The CyberWire Daily Podcast 6.18.21
Ep 1357 | 6.18.21

Notes from the underworld: phishing with hardware, DarkSide impersonation, and cyber vigilantes. Data incidents, and a conviction for a crypter.


Dave Bittner: Phishing, with a bogus hardware wallet as bait. Empty threats from a DarkSide impersonator. Cyber vigilantes may be distributing anti-piracy malware. Data security incidents at a cruise line and a U.S. grocery chain. Malek Ben Salem from Accenture looks at optimizing security scanning. Our guest is Edward Roberts of Imperva on their 2021 Bad Bots Report. And a conviction for a crypter, with a sentence to follow.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, June 18, 2021. 

Dave Bittner: We are accustomed to phishing by email, and vishing is also now a fairly commonplace threat. There's a new approach, however, that dangles its bait in the form of a dongle. 

Dave Bittner: Hot for Security, reminding readers that almost three-quarters of a million customers of the hardware wallet Ledger had their email and physical addresses compromised last December, thinks we now know why. It appears to have been the onset of an elaborate phishing effort. Some Ledger users have received what appear to be replacement wallet hardware units. They are, however, bogus and represent an attempt to steal keys and cryptocurrency. BleepingComputer has pictures of the devices and an account of the poorly written scam text that accompanied them. 

Dave Bittner: The device itself came in a slick, well-made and professionally shrink-wrapped box, and the bogus key looks legit enough to be persuasive. But the accompanying letter should have blown the gaffe to any moderately aware recipient, composed as it was in jarringly bad English, with the poor idiomatic control characteristic of the cybercriminal. 

Dave Bittner: Here's a sample BleepingComputer shared. It starts off well enough. The letterhead is convincing and the first two paragraphs explain in respectable enough discourse prose that, unfortunately, Ledger was subjected to a cyberattack in July of last year and that contents of its customer database were dumped on Raidforum. So far so good. But after the first two paragraphs, the quality of the prose falls off dramatically. 

Dave Bittner: The crooks write, quote, "for this reason, for security purposes, we have sent you a new device. You must switch to a new device to stay safe. There is a manual inside your new box. You can read that to learn how to set up your new device. For this reason, we have changed our device structure. We now guarantee that this kinda breach will never happen again," end quote. 

Dave Bittner: As the copy editors say, sic, especially after kinda. It's not quite Shadow Brokerese, but it's on that path. 

Dave Bittner: All in all, however, someone went to a lot of trouble to be convincing. When the criminal market starts to advertise for editors, Katy bar the door. 

Dave Bittner: Another point worth noting is the way in which the lie is surrounded with the customary bodyguard of truth. In fact, information about Ledger customers was indeed dumped on the Raidforum hackers' site last year. Ledger has been warning its customers about the breach since December 20. 

Dave Bittner: Success breeds imitation, proverbially the sincerest form of flattery, and this is no less true of criminal success than it is of legitimate achievement. Sometimes that imitation rises to the level of impersonation. DarkSide is the latest subject of such flattery. 

Dave Bittner: Trend Micro this morning reported that imitators are sending extortion emails to companies in the energy and food sectors. The target selection would seem to be shaped by the recent notoriety of ransomware attacks against Colonial Pipeline and the JBS food processing company. 

Dave Bittner: The emails began to circulate on June 4, with a few being dispatched daily. The text begins with a matey, hi, this is DarkSide, and goes on to talk large about what it's accomplished against the recipient's systems. Quote, "it took us a lot of time to hack your servers and access all your accounting reporting. Also, we got access to many financial documents and other data that can greatly affect your reputation if we publish them. It was difficult, but luck was helped by us - one of your employees is extremely unqualified in network security issues. You could hear about us from the press. Recently, we held a successful attack on the JBS. For nondisclosure of your confidential information, we require not so much - 100 bitcoins. Think about it. These documents may be interesting not only by ordinary people but also by the tax service and other organizations, if they are in open access. We are not going to wait long. You have several days," end quote. 

Dave Bittner: So there. There are several things wrong with this, apart from the appearance of having been written by the same people who composed the third and fourth paragraphs of the letter that accompanied those bogus Ledger hardware wallets. For one thing, JBS wasn't hit by DarkSide, but rather by another gang, REvil, and that doesn't lend the pitch very much verisimilitude. 

