransomware groups' activities. Ryuk/Conti had 63 new victims this year. Sodin/REvil had 52. DoppelPaymer came in at 59 new victims. Clop had 35. DarkSide, who are relatively new, but high-profile - they had 37 victims this year. And Avaddon had 47 victims so far in 2021. 

Dave Bittner: ESentire writes, quote, "the high level of activity carried out by these six ransomware groups has certainly given the TRU team pause. If these threat groups are to be believed, they are wreaking havoc against many more entities than the public realizes," end quote. 

Dave Bittner: Industrial security specialists at Dragos have an interesting account of a watering hole that appears to have some circumstantial temporal connection to the incident at the Oldsmar, Fla., water utility. Hosted on a water infrastructure construction company's site, the watering hole did not seem to compromise or deliver malware to the utility's control systems, instead collecting legitimate browser data for the purpose of improving the botnet malware's ability to impersonate legitimate web browser activity. 

Dave Bittner: Security firm Trend Micro's description of TeamTNT's operation offers an interesting kill-chain description of a credential-harvesting campaign against cloud services. Trend Micro wrote, quote, "credentials stored in plain text serve as a gold mine for cybercriminals, especially when used in subsequent attacks. Harvested FTP credentials, for example, could lead to old-school website hacking or credential modifications, followed by ransom demands in exchange for access or data restoration. The same goes for vulnerabilities, especially those in unpatched and otherwise unsecured internet-facing systems," end quote. 

Dave Bittner: Also active in the cloud are cryptojackers. The Record reports they're abusing free tiers of cloud services. 

Dave Bittner: It's a pretty obvious scam, really, the sort of thing that might well occur to some teenagers with too much time on their hands. The report says, quote, "gangs have been operating by registering accounts on selected platforms, signing up for a free tier and running a cryptocurrency mining app on the provider's free tier infrastructure," end quote. 

Dave Bittner: Obvious, of course, doesn't mean ineffective, but what follows can be easily managed. Quote, "after trial periods or free credits reach their limits, the groups register a new account and start from the first step, keeping the provider's servers at their upper usage limit and slowing down their normal operations," end quote. 

Dave Bittner: Kaspersky researchers report that the Bizarro banking Trojan has spread from Brazil to targets in Spain, Portugal, France and Italy. Bizarro may be using social engineering to induce its victims to install an app that ultimately compromises their banking information. 

Dave Bittner: BleepingComputer says that a new version of MountLocker ransomware is spreading through Windows Active Directory APIs. Its propagation is worm-like, and the gang that's distributing it has operated as a ransomware-as-a-service affiliate scheme, with the gang itself keeping a relatively low, by criminal standards, 20% to 30% of the take. 

Dave Bittner: In March of this year, a new group, AstroLocker, surfaced to deploy a new version of MountLocker. AstroLocker described themselves as in an alliance with the MountLocker gang. 

Dave Bittner: Attribution of cyberattacks to specific criminal groups is the last refuge of metaphysics in security, if only because identity conditions for gangs are notoriously slippery and protean. How do you recognize the same gang when it shows up again? 

Dave Bittner: Defense One points this out in the case of DarkSide, the group generally regarded as the one behind the Colonial Pipeline attack. The authors, both from RAND, note that, among other things, it would be unwise to accept DarkSide's self-presentation as apolitical. Cyberspace is no stranger to fronts, false flags, cutouts and other forms of misdirection. 

Dave Bittner: KrebsOnSecurity notes some evidence of, at the very least, a desire on the part of DarkSide to avoid getting on the wrong side of the Russian organs. Quote, "DarkSide, like a great many other malware strains, has a hard-coded do-not-install list of countries which are the principal members of the Commonwealth of Independent States, former Soviet satellites that mostly have favorable relations with the Kremlin," end quote. 

Dave Bittner: More to the point than friendly relations with Moscow, which a number of the former Soviet republics decidedly do not enjoy, is the kind of linguistic slop that could facilitate collateral damage to Russian organizations. Better to avoid anyone using Cyrillic characters. And such damage is something a gang operating at the sufferance of the Kremlin, even if not working under state direction, would in all cases want to avoid. 

Dave Bittner: Cybereason finds DarkSide's claims to follow a high-minded, Robin Hood-esque code of ethics implausible. The gang's communiques suggest that they didn't mean to impose any hardship on individuals, regular Janes and Joes in the line at the gas station. 

Dave Bittner: Quote, "if they are to be believed, all they saw was another slow-moving, wealthy target. They were pirates, they tell us, not privateers, and certainly not a nation-state navy. And they are honest pirates who follow a code, and thus deserve some sympathy for this huge but honest mistake." 

