Malicious Google ads lead to spoofed Signal and Telegram pages, and then on to malware. LV’s REvil roots. Vulnerable defense contractors. And bogus AIS position reports in the Black Sea.
Dave Bittner: Malicious Google ads for Signal and Telegram are being used to lure the unwary into downloading an info-stealer. LV ransomware looks like repurposed REvil. A study of the U.S. Defense Industrial Base finds that many smaller firms, particularly ones that specialize in research and development, are vulnerable to ransomware attacks. Rick Howard ponders how we categorize state-sponsored cybercrime. Our guest is Sudheer Koneru from Zenoti on how data privacy impacts salons and spas. And it's high noon in the Black Sea. Do you know where your warships are?
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 22, 2021.
Dave Bittner: eSentire reports finding spoofed Google ads for the Signal and Telegram messaging apps that induce visitors to download RedLine Stealer, information-harvesting malware whose take the criminals subsequently sell in various dark web markets.
Dave Bittner: It's not just Signal and Telegram that are being faked to deliver malicious content. eSentire says others have seen similar activity pretending to be AnyDesk or Dropbox.
Dave Bittner: In this case, the threat actors use convincingly forged download pages for the apps. Users who attempt to get those apps during their visit will be socially engineered, as eSentire puts it, into downloading and initializing RedLine infostealer. The hoods behind the scam are willing to invest. eSentire's report says, quote, "The threat actors who launched these malicious campaigns would have had to spend money purchasing Google ads. The cost of these ads depends on many variables, including the popularity of the keyword - like Signal, Telegram, Viber - and the willingness of other advertisers to pay for that keyword in their ads. Although we do not know the total amount the cybercriminals spent on the Google ads, we do know that purchasing the keyword Telegram can run $.40 per click, while the keyword Signal can cost up to $1.40 per click. It's possible that financing for these ad purchases was itself sourced from earnings from previous malicious campaigns," end quote.
Dave Bittner: So evidently, it pays to advertise. This is the third campaign eSentire has recently tracked in which the threat actors are abusing Google search results. The two earlier efforts were called Gootloader and SolarMarker.
Dave Bittner: Secureworks has taken a look at the LV strain of ransomware that's in circulation, and they've concluded that LV is basically just warmed-over REvil and not really a distinct strain at all. How LV came to share the same code structure as REvil isn't entirely clear. REvil's proprietors, whom Secureworks calls GOLD SOUTHFIELD, and who succeeded the GandCrab operators at the time of that gang's retirement - or dispersal or rebranding - in the spring of 2019, may have sold it, had it stolen or traded it with some criminal partner for other considerations. There's no immediate evidence that LV's operators are running their own affiliate program, but Secureworks thinks it's possible that one is in the offing.
Dave Bittner: The Colonial Pipeline and JBS ransomware incidents raised concerns about two critical infrastructure sectors, and recent reports have suggested that the water and wastewater sector has also come under attack more often than had been thought. This morning, BlueVoyant released a study of the U.S. Defense Industrial Base that concludes that this sector, too, exhibits significant vulnerabilities, particularly among its smaller companies. Half of the 300 small and medium businesses studied were found critically vulnerable to ransomware. Twenty-eight percent fell short of CMMC requirements.
Dave Bittner: Should one of these firms be infected, there's the possibility of disruptions to those supply chains in which the company figures. There's also the possibility that the ransomware could be propagated from the initial victim to partners, prime contractors and subcontractors. The assumption the attackers seem likely to work from, the Washington Post writes, is that smaller firms are inherently less likely to be well-protected against cybercrime than are the bigger outfits in the defense sector.
Dave Bittner: CISA's weekly vulnerability roundup lists 24 high-severity vulnerabilities. Twenty-three of them this past week are Android bugs.
