The CyberWire Daily Podcast 5.20.21
Ep 1337 | 5.20.21

DarkSide: absconding, rebranding, or retiring to a life of penitence? (Probably the first two.) Israeli airstrikes said to target Hamas cyber ops centers. Apps behaving badly. Notes on phishbait.


Dave Bittner: Did DarkSide really see the light and shut down with a sincere promise of reform and restitution, or is the gang just rebranding? Researchers look at DarkSide ransomware and find complexity and sophistication. Israel says airstrikes in Gaza were intended to take out Hamas cyber ops facilities. Poor practices seem to have exposed data of millions of Android app users. Phishing from call centers and cloud services. David Dufour from Webroot looks at hacker psychology. Our guest is Rob Price from Snow Software on shadow IT. And who dunnit to SolarWinds? Not the intern.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, May 20, 2021. 

Dave Bittner: There had been a disturbance in the ransomware underworld that began last week with claims by DarkSide that its infrastructure and funds had been seized or otherwise disrupted. The gang promised to issue decryptors to all of its victims and to meet its financial obligations to its affiliates by May 23. Some other gangs also appear to have pulled in their horns, but it was unclear exactly what had happened to DarkSide. The gang's statements prompted speculation last Thursday that it had been taken offline by U.S. law enforcement action. But The Washington Post reported yesterday four U.S. officials have quietly denied that any U.S. military, law enforcement or other agency did anything of the kind. Various DarkSide affiliates have been complaining that the ransomware-as-a-service gang stiffed them of shares of ransom it owed them, which makes it appear likely that DarkSide simply absconded on the plausible pretext that it was being rousted by the law. 

Dave Bittner: Now, I hear you say, it's only May 20; maybe they'll have ponied up by Sunday, as promised. Well, OK. But I wouldn't build too many hopes on that promise. Many observers expected the gang to rebrand and resurface. But whatever the eventual fate of DarkSide proper is, RiskIQ finds that a number of its affiliates are still going strong and, in principle at least, capable of deploying malware. So it's by no means a good time to let your guard down. 

Dave Bittner: As far as the temporary eclipse of other ransomware gangs - posting of stolen data to name and shame sites, for example, fell off significantly last week - that seems to have been a temporary pause. Citing work by Recorded Future, Reuters says that rates of ransomware activity have now returned to near normal levels. 

Dave Bittner: Nozomi Networks has released its study of DarkSide's methods. The malware begins by collecting information about its targets. It systematically bypasses potential victims in Russia and some other former Soviet republics. It selects victims' files for encryption, and it's apparently choosy about those it picks. The malware uses self-encryption and dynamic API resolution to avoid detection, and it disables known backup solutions it finds in place in target networks. Its use of symmetric and asymmetric encryption is notably more sophisticated than was found in early ransomware strains and makes it less likely that the victim will be able to break the encryption on their own. 

Dave Bittner: DarkSide has also thrown up some recent variants that show enhanced capabilities. Fortinet researchers found that the ransomware is now capable of detecting and compromising partitioned hard drives. The U.S. Congress continues to deliberate legislation intended to protect critical infrastructure from cyberattack. Hearings on Tuesday took testimony from senior military leaders responsible for cyber operations, the U.S. Naval Institute writes. And The Hill reports that Energy Secretary Granholm, yesterday, told the House Energy and Commerce Committee that she favored applying the same security standards the power grid faces to pipelines. Secretary Granholm stated, quote, "If we had the standards in place, would this particular ransomware attack have been able to happen? You know, I'm not 100% sure. I do know that having good cyber hygiene on the private side as well as on the public side is a critical basic defense. And for entities that provide service to the public like that, especially critical services like energy, I think it's an important consideration for this committee for sure," end quote. She suggested that the Federal Energy Regulatory Commission cybersecurity guidelines for the power grid might serve as a useful initial model for pipeline regulation. 

Dave Bittner: The Record reports that two Israeli airstrikes against targets in Gaza were intended to hit Hamas cyber operations centers. A strike on May 14 is said to have hit what Israeli Air Force sources call a cyber-equipment storage site in the northern Gaza Strip belonging to Hamas military intelligence. The Record adds that the site was apparently also serving as a data center. The building also housed civilian media offices, NPR and others reported at the time. Among them, offices of the Associated Press and Al-Jazeera, who say they were unaware of the Hamas presence and that media personnel narrowly escaped being killed in the strike. 