Dave Bittner: Hornigold, and Every before him, DarkSide wouldn't be the first criminal organization to appeal to the sympathies of their victims by claiming that they follow a strict code of ethics. It remains to be seen if it will work or if it's true. Semi-state-sanctioned crime may not repeat itself through the ages, but it often rhymes. 

Dave Bittner: And, finally, Sergei Naryshkin, director of Russia's SVR, told the BBC that not only was Russia not behind the SolarWinds compromise, but that, in fact, the American intelligence services were - probably - and the British services, too. It's the kind of thing the Anglophone powers would do - probably. Mr. Naryshkin is flattered by the accusation that the SVR did it, but such charges are not only false, but, in his words, pathetic. So there you go. 

Dave Bittner: Shift left is a phrase often heard applied to software development and software security, but what exactly does it mean? Dotan Nahum is the CEO and founder of Spectral, a code security company, and he joins us to help make sure that understanding shift left is something that we get right. 

Dotan Nahum: There's one thing I like to say - is that history repeats itself. So actually, shift left isn't so new. I mean, if you look at QA, which is, you know, quality assurance in software, so - and we go back maybe 20 years, that is a profession that has evolved. So we used to ship software, and we used to have this epic moment where software was being tested in terms of for quality and looking for bugs. And we had specialized personnel that were actually testing the software. And there was this big event, which we called GA (ph), and we burned the software on a CD and we shipped it to our customers that way. 

Dave Bittner: Right. The Golden Master, right (laughter)? 

Dotan Nahum: Yeah, yeah. 

Dave Bittner: Yeah. 

Dotan Nahum: I mean, even the term is taken from there. And then around 2001, there was, like, extreme programming, you know, a movement led by Kent Beck, which is, you know, a unit testing superstar. And then unit testing was kind of introduced as a practice. And - but you know what? Just fast-forward 20 years to today, and today, unit testing is very, very natural. And manual testing, you know, is kind of awkward. So that is kind of an evolution that happened in software. And, you know, it's basically intuitive. And we can all connect to that because we've all experienced bugs. 

Dotan Nahum: So in that terms, shift left is how do we break this epic event called testing security in production or getting an audit or getting a pen tester, and how do we take that thing and kind of bring it toward the start of development process? 

Dave Bittner: So the actual term of shift left refers to moving it earlier in the process, having it not be something that happens at the very end. 

Dotan Nahum: Correct, correct. So it assumes that left is the beginning and then the right is the end, like reading an English sentence. And actually, the left side is actually the left side of the software development lifecycle, which means the left side is the start and the right side is whatever, like deploy to production and ship your software. 

Dave Bittner: So is this the shape of things to come? I mean, does it seem as though overall, the industry is - has recognized that this is the way they should be heading? 

Dotan Nahum: Yeah. I mean, it's all about optimization. I mean, every society, every organization, everything that needs to produce is actually - you know, if you look at this in a philosophical way - is trying to optimize. And we're running out of things to optimize, right? 

Dotan Nahum: So scale - that was an issue, like, back in 2011 up to 2014. And scale is still kind of an issue. But, you know, back then, databases, document databases and all kinds of new databases were emerging just to compensate for the scale problem that was caused by, you know, the network effect that everyone are - were building their own Facebook, and Twitter was born and social networks were, you know, emerging every now and then. 

Dotan Nahum: But, you know, it's kind of, so where's the scale problem these days? You hardly hear of apps, organizations that are crashing due to scale problems these days, where in 2014, it was kind of a couple times a quarter. And so it looks like security is the next thing to optimize, and that is what's happening. 

Dave Bittner: That's Dotan Nahum from Spectral. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: I had - this interesting Indiegogo caught my eye. This is one of those fundraising platforms. And there's a security-related one that some folks are trying to spin up here. And the product is interesting, but I thought it also speaks to an interesting way of tracking people online. 

Joe Carrigan: Right. 

Dave Bittner: And I thought we might have an interesting conversation about that. Why don't you give us a little background here, Joe? 

Joe Carrigan: So the concern - this is from somebody named Paul Moore, who is the founder of something called Privacy Protocol. 

Dave Bittner: Yeah. 

Joe Carrigan: And Paul's concern here is that biometric tracking of the way you type can identify you. And in the Indiegogo ad, he says that they can identify your - these algorithms can identify your gender within 10 keystrokes and then identify you uniquely with just a few more keystrokes. 

Dave Bittner: Right. So everybody has their own unique cadence... 

Joe Carrigan: Right. 

Dave Bittner: ...When they type. You have... 

