Notes on current cyber criminal campaigns. Will Exercise Cyber Flag show the way toward an expedition to the virtual shores of a metaphorical Tripoli?
Dave Bittner: The ChaChi Trojan is out, about and interested in educational institutions. Bogus free subscription cancellations figure in a social engineering campaign designed to get the victims to download BazarLoader. Ursnif is automating fraudulent bank transfers with Cerberus Android malware. The U.S. Senate invites the Department of Defense to think of ransomware as analogous to piracy, and Defense says it's thinking along those lines. Ben Yelin looks at digital IDs on mobile devices. Our guest is Bryan Patton of Quest Software on shoring up your defenses against future threats. And rest in peace, John McAfee.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, June 24, 2021.
Dave Bittner: BlackBerry researchers have been tracking a variant of the Golang remote access Trojan. They're calling the variant ChaChi, and it's being used by operators of the PYSA ransomware. Educational institutions have recently figured prominently among the gang's targets. As BleepingComputer observes, the RAT has been upgraded to include the obfuscation, port-forwarding and DNS tunneling capabilities it formerly lacked.
Dave Bittner: Microsoft is tracking an active BazaCall campaign, ZDNet reports. Palo Alto Networks last month described how BazaCall backdoors vulnerable Windows systems with BazaLoader malware. A note on naming - Microsoft's tweets have called the campaign and the malware BazaCall and BazaLoader, respectively. Most others call the campaign and the malware BazarCall and BazarLoader. Either way, they're the same threat.
Dave Bittner: The BazarCall operators use, in effect, a call center as a major link in their social engineering chain. The scam begins with a phishing email telling the recipient that their free trial subscription to some service is about to expire and that unless they call a number to cancel it, they'll automatically be enrolled in and, of course, charged for the subscription. The examples of emails Microsoft shares screenshots of in their tweets are patently bogus. ZonerPhoto and Prepear Cooking are the two examples of phishbait they give. The names are close to those of legitimate services, who, of course, have no relation whatsoever to the phishers.
Dave Bittner: Should you be persuaded to call, the operator - who's, of course, standing by - will direct you to a site where you're supposed to download an Excel file you can use, the operator says, to cancel your subscription or decline the upgrade to a premium service and so on. Should you be incautious enough, trusting enough to follow the operator's instructions, you'll be directed to a site that offers an Excel file as promised, but one with malicious macros designed to deliver the payload. That payload has been BazarLoader. More recently, Microsoft says, the gang has been using Cobalt Strike to steal credentials, including the victims' Active Directory database, and exfiltrate data via Rclone.
Dave Bittner: The campaign is tough to stop by technical means, Microsoft observes. The initial email contains no links and no attachments, which are the customary items that trip warnings.
Dave Bittner: IBM has found a variant of the Ursnif banking Trojan using Cerberus Android malware to help automate fraudulent bank transfers. One of Cerberus' main roles in the attack is to receive two-factor authentication codes sent by banks to their users when account updates and money transfer transactions are being confirmed in real time. The new variant has been most often seen in Italy.
Dave Bittner: The Social reports that U.S. Deputy Assistant Secretary of Defense for Cyber Policy, Mieke Eoyang, yesterday told the Senate Armed Forces Subcommittee on Cyber that despite complications involving international law, the history of piracy suppression holds valuable lessons for dealing with current ransomware attacks. She seems to have the Barbary pirates in mind, tolerated and encouraged by Tripolitan authorities, and not the legal combatants who sailed under letters of marque and reprisal. But to go to the virtual shores of a metaphorical Tripoli is no longer as directly straightforward as sending in Captain Decatur with a file of Marines.