Dave Bittner: And finally, two NATO warships, the Dutch vessel Evertsen and the Royal Navy's HMS Defender, operating in the Black Sea and visiting the Ukrainian port of Odessa, were falsely reported to have moved to disputed waters in the vicinity of the Russian-claimed port of Sevastopol. The USNI News reports that it seems automatic identification system signals were falsified to give the impression that the warships had engaged in what effectively would have been a provocation. In fact, both ships remained in Odessa. Whether the AIS reports were deliberately falsified, and if so by whom, or whether the incident involved some malfunction, remains unclear; how the misreporting occurred is still unknown.
Dave Bittner: Most commercial vessels are required to be equipped with AIS, which is a valuable aid to collision avoidance, among other things. Warships also typically carry AIS, although for security reasons, they may turn it off as necessary since their locations are often sensitive. But navies, too, are interested in safe transit. In 2017, for example, following two deadly collisions between U.S. Navy warships and commercial vessels, the U.S. Navy told its ships to turn their AIS on in heavily trafficked waters.
Dave Bittner: So there are several points in the electronic chain at which AIS positions for the two NATO warships in the Black Sea might have been faked, but it seems that both Evertsen and Defender were in Odessa where they belonged and had every right to be. Again, how the locations came to be misreported remains, for now, unknown.
Dave Bittner: Those of you landlubbers out there who may decide you're interested in looking at what ships are doing where can gratify your curiosity by consulting the AIS aggregation site MarineTraffic. And all y'all mariners, well, stay safe out there, whether you're in the Gulf of Odessa, Manila Bay or practically outside our own windows here on the Chesapeake.
Dave Bittner: Third-party risk is top of mind these days thanks to incidents like the SolarWinds Orion breach. And it's worth considering the broad range of places in our lives where third-party data is stored and shared. Sudheer Koneru is founder and CEO of Zenoti, a provider of cloud-based software for the beauty and wellness industry. They work with companies like Hair Cuttery and European Wax Center; potentially intimate stuff and data worth protecting.
Sudheer Koneru: Some of the more organized and larger-scale footprint businesses do ask for more information around, you know, their preferences in terms of color, skin care, skin type. Some of them even take a photograph of the person's hair before and after, you know, depending on - you know, well-established brands have these kinds of processes defined and they use all that. And then some of the businesses where they do, you know, spa-related services and all that - there, you do need them to, you know, sign a disclosure and, you know, sign a waiver kind of stuff, which - you know, in the event of any challenges. So most spas insist on a waiver of sorts. So yeah, there's - that's the - I would say the spectrum of information.
Dave Bittner: Yeah. It strikes me, too, that there's sort of an intimate relationship you have with the folks who are doing this sort of - these sorts of services for you. You know, particularly, when we're talking about things like grooming, there could be details there, even just the services rendered, that you want to be kept private.
Sudheer Koneru: Yes, absolutely. And, you know, even what services a person took is a private information (ph). And many of these - what we think of as salons and spas go beyond hair itself. They do a lot of skin care treatments. And then nowadays, they are expanding into something called medi spa, which is like, you know - because it is a profitable segment which has - involves, you know - whether it's Botox or other kinds of regimens kind of thing. So yeah, even disclosing who came and what service they took, it would be a liability for them.
Dave Bittner: And is it your sense that the folks who are running these sorts of organizations - do they have a good understanding of the importance of protecting the privacy of this sort of information?
Sudheer Koneru: I would say the well-run and established organizations definitely do, especially if you are running a business which has more than five stores. I think they're - you know, they understand the liability associated with it and are waking up to being very diligent about asking all the right questions and ensuring their software supports these capabilities. And I would say some have even made changes to their software systems as these regulations are getting more prominence in the industry kind of stuff, to make sure their software supports it.
Sudheer Koneru: But yeah, I do think - the small players, I don't think even know or understand any of it. So many of them run their business in pen and paper or some old-school software, which probably is not even complying from a regulatory perspective. Even for the smaller businesses, actually, the compliance is not very hard to achieve today. So software solutions, whether it's ours or others, make it super easy for them when they deploy it to say, hey, the customer - their guest should have the flexibility and control to choose, you know, will they opt in? Will they opt out? - and making sure the business doesn't make any mistake also of saying, hey, accidentally, also, our systems will not allow a business to go send off a marketing mailer to people when the guest has said no. And it protects the business quite well. I think there's awareness, but it's pretty strong in our industry as well. And I think many systems have matured to ensure they're protecting the business overall.
