Dark Side’s way into Colonial Pipeline networks may have been an old VPN. Summit agenda. DDoS hits German banks. Anonymous angry with Elon Musk? Alleged Trickbot coder arraigned.
Dave Bittner: DarkSide seems to have attacked Colonial Pipeline through an old VPN account. Washington and Moscow prepare for this month's summit with cyber on the agenda. DDoS affects German banks. Anonymous may be back and out to bring to book those who would troll Bitcoiners. Rick Howard looks at process management and security. David Dufour from Webroot on lessons learned from exchange server vulnerabilities. And one of Trickbot's alleged authors has been arrested and arraigned on multiple charges in a U.S. federal court.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, June 7, 2021.
Dave Bittner: There's a bit more out about the Colonial Pipeline ransomware incident, this time concerning the entry point the attackers appear to have followed. Citing sources at Mandiant, Bloomberg reports that DarkSide ransomware operators gained access to Colonial Pipeline's networks on April 29 through a deactivated, disused virtual private network account. The attackers are believed to have found the password in a batch of credentials posted on the dark web. It's unclear whether they obtained the username in a similar fashion or arrived at it by guessing. Mandiant's investigation found no evidence of phishing, although it doesn't discount the possibility of password reuse. The investigators saw no signs of an attack earlier than the 29.
Dave Bittner: As Presidents Biden and Putin prepare for their June 16 summit, the U.S. increasingly regards ransomware as a national security crisis, The Washington Post reports. Last week, FBI Director Wray compared ransomware to terrorism and went so far as to suggest analogies to 9/11. Over the weekend, the secretaries of Energy and Commerce both outlined measures their respective departments were taking as part of the government's response to the Colonial Pipeline and JBS incidents.
Dave Bittner: The U.S. is also seeking to organize an international response to the ransomware threat. Much of that response seems headed in the direction of getting a handle on the use of cryptocurrencies and their use as a conduit for payment of ransomware. There is nothing inherently nefarious about cryptocurrencies, of course, and governments are increasingly bringing both recognition and regulation to alt-coin. But one area in which closer scrutiny and regulation seem likely is in the way such alternative currencies, so well adapted to legitimate purposes like the transmission of remittances, can be used to enable criminal transactions and extortion.
Dave Bittner: In any case, since much recent big-ticket ransomware has been attributed to Russian criminal gangs, the matter will be taken up at this month's Russo-American summit. The view that such Russian gangs operate with the toleration and encouragement of Moscow is gaining currency among U.S. policymakers, and the new category of threat actor Cisco's Talos group introduced, privateers, is also seeing broad adoption.
Dave Bittner: How does this all look from Moscow? Foreign Ministry spokesman Dmitry Peskov said, quote, "Clearly, cybercrime and challenges in the cybersecurity field will be on the agenda one way or another," end quote, which is surely true, but then you didn't have to be Metternich to see that one coming. TASS further quotes the Russian foreign ministry to the effect that what we have with cyber tension between the U.S. and Russia is a failure to communicate - the U.S. having yet to take President Putin up on his offer of full cooperation. It's always Cool Hand Luke time over at the Kremlin, and every incident is always an opportunity for high-minded negotiation and other forms of mutuality.
Dave Bittner: While ransomware has justifiably drawn more attention over the past two months, distributed denial of service attacks also continue. Reuters reports that German financial tech company Fiducia & GAD IT AG, provider of online services for more than 800 financial institutions, sustained a distributed denial of service attack on Thursday and Friday. Its effects were felt by the cooperative banks who used the company's IT services. After Thursday's disruptions, Fiducia & GAD says it was able to mitigate subsequent waves of heavy traffic. The incident remains under investigation.
Dave Bittner: Anonymous may have resurfaced. Coindesk and others report that a video representing itself as coming from the anarchist collective denounces Elon Musk for effectively trolling cryptocurrency users, damaging their investments and ruining lives. After some ritualistic denunciations of labor and environmental practices and after characterizing Mr. Musk as nothing more than another narcissistic rich dude who is desperate for attention, the video turned to its principal concern, which would be Mr. Musk's retreat from Bitcoin. The person behind the Guy Fawkes mask said, quote, "It is now widely believed you have been forced to denounce your company's involvement with Bitcoin in order to keep that green government money flowing into Tesla's coffers," end quote. The reputational damage done to Bitcoin apparently hurt. As the video said, "Millions of retail investors were really counting on their crypto gains to improve their lives. As hardworking people have their dreams liquidated over your public temper tantrums, you continue to mock them with memes from one of your million-dollar mansions," end quote.
Dave Bittner: So memes can hurt. Noted. No doubt they can, and there are some hedge funds still licking their wounds from the GameStop squeeze.