Dave Bittner: Yesterday's strike targeted what the Israeli Air Force described as a hideout apartment that was used by the terror operatives for offensive cyberactivity against Israeli targets. 

Dave Bittner: Researchers at Check Point say their examination of 23 Android applications found 13 apps that exposed data of more than 100 million users. The problem lies in the developers' misconfiguration of such cloud services as real-time database, notification managers and storage. The report finds that among the more common poor practices was the embedding of push notification and cloud storage keys in the apps themselves. 

Dave Bittner: Palo Alto Networks' Unit 42 has found that the controllers of BazarLoader, malware that backdoors infected Windows hosts, is now using trial subscription phishbait to direct victims to a call center that walks them through the process of installing the loader. They're calling the operation BazarCall. 

Dave Bittner: INKY describes an ongoing criminal campaign that uses phishing to induce the victims to give up their email credentials. The phishbait is a bogus RFP, and the emails originate from compromised accounts that are generally known to the recipients. They were staged from the cloud-based content-sharing system Adobe Spark. 

Dave Bittner: Proofpoint is also seeing abuse of cloud content-sharing services. In this case, the platforms affected are from Microsoft and Google. This approach, the company notes, lends an appearance of legitimacy to criminal phishing attempts. 

Dave Bittner: And finally, at RSA, SolarWinds CEO Ramakrishna updated what's known about the compromise of SolarWinds' Orion platform. CyberScoop reports that, among other comments, he retracted earlier claims that the incident arose from an intern's carelessness. So the intern, it turns out, didn't do it. 

Dave Bittner: It is probably not off-base to say that the shadow cast by shadow IT grew longer in the past year thanks to the shift to remote work and to co-mingling of home networks and devices with business functions. Rob Price is global solutions consultant at Snow Software, and he joins us with his thoughts on shadow IT. 

Rob Price: Personally, I would define shadow IT as something that has not been adopted as a corporate standard or been ratified by, let's say, internal IT. To me, shadow IT is what occurs when an individual or a business unit seek technology capability to aid them in their day-to-day roles and improve their productivity that may not have been vetted by the core IT organization within an end user environment, the end computer environment. 

Dave Bittner: Is it fair to say that much of the time when folks resort to using shadow IT that they have good intentions in mind, that they're just trying to get their work done? 

Rob Price: Absolutely. That is fundamentally correct. And, you know, over the years, I've seen it adopted or used in multiple different ways where finance organizations have put data loss prevention systems in place and, you know, tied people to their desks and folks email home spreadsheets to their private accounts so they can work on them in their own time before, you know, sending it back prior to Monday morning. And being able to see those types of activities, Shadow IT itself isn't just about new applications. It's about working practices that take data outside of the security boundaries of an organization. 

Dave Bittner: How much of this is - how much of this comes down to communications? In other words, you know, the IT folks taking a collaborative approach to this, rather than viewing it as something that could even be adversarial. 

Rob Price: I think this is a fundamental shift in working practices and how organizations need to interoperate. You know, traditionally IT has been - let's call it, you know, an underfunded area of business. Very seldom do we ever see IT budgets, you know, running higher than an organization needs them to. And I think by the nature of our traditional insular, you know, IT folks, the - it's easier sometimes for them to say no than it is to say yes. And we need to turn IT from what I would call a service unit within businesses into a much more positive, proactive business unit. So we should be looking at and encouraging IT to be at the forefront of advancement within the organization, not as a cost center that's a drag on budgets. And that's a really, really big shift in, you know, organizational culture, not, well, I mean, global culture. We need to turn the IT folks into the forefront, I think, of our businesses. 

Dave Bittner: Really make them a business enabler. 

Rob Price: Yeah, absolutely. And celebrate their capabilities, not, you know, from where I started, pulling boxes of paper out the back of a line printer. You might as well have put me in a cupboard. 

Dave Bittner: (Laughter) Right. 