Dave Bittner: That's Sudheer Koneru from Zenoti.
Dave Bittner: And joining me once again is Rick Howard. He is the CyberWire's chief security officer and also our chief analyst. Rick, always great to have you back.
Rick Howard: Thanks, Dave.
Dave Bittner: So your "CSO Perspectives" podcast just wrapped Season 5 last week. And I have to say, it seems as though you've got some free time on your hands...
Rick Howard: (Laughter) Yeah.
Dave Bittner: ...Because at our program meeting this week, you were mentioning a new trend in terms of nation-state hacking activity, something that you call continuous low-level cyber conflict. So that caught my eye - or my ear as being an expensive stringing together of words.
Rick Howard: (Laughter) Yeah.
Dave Bittner: So two questions for you. First of all, how does it feel to have some free time to get caught up? But more importantly, what is this new trend you're talking about?
Rick Howard: Well, it's always good to get some breathing room between deadlines and having time to get caught up in - on the latest developments. And we were getting ready for the CyberWire's quarterly analyst call, which, by the way, is at the end of the month. You don't want to miss any of that. And that's where we get two smart people and me into a room and discuss the three most impactful news stories from the past 90 days. So I'm going through all these old news stories - right? - from the last quarter. And I notice a lot more state-sponsored actors were dipping their toes into cybercrime in various ways.
Dave Bittner: Now, I don't think it's new news that, you know, North Korea, with the Lazarus Hacking Group - they've been conducting cybercrime operations to help fund their espionage operations. Are you saying that we're getting beyond that, that the situation is evolving?
Rick Howard: Yeah, that's exactly right. You know, here at the CyberWire, we started calling the Lazarus Group's crime activity the old APT side hustle, right?
Dave Bittner: (Laughter).
Rick Howard: But - (laughter) - and they originated the idea. But the Russians, with their Internet Research Agency, did it to fund their influence operations in the 2016 U.S. presidential election. And the Chinese do it too for general purpose funding, like how APT41 does it. But that's just one way that nation-state hacking groups conduct cybercrime.
Rick Howard: A slightly different angle than the APT side hustle is the idea of using these very same groups to bring revenue into the country. In my free time here, I sub in on a podcast made by the BBC. It's called "The Lazarus Heist," and it's excellent. But they describe that North Korea is so poor as a country that they use their hacking team to bring in revenue, to support, you know, things they need to buy and maintain and things, right? And so that's very interesting.
Rick Howard: And then we have a completely - another category, which I call state-sponsored organized crime, where the government tasks cyber-adversary groups within their country with specific target sets, like how the Russian FSB co-opted the ransomware group Evil Corp in order to cause chaos and fear in the West. And then, you know, finally, we had the one long-standing tradition that we all know about - OK? - of state tolerated crime - essentially, looking the other way as long as cybercriminals are not attacking their own citizens. And that was one of the things that President Biden and President Putin talked about during this week's summit.
Dave Bittner: Wow. So I guess when we talk about this changing cyberthreat landscape, I mean, these are the kinds of things we're talking about.
Rick Howard: Yeah. And it changes fast. It's always changing. That's what I like about it.
Dave Bittner: Yeah. Yeah. Well, listen, before I let you go, even though you concluded Season 5 of your "CSO Perspectives" show, we are still publishing Season 1 episodes over on the ad-supported side. And what is on tap for this week?
Rick Howard: Yeah. So most of Season 1 was me discussing my first-principle strategies. And this week, we're talking about something that the entire industry needs to go a lot faster on, and that is DevSecOps. So join in and figure out what we're talking about there.
Dave Bittner: All right. We will check it out. Rick Howard, thanks for joining us.
Rick Howard: Thank you, sir.
Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.