The CyberWire Daily Podcast 6.16.21
Ep 1355 | 6.16.21

Airline resolves IT issue. Paradise ransomware source code leaked. Unauthorized access to cameras possible. TSA pipeline cyber guidance under preparation. Russo-US summit. Anonymous extradition.


Dave Bittner: Southwest flights are back in the air after an IT issue disrupted them yesterday. Paradise ransomware source code has been leaked online. Some networked camera feeds may be accessible to unauthorized viewers. TSA is preparing a second, more prescriptive pipeline cybersecurity directive. The Russo-U.S. summit is underway. Our guest is Jay Paz from Cobalt on bad actors targeting hackers. Joe Carrigan looks at malware hosted on Steam. And the face of Anonymous has been extradited from Mexico to the U.S.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 16, 2021. 

Dave Bittner: U.S. domestic carrier Southwest Airlines has restored normal service after an IT incident caused about 500 flights to be canceled and delayed roughly 1,300 more. The U.S. Federal Aviation Administration halted Southwest Airlines flights in a temporary ground stop Tuesday after Southwest experienced IT issues with its reservation systems. The ground stop was lifted early in the afternoon. 

Dave Bittner: Despite the widespread alarm on Twitter to the effect that Southwest had to have been a ransomware victim, that seems to have not been the case. The Wall Street Journal puts the incident down to what the airline called a systems issue and connectivity problems, so it was apparently a glitch and not an attack. Tuesday's outage represents the second time in two days that Southwest IT problems snarled flight scheduling. On Monday evening, flights were delayed when other connectivity issues interfered with a third-party weather data provider's ability to deliver its information to the airline. 

Dave Bittner: The barriers to entry in the ransomware market, already unpleasantly low, may soon get even lower. The source code for the Paradise strain of ransomware, a commodity in the ransomware-as-a-service criminal market since it appeared on the scene in 2017, has been leaked and posted to the XSS hacking forum, BleepingComputer reports. It's now available for free, at least to active participants in the XSS forum. 

Dave Bittner: Among the alerts CISA issued yesterday was one concerning a vulnerability in ThroughTech's P2P Software Development Kit, a supply chain risk for networked camera vendors who use the P2P SDK. The risk the vulnerability poses is unauthorized viewing of video. Security firm Nozomi has published an account of the issue. They point out that it's difficult for users of networked cameras to identify the provenance of peer-to-peer functionality or the security of the software that delivers it, and so they recommend that the best way to prevent captured audio/video content from being viewed by strangers over the internet is to disable peer-to-peer functionality. CISA's alert contains a set of useful mitigations. 

Dave Bittner: TSA is preparing a second pipeline cybersecurity directive, FCW reports. This one will focus on risk mitigation. Sonya Proctor, TSA's assistant administrator for surface operations, yesterday told subcommittees of the House Homeland Security Committee that the coming directive will be a security sensitive information document and will be rather prescriptive in terms of the mitigation measures required. 

Dave Bittner: The summit between Presidents Biden and Putin is now underway in Geneva. The American side is expected to raise Russian complicity in cybercrime. The Russian side is expected to offer extradition of criminals to the U.S. if the U.S. will honor similar Russian extradition requests. The Guardian is following the summit's progress. The close attention this meeting is expected to give cybersecurity issues probably represents a new normal in Russo-American relations. The New York Times observes that these summits are now about cyber the way they were once about nuclear weapons. Cyberattack is less immediately frightening than a nuclear exchange, but it's also a great deal more difficult to deter or to arrange confidence-building measures. Part of the problem lies in the problem of attribution. There are few human events less ambiguous than a missile launch. The same can't be said of a cyberattack, where misdirection and doubt are so notoriously pervasive. 

Dave Bittner: CyberScoop quotes FireEye’s CEO Kevin Mandia on his company’s own experience investigating the SolarWinds supply chain compromise. FireEye’s Mandiant unit was among the first to discover the problem and attribute the action to Russia. Mandia told a CyberScoop organized conference yesterday, quote, "That’s the challenge of cyberspace. It is so anonymous and they have such great plausible deniability that it makes it frustrating to understand that, if anything happens in the physical world, is it genuinely connected to the cyber world or not? What I learned from the SolarWinds implant, and who they targeted, was that the software and security companies are absolutely fair game for espionage," end quote. 

Dave Bittner: Russia has consistently denied involvement in the SolarWinds incident, as well as involvement in the recent ransomware attacks that Cisco’s Talos unit characterized as privateering. 

Dave Bittner: And finally, speaking of extradition, the so-called face of Anonymous, who’d been living in Mexico, has been shipped back to the United States where he’s wanted for a variety of computer crimes. And no, that face isn’t a Guy Fawkes mask, but rather, as Naked Security reports, the natural face of one Christopher Doyon, who goes by the hacker name Commander X, who allegedly skipped bail in California back in 2011 to live as a celebrity fugitive in Canada and then Mexico, where he was apprehended last week and extradited to the U.S. on June 12. 