Dave Bittner: Senator Mike Rounds, Republican of South Dakota, framed the discussion with a brief historical excursion. Quote, "In the beginning years of our country, we made it very clear that when pirates would attack shipping that was vital to the United States, we actually created the Marine Corps, in a way, to actually go on out and find these private citizens who were acting as pirates, and we basically took them out - even though they had found a safe harbor in other sovereign countries. In doing so, we extended and recognized that the defense of our country included the defense of our assets," end quote. And of course, this was done in cases like the Tripolitan expedition. Senator Rounds concluded, quote, "I think it still holds true with regards to cyberattacks. And I think the Department of Defense clearly has a role to play in extending and in protecting - and I think most citizens of the country believe that if someone from out of the country is going to attack us - either critical infrastructure or in the case of ransomware, if there is a way for our Department of Defense to either stop the incoming attacks, or to respond accordingly outside of our country to those incoming attacks, would seem to be appropriate to do so. Recognizing that this is not normal, just stealing of information and espionage, this is a demand for payment or this is a direct attack on property within the United States," end quote.
Dave Bittner: The deputy assistant secretary said she appreciated the senator's analogy, quote, "because I've actually been thinking a lot about the development of international law and piracy as it relates to cybersecurity. And I think it's a very instructive one for us as a nation. One of the challenges that we saw with piracy is that territories at that time were either unwilling or unable to do anything about the threats that emanated from their territory. And I think this is a very important question for us to be asking now as we see the cyberactors who are operating outside the United States" end quote.
Dave Bittner: There are two possible cases, she said. The threat actors may be operating from territory the host nation is unable to control. And the remedy in that case would lie in diplomacy, cooperation and capacity building. Or they might be operating, as the Barbary pirates did, at the sufferance of a host government. And that's a very different matter, a diplomatic challenge and a national security challenge, as she put it. In such cases - and Russia is the unnamed obvious case - it's necessary to make it clear to such governments, quote, "that they have a choice to make about whether or not they are willing to do anything about this and that they will be held accountable for being unwilling to do so" end quote.
Dave Bittner: How to hold them accountable is, of course, the big problem. Tell it to the Marines, to be sure, but America's Corps of Marines will be thinking through this analogy in the context of the ways in which international law has evolved over the two centuries in which Hassan Bey has been replaced by Vladimir Putin.
Dave Bittner: And if you don't believe us that the Marines and other services are mulling this sort of thing, read yesterday's Marine Corps Times, which has a story on Cyber Flag 21-2, which is using Cyber Command's Persistent Cyber Training Environment in a joint and combined exercise designed not only to train, but to help shape tactical doctrine.
Dave Bittner: This year's Cyber Flag scenario is set in a customarily fictitious location - in this case, a Pacific-allied logistics depot which has to contend with two distinct adversaries. One is sophisticated and interested in disruption and denial. The other is less advanced and concerned with theft of intellectual property and personal data. By the way, our ordnance desk informs me that pronouncing it deh-poh and not dee-poh will help you pass as a member of the Ordnance Corps in bars.
Dave Bittner: The participants include more than 430 personnel and 17 teams from the U.S., the U.K. and Canada from the National Guard, the U.S. House of Representatives and the U.S. Postal Service.
Dave Bittner: And finally, Reuters reports that commercial antivirus pioneer John McAfee died yesterday in a Barcelona jail, an apparent suicide. Earlier that day, a Spanish court had ruled that McAfee would be extradited to the U.S., where he faced charges of tax evasion. McAfee was 75 and is believed to have taken his life over the prospect of having to spend the rest of it in a U.S. federal prison.
Dave Bittner: Suppose you find yourself in the midst of that nightmare scenario. Word comes from your team that your network has been compromised. How should you respond, both in the moment and afterwards, when things are back up and running? I checked in with Quest Software's principal solutions consultant Bryan Patton for his perspective.
Bryan Patton: Well, I think there's an emotional state that happens. And people really are in a moment of disbelief where they can't really believe that it's happening to them. I think that's a common problem. And then it's like, OK. What do I do next? What's the next thing I need to be able to do? Is it impacting absolutely everybody, or is it just affecting, you know, a part of my network?
Dave Bittner: I see. What sort of mistakes do you find people making in the heat of the moment?
Bryan Patton: I think a lot of it, when you're doing, like, a full disaster recovery, is assuming that you were already covered. You know, unfortunately, there's a lot of different vendors out there that have backup tools. And if you're an executive, you probably think that you're already covered. But unbeknownst to a lot of different people, you know, restoring Active Directory and your identity is a lot different than restoring, you know, data in a directory.