Dave Bittner: Second, there's been no reported disruption of the targets' operations. DarkSide usually sends its ransom note after the victim sees a problem. 

Dave Bittner: And third, there's no offer of any sample documents as evidence that the extortionists have the goods on the victim. So the whole thing seems to be a tacky commercial analogue of the low-grade sextortion emails that tell you, falsely, they've got saucy pictures of you that you'd probably prefer not to be plastered across the internet. 

Dave Bittner: Japan has been most affected, followed by Australia, the United States, Argentina, Canada and India, with lesser rates of approach experienced by companies in China, Colombia, Mexico, the Netherlands, Thailand and the U.K. 

Dave Bittner: Trend Micro has some good news. They've looked at the crypto wallet the goons have directed victims to, and they've found no signs that anyone has actually paid up. 

Dave Bittner: We've heard a fair bit about cyber privateering lately, especially in the days surrounding the now-concluded Russo-American summit. But cyber vigilantism hasn't been in the news much, until yesterday at any rate. You, of course, wouldn't download pirated software any more than we would, but suppose a friend were to ask your opinion. Rights and wrongs aside, even the basest self-interest should now lead that hypothetical friend to avoid doing so. 

Dave Bittner: Sophos has described what appears to be a strain of vigilante malware, apparently designed to prevent infected computers from visiting pirate sites. The malware has been distributed through BitTorrent and Discord disguised as pirated copies of games and other software products. Vigilante is a reasonable first guess, but the operators' ultimate purpose remains murky. 

Dave Bittner: Sophos principal investigator Andrew Brandt explained the ambiguities to Infosecurity magazine. He said, quote, "on the face of it, the adversary's targets and tools suggest this could be some kind of crudely compiled antipiracy vigilante operation. However, the attacker's vast potential target audience - from gamers to business professionals - combined with the curious mix of dated and new tools, techniques and procedures and the bizarre list of websites blocked by the malware all make the ultimate purpose of this operation a bit murky," end quote. In any case, probably best to stay clear of the pirated software. 

Dave Bittner: Two other data breaches are in the news today. Cruise ship line Carnival disclosed that it sustained a data breach in March. The company told BleepingComputer that the attackers accessed limited portions of its information technology systems. Some customer, employee and crew information is believed to have been exposed, but Carnival thinks the probability that the data have been misused is low. 

Dave Bittner: And, returning to shore, two unsecured cloud databases used by U.S. grocery chain Wegmans may have exposed customers' names, home and email addresses, phone numbers, birth dates, Shoppers Club numbers and hashed passwords to their store accounts, WCVB reports

Dave Bittner: Finally, in a case the U.S. Justice Department says is an example of how seriously it intends to take ransomware, Russian national Oleg Koshkin has been convicted on federal charges related to his operation of crypter websites, including Crypt4U, which helped ransomware and other malware evade detection by antivirus programs. The Department of Justice said that "Koshkin and his co-conspirators claim that their services could be used for malware such as botnets, remote-access Trojans, keyloggers, credential stealers and cryptocurrency miners," end quote. 

Dave Bittner: Mr. Koshkin faces a maximum penalty of 15 years imprisonment. He'll be sentenced on September 20. 

Dave Bittner: And before we go, a heartfelt happy Juneteenth on this first observance of the newest U.S. federal holiday. 

Dave Bittner: There's that old joke that, on the internet, no one knows you're a dog. And the same might be said for online bots. Some bots are loud and obvious, while others do their best to hide the fact that they are, in fact, bots. The team at Imperva recently published their 2021 Bad Bot Report. And joining us with highlights is Imperva's Edward Roberts. 

Edward Roberts: It's something that we've done for the past eight years. So this is the eighth time we published this report. And we look at it as trying to aggregate the data across our platform to see, you know, the different kinds of bot traffic and human traffic that we see. So this is an aggregate report of data across many industries globally, telling you about the traffic that's on the internet and on websites around the globe. 

Dave Bittner: Well, let us have it. I mean, what's our bot situation these days? What did you all find? 