Dave Bittner: Mr. Doyon, now 56 years old and a former resident of Mountain View, Calif., in the center of Silicon Valley, faces charges of failing to appear for a 2012 status hearing after his arrest in connection with a distributed denial-of-service attack against systems belonging to Santa Cruz County, Calif. The DDoS was allegedly part of a protest against changes to Santa Cruz enforcement policies that would have affected when and where homeless people might camp in the jurisdiction. 

Dave Bittner: The U.S. Department of Justice explains that failure to appear after pre-trial release carries a maximum penalty of two years' imprisonment, a $250,000 fine and three years of supervised release. 

Dave Bittner: The Justice Department says, with respect to the 2011 indictment, the maximum statutory penalty for conspiracy to cause intentional damage to a protected computer is 10 years imprisonment, three years of supervised release and a fine of $250,000, plus restitution if appropriate. So stay in school, friends. Straighten up and fly right. 

Dave Bittner: Security professionals recently found themselves the targets of online social engineering campaigns, specifically targeting them and the enhanced access they may have to their clients' and companies' systems. Jay Paz is director of pentest operations and research at pentest platform provider Cobalt, and he joins us with these insights. 

Jay Paz: It's important to know - right? - that when we're talking about hacker, we aren't just talking about malicious attackers. We are talking about security professionals that make a living assessing networks or applications for customers or for their own company. And so they are also, here, considered a hacker, right? And then the other side of it is those that are malicious attackers, those that, you know, are doing it for the financial aspect of it or just as part of a group, a state-funded group, perhaps, those are also hackers. And so we want to make sure that we are capturing both of those personas in this conversation. 

Dave Bittner: And what is it about a cybersecurity professional that makes them particularly attractive to adversaries? 

Jay Paz: The amount of knowledge that they have, what they know about the environments that they're testing for the companies that they work for - they have a insider knowledge that is extremely valuable for those individuals that are doing this for malicious reasons. 

Dave Bittner: So what are your recommendations? I mean, what should organizations do to make sure that these folks don't fall particular victim to these adversaries? 

Jay Paz: I think the best thing that any organization can do is not assume, right? And we talked about it a little bit. That assumption that security professionals know how to defend their own environments is flawed. And a lot of times, security awareness training or even more in-depth training isn't provided to some of these individuals, either to save money or because they don't feel like they need it. And I think, similarly, it's important for security professionals to realize that we need to continue to learn and to continue to stay ahead of the malicious attackers. And so I think it's a partnership between the organization and the individual to really make sure that those gaps are being covered. 

Dave Bittner: Yeah. It strikes me that, you know, this may require a certain amount of humility to recognize that, yes, even though you are above the average person when it comes to knowledge of these things, there are still areas where they can come at you. 

Jay Paz: A hundred percent. And I think that that's true in any profession, right? Like, you see major league baseball players getting out there and getting the reps in batting practice and field practice. And just because they've made it to the big show doesn't mean that they can't improve or that they shouldn't continue to practice or get better at their craft. And I think that applies to all of us as well. 

Jay Paz: It's important for all of us to realize that these malicious attackers are continuously getting better and better at what they do and are finding new targets and new approaches to arrive at the information that they're trying to steal. And while today, this hacker-on-hacker attack may be the thing, tomorrow, it could be a completely different group of people that they are targeting. And so it's important to look at our security programs in a more holistic approach to make sure that we're capturing all of these nuances. 

Dave Bittner: That's Jay Paz from Cobalt. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: An interesting story caught my eye, and I thought it would interest you, you being a gamer... 

Joe Carrigan: Yes. 

Dave Bittner: ...I know (laughter). 

Joe Carrigan: I'm a l33t gamer, Dave. 

Dave Bittner: So (laughter)... 

Joe Carrigan: (Laughter). 

Dave Bittner: So this is an article written by Becky Bracken. It's over on the Threatpost website. And it's titled "Steam Gaming Platform Hosting Malware." There's some interesting details here. Unpack it for us, Joe. 

Joe Carrigan: All right. So it's - it sounds a lot scarier than it is for Steam users. But it's not really - what's happening here - let me tell you what's happening here - is somebody out there has figured out that they can use Steam as a distribution platform for images that have a set of malicious code - some malicious code packed into something called the ICC profile. ICC profile is - the ICC is the International Color Consortium. 

Dave Bittner: Right. 

Joe Carrigan: And they work on standardizing colors across applications. 

Dave Bittner: Yeah. 

Joe Carrigan: And image formats like PNG - Portable Network Graphic, which is an open image format - have allowances for putting these profiles into the image. 

Dave Bittner: Right. 

Joe Carrigan: Now, I looked up the specification of these, and these profiles can be of n bits long, which means they can be arbitrarily big. And what that means is that you can put anything in there that you want, and it probably will not affect the rendering of the image. 

Dave Bittner: Right. 

Joe Carrigan: But it may not be a valid ICC profile, but it's still there. 