Dave Bittner: Any Anonymous video always gets us into the realm of metaphysics. How do you specify identity conditions for an anarchist collective? The anarchists themselves have difficulty doing so. With something like Anonymous, how do you recognize them when they show up again? But whoever prepared the video, it's worth taking it as an index of dissatisfaction on the part of some people who've got considerable alt-coin exposure.
Dave Bittner: And finally, one of the authors of Trickbot, the ransomware tool that rose from the ashes of Dyre in 2015 and has been a nuisance ever since, has been arrested. U.S. authorities in Miami arrested Alla Witte, who went by the hacker name Max, a 55-year-old Latvian national recently residing in Suriname, in connection with crimes committed using Trickbot. Ms. Witte is alleged to have been one of the original Trickbot coders. The indictment charges that Witte worked as a malware developer for the Trickbot Group and wrote code related to the control, deployment and payments of ransomware. The ransomware informed victims that their computer was encrypted and that they would need to purchase special software through a Bitcoin address controlled by the Trickbot Group to decrypt their files. In addition, Witte allegedly provided code to the Trickbot Group that monitored and tracked authorized users of the malware and developed tools and protocols to store stolen login credentials.
Dave Bittner: She's been charged with one count of conspiracy to commit computer fraud and aggregated identity theft, one count of conspiracy to commit wire fraud and bank fraud affecting a financial institution, eight counts of bank fraud affecting a financial institution, eight counts of aggravated identity theft and one count of conspiracy to commit money laundering. She was arraigned Friday in the U.S. District Court for the Northern District of Ohio. Ms. Witte is, of course, presumed innocent, but should she be convicted, she faces maximum penalties of five years on the first charge, 30 years for conspiracy to commit wire and bank fraud, 30 years for each aggravated substantive bank fraud charge, a two-year mandatory sentence for each charge of aggravated identity theft - and these would have to be served consecutively for a total of 16 years - and 20 years for conspiracy to commit money laundering.
Dave Bittner: And it is my pleasure to welcome back to the show Rick Howard, the CyberWire's chief security officer and also our chief analyst. Rick, always great to have you back.
Rick Howard: Thanks, Dave.
Dave Bittner: You know, here at the CyberWire, one of the things that pops up a lot is this constant stream of cyber adversary attacks, but also how the victims and supporting governments respond to those attacks. And I'm thinking of things like SolarWinds and the Colonial Pipeline, and then most recently, this JBS meat company situation. And, you know...
Rick Howard: What? I haven't heard of any of that. What are you talking about?
(LAUGHTER)
Dave Bittner: No, they - those things haven't totally dominated the headlines over the past couple weeks. You know, one of the common mantras for the security community is that we try to prevent these things, usually with some kind of combination of people, process and technology. Well, it strikes me that the technology leg of that three-legged cyber stool is substantive.
Rick Howard: (Laughter).
Dave Bittner: And it's something that each of us spends a whole lot of time doing but not a whole lot of time talking about or discussing how to manage that process. And I say all that to say that I understand that's what you're covering in this week's episode of "CSO Perspectives."
Rick Howard: Yeah, that's right, Dave. Ever since I was a wee lad, you know, running my first Unix lab, you know, back in the day, our community has always had this notion of a security stack protecting our environments, and that stack consisted of all of the security tools used in the organization. And in the early days, that stack was pretty small. You know, we had firewalls, intrusion detection systems and some kind of antivirus system. But today the number of tools in the security stack can be anywhere from 15 to 300, depending on how big you are, and somebody has to monitor and manage all of those tools every day, decide when they have reached end of life and need to be replaced and then choose the tools that we want to replace them with or, you know, just bring in some new tech to give us some needed functionality. So in this episode, we bring two CISOs to the CyberWire Hash Table and discuss that process - Helen Patton, the advisory CEO for Cisco Duo, and Nikk Gilbert, the Cherokee Nation Businesses CISO.
Dave Bittner: Wow. All right, well, that's quite a lineup. Now, that is what's going on on the Pro side, and you are currently in Season 5 of the show there. But over on the ad-supported side, we're releasing the Season 1 episodes so everybody can check those out. What's in store for us this week?
Rick Howard: So we continued down our cybersecurity first-principle journey. And so far we've talked about what exactly is the ultimate first principle for all cybersecurity practitioners. And then we said, if that was true, what are the immediate strategies to pursue in order to accomplish that first-principle goal? Last week we talked about zero-trust as a pillar strategy, but this week we're talking about my passion strategy. Out of all the things that I do, I love this one the most. And it's called intrusion kill chain prevention.
Dave Bittner: All right, so if I could just take a little trip down memory lane...
Rick Howard: (Laughter).
Dave Bittner: ...I remember the very first time that you and I met - this was years ago. It was at the RSA Conference. And you were chief security officer of Palo Alto Networks at the time, and I was very impressed that someone of your status in the industry was, A, willing to talk to me and, B, a fan of the CyberWire podcasts. And so, oh, how time has changed. And if I'd only known you then the way I know you now.