Joe Carrigan: Yes. 

Dave Bittner: Yeah. And so they can look at that cadence, assign that to you. And then when you show up typing somewhere else, they can say, aha, I recognize this cadence. 

Joe Carrigan: That's correct. 

Dave Bittner: OK. 

Joe Carrigan: And this can be used for tracking you across different platforms. I am almost positive that some of the social media sites out there are already using this kind of thing to identify you online even without your knowledge. It can be done locally with JavaScript on - you know, in your web browser. So your computer actually does the processing to send back the fingerprint to the AI algorithm that then does the comparison. And from there on, they've got you. 

Joe Carrigan: There's an interesting article that Paul links to in here from Ars Technica from way back in 2015. You remember 2015, Dave? 

Dave Bittner: Vaguely (laughter). 

Joe Carrigan: From Dan Goodin, it's "How the Way You Type Can Shatter Anonymity - Even on Tor," OK? If - I mean, Tor is a great anonymity tool out there. 

Dave Bittner: Yeah. 

Joe Carrigan: It does a really good job of anonymizing your traffic. But if you allow JavaScript to run on a web browser and somebody fingerprints your typing, they've got you. They've got you pretty - they've identified you, and your privacy is gone. It doesn't matter how many different Tor nodes are coming through. If they have a way of saying - who is this? - this is Dave Bittner... 

Dave Bittner: Right. 

Joe Carrigan: ...Then guess what. They know it's you. It's like you go to Facebook and log in from Tor. Then Facebook knows who you are... 

Dave Bittner: Right, right. 

Joe Carrigan: ...On that entire Tor session, right? 

Dave Bittner: Sure, sure. 

Joe Carrigan: What this project does is - this project is actually on Indiegogo, is actually a hardware - a piece of hardware that you plug your keyboard into, and then you plug this into your keyboard slot on your computer through the USB port. So it's essentially like an intermediate USB device. 

Dave Bittner: Yeah, little USB man in the middle. 

Joe Carrigan: Right, exactly. 

Dave Bittner: OK. 

Joe Carrigan: So it alters the timing of how you type. I don't know if there's any visible output - outcome of this. As you're typing, things show up and you can notice how much slower they show up. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: I don't know. I've never used this device. It seems like a really good idea. 

Dave Bittner: They have a Chrome plug-in, which was how they got started on this. 

Joe Carrigan: Right. There is a Chrome plug-in that kind of does the same thing. But one of the arguments they make in their article here for the Indiegogo campaign is that the Chrome plug-in can be detected, and this device cannot be detected. 

Dave Bittner: Right. 

Joe Carrigan: I'm not sure how comfortable I am plugging in a USB device directly into my keyboard. 

Dave Bittner: (Laughter). 

Joe Carrigan: I mean, I'm not trying to impugn Paul's character here. 

Dave Bittner: Sure. 

Joe Carrigan: I'm sure Paul Moore is a good guy. And - but, you know, it's - there's all kinds of opportunities for supply chain attacks on this (laughter). 

Dave Bittner: Sure, sure. 

Joe Carrigan: But this should be something that maybe people like Dell and Apple should start considering - and Microsoft, I guess, 'cause Microsoft also makes hardware now. Maybe you should start adding this as a feature to your keyboards or offering it as an option. 

Dave Bittner: Yeah, it could just be built into the OS, I suppose, where... 

Joe Carrigan: It could be built into the OS. That's correct. 

Dave Bittner: ...It just randomizes the delay between characters so that it takes away their ability to track you biometrically or smooths it out. Who knows what the most effective way is? It seems as though these people who are behind this keyboardPrivacy project, they've - according to their testing, whatever they're doing here is very effective. 

Joe Carrigan: Right. It looks like these algorithms have no success once you use the hardware. 

Dave Bittner: Yeah. This reminds me of something I thought of many, many years ago, which was instead of using passwords, could you use passrhythms, you know? 

Joe Carrigan: Yeah, you can. 

Dave Bittner: Yeah. 

Joe Carrigan: And - but the problem with that is this is a biometric. 

Dave Bittner: Yeah. 

Joe Carrigan: And I've made clear my feeling on biometrics, and I'll just restate it here. My problem with biometrics is they're immutable. You can never change them. So because of that, it's - I think that there is - there are - there's a good attack model, a good threat model of impersonation and making impersonation a lot easier... 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: ...Particularly with these rhythms. You know, if I can identify the biometric rhythm with which you type, I can impersonate it very easily. 

Dave Bittner: Yeah. All right, well, it's an interesting project. Again, it's over on Indiegogo. It's called keyboardPrivacy, if you want to chase it down. Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.