Dave Bittner: Yeah. All right. Well, let's say recovery happens and, you know, you're back up and running. What now? How do you go about making sure this doesn't happen again?
Bryan Patton: Well, you know, having the different key information as to what happened so you understand the attack that did happen is absolutely vital. So hopefully all the different audit data as to what happened wasn't encrypted as well, and hopefully you can salvage to figure it out. But now you're kind of like, OK. What can we do to contain it? You know, what I've seen is, some organizations - they've been attacked, pay the ransom, for example, and they get attacked again if they don't patch it up. So it's really important to put a control in place for whatever vertical it was that people did as far as that attack pattern.
Bryan Patton: So this is where it's really good to have an emphasis on how did this happen, so if it's a patch, you can patch it up, make sure that doesn't happen again. If it's due to the fact people have more rights than are really needed, well, now we need to really fast-forward our privileged account management strategies and work on reducing administrative privileges in your environment.
Dave Bittner: You know, it's interesting. I suppose there are a lot of folks who are still kind of, I don't know, whistling past the graveyard and trying to rely on obscurity or security by obscurity, which I suppose you simply can't do anymore.
Bryan Patton: You can, but you shouldn't.
Dave Bittner: (Laughter).
Bryan Patton: I think it's people realizing that it hasn't happened to them yet, and it's not real until it finally does happen to them. You know, it's not a matter of if you're going to be attacked. It's a matter of when you're going to be attacked. And if it does happen, make sure your backup files you have aren't affected as well. We're seeing very commonly where attackers will go out there and attack the backup files first and encrypt that different data.
Bryan Patton: So whatever you can do, whatever tools you're using, make sure you have an offline copy of your backups. And even if you do have that with a third-party provider, figure out what the SLAs are to be able to get those different backups back. If it takes you three days to get a backup back from your vendor, that SLA is probably not going to do you a lot of good.
Dave Bittner: That's Bryan Patton from Quest Software.
Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Hello, Ben.
Ben Yelin: Hello, Dave.
Dave Bittner: Interesting story from WIRED. It's titled "Apple Says It's Time To Digitize Your ID, Ready or Not." This is written by Lily Hay Newman. And really what this is about is that beginning with iOS 15, which is coming out this fall, Apple's going to enable you to store your state ID inside your iOS device, in your Apple wallet, which is Apple's digital version...
Ben Yelin: Next to your airline tickets, your Panera card, and...
Dave Bittner: All - yeah. All that stuff (laughter).
Ben Yelin: All that fun stuff. Yep.
Dave Bittner: So this strikes me as being an interesting shift and perhaps a pivot point for this sort of thing. What's your take on this, Ben?
Ben Yelin: It's really interesting. Apple is ahead of the curve here because so far, only a couple of states have authorized digital IDs. A few other states have tried to develop systems and have hired contractors to try and develop a system for having digital IDs. But digital IDs, particularly when it relates specifically to driver's license, are still in their infancy. Even the states that allow for digital identification still require you to carry a physical copy of your ID. And now, Apple is saying that, at least when iOS 15 is released, the capability will exist to store your ID digitally. And perhaps that will be the impetus for other states to introduce digital IDs and maybe over the long term make that - you know, make the identification system exclusively digital, although I think we're a very long time from that point.
Ben Yelin: There are a couple potential security concerns here. You know, you are required to - or you are able to use biometric information to unlock your phone to show your digital ID. So if you're at the airport, and you're getting screened by the TSA, you need to show them your driver's license, it's really good, as opposed to the physical license, that it can't just, you know, fall out of your pocket, and somebody else can pick it up and use it as a fake ID. The digital format allows it to be relatively secure. You'd need somebody's fingerprint, you know, somebody's Face ID, et cetera, to open it.
Dave Bittner: Right.
Ben Yelin: But that also presents its own risks. Because once you have opened that device, that does potentially open the door for law enforcement to go snooping in that device. It's been unlocked. And that could be a privacy concern for people who want to use digital IDs.