Rick Howard: Yeah, things could be so much different.
(LAUGHTER)
Dave Bittner: But all - again, I say all that to point out that I remember, from that very first conversation you and I had, talking about the intrusion kill chain.
Rick Howard: Yeah, so here's the thing - I love the cybersecurity community, and there are so many things I love about it. But one of the things that annoys me the most is our focus on each individual technical thing. We love talking about the latest malware from, say, the REvil ransomware gang or the latest zero-day exploit disclosure for some critical piece of software. And all of that is well and good, and we should pay attention to it. But as a first-principle strategy, worrying about the latest bad-guy tool is not the most important thing. What is the most important thing is whether or not you can stop the success of an offensive adversary campaign, which can consist of anywhere between, like, 30 steps to 300 steps. So blocking one piece of malware is just not going to get it done, but deploying a defensive campaign designed to specifically stop the entire attack sequence of the REvil ransomware gang will. So I love this topic, and that's what we'll be covering in this ad-supported "CSO Perspectives" episode.
Dave Bittner: All right, well, you can check all of that out on our website - thecyberwire.com. Rick Howard, thanks for joining us.
Rick Howard: Thank you, Dave.
Dave Bittner: And I'm pleased to be joined once again by David Dufour. He's the vice president of engineering and cybersecurity at Webroot. David, good to have you back.
David Dufour: Great to be back, David.
Dave Bittner: I want to touch base with you about the recent incident we had with the Exchange Servers and just your takeaways from that. What sort of things can people learn from this whole experience?
David Dufour: You know, it's - one, it's interesting. And, you know, as we've talked at different times, there's different types of attacks out there. And this is definitely a pointed attack that kind of takes advantage of flaws into a very commonly used piece of software, which we're talking about Microsoft Exchange Servers 2013, 2019 - not the Office 365. And there were some flaws in there. And really, the attackers just went all in on stealing information from those servers and funneling off emails. So it was a pretty big deal.
Dave Bittner: Yeah, one of the things that fascinates me about this is that as so many organizations have been shifting to cloud-based providers of these sorts of things, the things that they used to use their Exchange Servers for, you can understand that impulse to just leave the Exchange Server running in the background 'cause why not, right? I mean, if you turn that thing off, you might break something.
David Dufour: That's exactly right. And there is a philosophy, and I somewhat subscribe to it - sometimes it's worth turning it off, see what breaks and then go from there.
Dave Bittner: (Laughter).
David Dufour: And this would have been an example where, you know, really, if you stopped patching it, if you stopped paying attention to it, you really did leave yourself open and exposed in this instance. And this can happen a lot. You've got to be doing those inventories of your back-end systems and knowing what you can, you know, deprecate or even retire.
Dave Bittner: Yeah. What are the takeaways here? How do you think folks are going to approach this sort of thing going forward?
David Dufour: Well, what I hope they do and what I think they'll do are two different things. What I think is people will forget about this inside of two or three months 'cause they're going to get busy with their day-to-day jobs. But this is one of those cases, David, that you and I have talked about quite often, where the more mundane something is, the better it is for security. And to be very specific here, in this case, if people had been applying patches and immediately applied them once it was discovered and, then more importantly, if they were doing logging and auditing and analyzing all of that logging and auditing - I know it's a big ask - but they would have seen what was going on and been able to prevent it sooner. So this goes - points back to - you know, we all want to find the next big hack. We want to, you know, steer a car off the road into a ditch from a cellphone. But...
Dave Bittner: (Laughter).
David Dufour: Well, maybe everybody doesn't want to do that. But it sounds exciting.
(LAUGHTER)
David Dufour: But the more - the real security work starts at monitoring logs, making sure patches are made, and a big one is backing up your data. And I know those things sound boring, but that's really where it starts. And if you're not doing that, these things are going to continue to happen.
Dave Bittner: Another thing that struck me about this one in particular was how quickly - the amount of vigor that the bad guys came at this one, that they just started pounding away on these Exchange Servers around the world.
David Dufour: Absolutely correct. But believe it or not, this is something like when we first saw the first types of ransomware, and we saw the first botnets back in the 2000s. What happens is this stuff goes on for a while and nobody knows about it, and so it's actually happening a lot longer than we think. But the minute there's media coverage, they literally turn the volume up to 11 and just blast through as much stuff as they can 'cause they know their window's closing. So, unfortunately, what happens - there's a lot of these things going on for a period of time, and then it gets amped up the minute there's a ton of coverage, which there should be coverage. I'm not saying there shouldn't be. But that's what we see happening, always.
Dave Bittner: Yeah. All right, well, David Dufour, thanks for joining us.
David Dufour: Great being here, David.
Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Dave Bittner: Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed.
Dave Bittner: And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence, and every week we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you all back here tomorrow.