Rob Price: And these guys really need to be - you know, have a seat at the top table. Let's empower our CIOs. You know, what can technology do for the business? Let's be on the front foot and take the advantage. And, you know, the more we see it in, you know, today's day and world, it's - you know, cloud-first strategy is one thing, but actually, that just means somebody else's hardware. And what do we really do? And how do we empower these people to be thought leaders, not fulfill services that somebody else is already requesting? 

Dave Bittner: That's Rob Price from Snow Software. 

Dave Bittner: And joining me once again is David Dufour. He's the vice president of engineering and cybersecurity at Webroot. David, great to have you back. 

David Dufour: Great to be back, David. 

Dave Bittner: I know today you wanted to touch on something interesting here. It's comparing hacker psychology with vaccine-related threats. Thread that needle for me. Where do those two things cross over? 

David Dufour: (Laughter) Well, I mean, hackers are expert in vaccine distribution. You probably didn't realize that. 


David Dufour: No, actually, they probably would be pretty good at it if we could get them to do the right thing, not the wrong thing. 

Dave Bittner: OK. 

David Dufour: But seriously, around the psychology here - about a year ago when we started really picking up steam on the coronavirus, COVID, we saw massive amounts of negatively branded warning sites saying, you need to submit information here. We need to get your Social Security number here to protect yourself, et cetera, et cetera - really negative push on these malicious sites that were stood up specifically around COVID because malicious actors, the hackers, they take advantage of whatever the psychological mood is. And... 

Dave Bittner: Right. 

David Dufour: So the interesting thing, which I'm about to reinforce, is - and this is good news, David. Everybody should feel great. They've shifted to a really positive mood now about... 

Dave Bittner: (Laughter). 

David Dufour: Enter your information here to get the vaccine. You know, give us your credit card, and we'll put you on a vaccine list, things like that. So what's interesting is the world went negative, so did they. As we've gone positive, they're actually becoming more positive as well. 

Dave Bittner: Just so I make sure that I'm following you here, the case that you're making is that we should be grateful that the bad guy - the scammers have switched from a - using fear as their method to get you to click. And now they're using hope as their - somehow - some, I mean, I suppose - so we're saying that's more than a lateral move? (Laughter). 

David Dufour: Well, I mean, fundamentally, if your information is going to be stolen, wouldn't you want to feel good about it instead of bad about it? 

Dave Bittner: I see. All right. Well, thank you very much, David Dufour, vice president of engineering (laughter). All right. Well, I'm going to give you some more rope to hang yourself here, David. 

David Dufour: OK. 

Dave Bittner: I think the message is a good one, that the scammers absolutely follow whatever is in the public eye, right? So whatever the media is pushing and whatever buttons they can push on people, they do that. And that's what they're doing here. 

David Dufour: That is exactly right. And, honestly, if I was someone - I'm an engineer, so I'm not hugely interested in psychology. But if I was interested in psychology, this would be a fascinating topic because they truly shift their attack surface - and by attack surface the way they stand up and they socialize. They shift it based on the mood because based on society's mood, people are more liable to click into something. You know, when you're worried about getting a virus, you're going to give your information to someone who's going to tell you about it. When you're excited about getting the vaccine because maybe it's going to help you, you're more liable to give your information. So they're very, very good at tracking this psychological, you know, footprint of what people are feeling and in standing up attack surfaces that take advantage of that. That's really the point here. 

Dave Bittner: Yeah. And I suppose, too, I mean, they have so much real-time information coming in when they're - especially when they're doing these kind of spray-and-pray operations. You know, they can track which emails are working. Is hope working more than fear this week? Well, let's head in that direction. 

David Dufour: Yeah, that's exactly right. I mean, think of it in a real business case. Think of it as, you know, the website marketing where you're standing up a product and you maybe have three or four mechanisms for trying to position that product, and you're tracking which one sells better, that's the same thing they're doing. They're standing up three, four, five things, seeing which ones are trending better in terms of stealing information, and then they go all in on that based on the success. 

Dave Bittner: Yeah. All right. Well, David Dufour, thanks for joining us. 

David Dufour: Hey, great being here, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. 

Dave Bittner: Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.