Ben Yelin: We also - there's just kind of a lack of transparency from Apple. Even though they've indicated that this is going to be part of their iOS 15 release, they haven't really identified any details. We don't know whether they're going to follow some of the compliance standards that have already been issued for digital IDs. And I think a lot of the concerned parties here, the Electronic Frontier Foundation being one of them, is sort of withholding their support of digital IDs until they can see what privacy and security features are included and whether Apple is working directly with any states on pursuing, you know, universal digital ID policies.
Ben Yelin: So that's kind of where I see where we are with this issue now. It's certainly going to be something that, if it's available, is going to greatly improve our convenience, particularly at places like airports. But I worry that, you know, if you are stopped for a traffic stop, you hand law enforcement your phone, and they tell you, unlock this so I can see your driver's license. You give them your device. They see some incriminating text messages. You know, that might be a problem for you.
Dave Bittner: Yeah.
Ben Yelin: So I think it's something that we have to watch out closely what the details are here going forward.
Dave Bittner: Yeah. A couple of things come to mind. I mean, folks have pointed out that if they made this ID part of something that was accessed from the lock screen, so you could have the ID available without unlocking the phone, that could be a good step to help with some...
Ben Yelin: Right, although that would cut against one of the security benefits of it, that if it were available on the lock screen, then, you know, anybody could steal or pick up your phone and...
Dave Bittner: Right. Right.
Ben Yelin: ...Show that ID.
Dave Bittner: Right. The other thing that I think is potentially interesting and perhaps beneficial here is if the user had control over the granularity of the information shared. For example, you know, I'm waiting in line to get into my favorite college bar, right?
Ben Yelin: Creep.
Dave Bittner: (Laughter) Well, I'm - all right. I'm waiting in line to get into my favorite age-appropriate bar.
Ben Yelin: There we go.
Dave Bittner: (Laughter) And that bouncer doesn't need to know my address, right? The bouncer only needs to know that I am old enough to get into the bar.
Ben Yelin: Right.
Dave Bittner: Right? So...
Ben Yelin: And that you're you.
Dave Bittner: Right. Exactly.
Ben Yelin: So perhaps the photo and the age, but they don't need to know your address or whether you're an organ donor.
Dave Bittner: Right - certainly don't need to know my weight.
Ben Yelin: Oh, gosh. Yeah.
Dave Bittner: (Laughter) Right?
Ben Yelin: That's what's good about having an old license, is that that weight is out of date.
Dave Bittner: Right.
Ben Yelin: And I'm flattering myself with it.
Dave Bittner: Yeah. Is this you? This looks like an old guy.
Ben Yelin: Yeah.
Dave Bittner: (Laughter) Yeah, yeah. So I think that could be a potential benefit here, that you only provide access to the information that's necessary in that transaction.
Ben Yelin: Yeah. We already do that with other uses of Apple Wallet. I mean, the information on the credit card in your Apple Wallet isn't as complete as the information on an actual physical credit card, for example. So, you know, if we could develop something like that where maybe as part of the lock screen, you are only, you know, showing a picture and somebody's age so that the rest of the information that's more proprietary is reserved for either an unlocked device or a physical copy of that ID, I think that's something that could be potentially promising.
Dave Bittner: Yeah.
Ben Yelin: I mean, I'm excited about it because potentially it means that there's, you know, fewer things to carry around when you're traveling.
Dave Bittner: Right.
Ben Yelin: So if I didn't know anything about the potential security concerns, I think it would be something to be really excited about.
Dave Bittner: (Laughter) Right. Right.
Ben Yelin: But I just think, you know, we have to keep our eye out for the specifics here.
Dave Bittner: Yeah.
Ben Yelin: Exactly what is Apple doing? Who are they working with? And are they using the standards that have already been developed?
Dave Bittner: All right. Well, certainly it's something to keep an eye on, but an interesting development either way. Ben Yelin, thanks for joining us.
Ben Yelin: Thank you.
Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.