Edward Roberts: I think what we found is that the bot traffic is increasing again. It's the worst amount of bot traffic. And we've actually gone over a quarter of all internet traffic is classified as a bad bot. That is doing something that you haven't allowed, and you do not want them on your site. It's automation that you haven't approved. 

Edward Roberts: And so normally it's been in the 19% to 22% range, and now we're just over the 25% range, so it's creeping up. And I guess the one thing that's the outlier this year is the pandemic has obviously created a scenario where more and more people are purchasing things online and having daily activities online. And so bot operators have also been very active in there as well, so we think that's part of the driver. 

Edward Roberts: One of the interesting findings that we have in the Bad Bot Report this year was that we saw that every business that has a login page has an account takeover attack for 16% of their time over a year. So that's literally from January to the end of February. You've got a continuous ATO, account takeover, credential-stuffing attack happening on your login page. So think about that as a volume. If that's something that you want to take care of, that - a lot of people would not want the fraud that would follow those types of attacks. So that's kind of the average that we see. 

Dave Bittner: That's remarkable. And what - 1 in 7, 1 in 8, I suppose, somewhere around there... 

Edward Roberts: That's right. 

Dave Bittner: ...Of login attempts are fraudulent. 

Edward Roberts: Yeah, we've actually - the actual number of the number of attempts is 34% of all login attempts are fraudulent. But the amount of time that you suffer under these attacks, we said, is 16% of the time. 

Dave Bittner: Oh, I see. 

Edward Roberts: So that's effectively two months period. 

Dave Bittner: Yeah, let's dig into that. So, I mean, obviously, we've heard stories in the news about things like, you know, being able to - having a hard time getting your hands on something like a PlayStation because, you know, bots have scooped them all up. Is that something you all have been tracking here through the pandemic? 

Edward Roberts: Absolutely. That is one of the big shifts. You know, we would classify that as automated abuse called scalping. And people typically have known as scalping in the ticketing for shows or sporting events, where you can scalp that ticket and get a premium price somewhere else, whether you sell it outside a stadium or what. That moved online. So scalping is a well-known problem from bots in the ticketing industry because there's the ability to make money off it if you can resell it at a higher price for a high-demand show. 

Edward Roberts: What you've now is this has moved from shows. It's moved into the retail space. And now you've got this perfect storm of the pandemic where you weren't able to walk into stores and actually purchase these items over the counter and walk out with it. It all went online, so you actually had to go online to it. So the bot operators suddenly realized, if they can grab as many of these consoles as possible and hold them, they can arbitrage the price and get that increased profit margin from it. So it's a business for these bot operators. So grabbing as many and hoarding as many of these gaming consoles as possible and then reselling them is how they're making their money and paying their mortgage. 

Dave Bittner: When you all are tracking the activity of bots, how many of the bots are out there trying to not look like bots? You know, are there some that just do their business and are fine with everybody knowing and seeing that they are bots but others that try to look more humanlike? 

Edward Roberts: Yeah, I think that's - we're trying to classify that as the sophistication level of the bots. So the more sophisticated they are, they try and emulate human behavior. They might move a mouse on a screen. They might pause before clicks. They might scroll the page. They might have characteristics that make them appear more humanlike because ultimately, that's what businesses want on their website. They want humans on a browser, browsing, reading, purchasing goods, using services online. And that's the perfect traffic for them because that's where their business is going to thrive. 

Edward Roberts: What bots do is try and imitate that and look as human as possible. So the more sophisticated they are, they try and evade whatever detections are in there, whether it be rate limits. Or a lot of people might be familiar with putting CAPTCHA in front of a of people to make them fill out - you know, find all the traffic signs in this picture or whatever it is. That's a technique to remove automation. But there are sophisticated bots that can get beyond those CAPTCHAs and actually program and get through those. So there is definitely the range of simple bots that get caught by very simple techniques, and then there are more sophisticated that are trying to actively evade detection methods. 

Dave Bittner: That's Edward Roberts from Imperva. 

Dave Bittner: And I'm pleased to be joined once again by Malek Ben Salem. She is the technology research director for security at Accenture. Malek, it's always great to have you back. You know, I want to touch base with you on application security. You know, we've seen the recent executive order come down from the presidential administration. I know that's something that you and your team are working on. Specifically, can we touch today on optimizing security scanning? 