Dave Bittner: Yeah. And the ICC profiles are there so if you were to send an image off to be printed, for example... 

Joe Carrigan: Correct. 

Dave Bittner: ...It would tell the printer, this - these are the things you need to know about this image to have it print properly. 

Joe Carrigan: Yeah, here are the exact colors I want you to use. 

Dave Bittner: Yeah. Yup. 

Joe Carrigan: And the printer has its interpretation from the ICC, and the image displayer has it's - you know, the application you're using has its interface with the ICC. And so it's just basically a standardized way of doing things. 

Dave Bittner: Right. 

Joe Carrigan: It's just being abused here as an opportunity. But the code will not run on its own, right? So if you just view the image, that doesn't run the code. 

Dave Bittner: OK. 

Joe Carrigan: What has to happen is somebody has to be tricked into running some other code that goes out, fetches the image, gets the decompressed code out of the image and then executes the decompress code. So what they're speculating is happening here is that they're prepping for a larger-scale attack. They're going to send out a bunch of phishing emails or a bunch of - probably just a bunch of phishing emails. And they're going to get people to click on links or download malicious attachments that are really very small. And that's really the objective here is - the distribution of the malware will be easier because the malware that actually goes out and fetches this image will be tiny... 

Dave Bittner: Right. 

Joe Carrigan: ...Maybe a couple lines of code. 

Dave Bittner: OK. 

Joe Carrigan: And then it's going to go out to Steam, which you can access as web - through a web interface and get this image, download the image, unpack the ICC profile, find the code, execute the code. That's how this... 

Dave Bittner: I see. 

Joe Carrigan: ...Is going to work. 

Dave Bittner: So they're basically hiding this code in plain sight... 

Joe Carrigan: Right. 

Dave Bittner: ...On a publicly accessible website... 

Joe Carrigan: Yep. 

Dave Bittner: ...That is, Steam. And profile images don't generally draw a whole lot of attention to themselves. 

Joe Carrigan: Exactly. And we've seen this done before on Twitter - we've - Twitter being used for command and control and other social media sites. Any place you can put a public image, you can do this. But this is the first time we're seeing it on Steam. 

Joe Carrigan: Hmm. How does - has Steam had any response to this? 

Joe Carrigan: As of the recording, no. It's owned by Valve. Steam is owned by Valve Software. And they have not responded to it. I don't know how they would respond to it, you know, it's - or how they would control for this. I mean, I guess you could check the ICC profile and make sure it's not being abused, or you could limit image size. 

Dave Bittner: Yeah. 

Joe Carrigan: But actually, these are just source code, so it's going to be small anyway. 

Dave Bittner: Right, right. 

Joe Carrigan: I mean, checking for image size is not going to be very helpful. 

Dave Bittner: I would - I mean, I wonder if you could just simply strip the ICC code info out of images that are being used as profile pictures. 

Joe Carrigan: You could strip a lot of the metadata out, yeah. 

Dave Bittner: They're being just displayed on a screen. 

Joe Carrigan: Right. 

Dave Bittner: So presumably, you know, it's not something - it wouldn't make that much of a difference if you were to do so for security reasons. But who knows? I mean, Steam's big, so there are lots of images up there. Right? 

Joe Carrigan: Right. They have - this article actually gives you the number. They've got over 20 million users. 

Dave Bittner: Wow. Wow. Yeah, interesting. Yeah. You know, one of the things that fascinates me about this is, is that, you know, over the years, I've had to shed my perception that graphics files are pretty much benign. 

Joe Carrigan: Right. 

Dave Bittner: You know? Because become a popular place for folks to hide things. 

Joe Carrigan: Right. Well, the - I mean, still, if you just look at the graphic - if you just look at - load it up in a web browser, nothing's going to happen. 

Dave Bittner: Right. 

Joe Carrigan: You're going to have to have the loader execute the software. Now, I guess if you could - if you wanted to, you could, you know, compile and run the code yourself that you find in some random image. But I wouldn't recommend doing that. 


Dave Bittner: Yeah, yeah. That's an edge case, for sure. 

Joe Carrigan: That's - yeah, that seems like a very bad idea. 

Dave Bittner: Yeah. All right. Interesting thing to look out for. I mean, is this imminent? As you said, it seems like they're preparing for something else. So, I mean, any advice for folks to protect themselves here? 

Joe Carrigan: I would say the standard advice - don't open email attachments, don't click on links, those kind of things. 

Dave Bittner: Right. 

Joe Carrigan: It's - there's not really anything you can do. Steam - one of the reasons I think they're using Steam is because a lot of legitimate traffic goes to Steam. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? So it wouldn't stick out, especially if you have a Steam client installed, it won't stick out on any packet capture tools because it will just look like normal traffic. 

Dave Bittner: I see. Yeah, yeah, absolutely. All right. Well, again, it's over on Threatpost. The article is titled "Steam Gaming Platform Hosting Malware." Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.