Malek Ben Salem: Yeah, sure. Thanks for having me back, Dave. Yeah. With the executive order, I think there has been calls for even more scanning, more application scanning and performing various types of scans - you know, the static application security scan tests, or SAST; DAST scans; IR (ph) scans; et cetera. But we know that these scans generate loads of findings that developers may not be able to respond to in a timely manner or they may not be able to respond to at all - right? - especially if aware of the vulnerabilities that are not that critical. 

Malek Ben Salem: So what I want us to do is to help these development teams prioritize what they need to respond to, and we do so by, you know, several optimizations. No. 1, we generate exploitability rankings for these vulnerabilities so that, you know, the teams respond to the findings that have the highest exploitability. And some of the existing scanning tools do provide that. But we take it to the next level by adding some additional information about the vulnerabilities such as their exploitability over time, their past exploitability. 

Malek Ben Salem: But also, you know, these are scores that are available through the NVD database - right? - through their common vulnerability scoring system. They do provide some of these scores, such as the impact of the vulnerability and its exploitability. But it's based on the likelihood of that vulnerability being exploited. What we add is threat intelligence information about whether that vulnerability has been actually exploited, whether we've seen PoCs - right? - proofs of concept of that vulnerability being exploited and how many of them do we see. We also include information about the vulnerability notability. So if a vulnerability is gaining notability in the media, that means it either has been used or is very likely to be used by malicious actors. 

Malek Ben Salem: By combining all of these scores, we come up with better exploitability rankings for these vulnerabilities that application teams and application development teams and security teams can use to prioritize which vulnerabilities they need to mitigate or remediate first. 

Dave Bittner: So is a part of the notion here that you're providing a lot more context to the information that they're getting? 

Malek Ben Salem: Absolutely. Absolutely. And that is key for these teams who are very time-constrained. The second thing we do, actually, is identify any correlated vulnerabilities or, in some cases, any false positives that these scanning tools generate. We have realized that a lot of the vulnerabilities being found are actually false positives that, you know, teams do not have necessarily to respond to. And so we do some triaging to help these teams and we do that through different techniques. 

Malek Ben Salem: No. 1, we look at duplicates within the same scan, so review the same scan, identify if there are any vulnerabilities that have been reported twice or more. And we remove those so that the teams, you know, respond to fixing the vulnerability just once. We correlate findings between different types of scans. So we take the SaaS scan and the DaaS scan, and we try to identify if there are vulnerabilities reported in the same scan that are actually the same vulnerability. Again, this would help the team just respond to one - right? - mitigate just one instead of responding twice to these vulnerabilities reported differently on two different reports. 

Malek Ben Salem: And then the third thing, we do correlation between scans. So what I talked about - between scans in different time windows, right? So earlier I talked about correlating vulnerabilities between the SaaS and a DaaS scan, and that's at one, you know, snapshot. But, you know, sometimes we can correlate a scan done, let's say, a week ago with a scan that has been done today and look at the correlations between the vulnerabilities between scans and remove any false positives that have been identified in the previous scan so that we don't have to respond to it again or analyze it in the current scan. 

Malek Ben Salem: And what we found out is that we can identify between 50% and 80% of these false positives, and we're able to save about 64% of the security analysts' time as they are reviewing these findings from the scans and other as they are trying to triage them. And this can be all enabled through artificial intelligence. 

Dave Bittner: Now, that's fascinating. I mean, obviously, you know, nothing is perfect, and I suspect, you know, that the AI is not perfect as well. But, I mean, is the system constantly feeding back on itself so that over time the results that it generates are also improving? 

Malek Ben Salem: Absolutely. Absolutely. It is constantly learning, and it's constantly applying or contextualizing information for particular clients because we know that the development environment for one of our clients may be different from another client. So we are optimizing that learning curve per client environment. 

Dave Bittner: Yeah, interesting. All right. Well, fascinating stuff. Malek Ben Salem, thanks for joining us. 

Malek Ben Salem: Thank you, Dave. 

Dave Bittner: Thanks to all our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.