The CyberWire Daily Podcast 6.25.21
Ep 1362 | 6.25.21

REvil is back. Misconfiguration with major effect. Mining Monero. Judgments against market-rigging hackers. A FIN7 operator is sentenced.
Dave Bittner: Hey, everybody. Just a quick heads-up before we start the show that this coming Sunday, we will be airing a special episode here from one of our network podcasts from Microsoft Security. It's called "Security Unlocked: CISO Series with Bret Arsenault." Bret, as you probably know, is Microsoft's CISO. In this episode, Bret will be talking to Emma Smith, director of Global Cybersecurity for Vodafone. They'll be talking about the return to in-person work after over a year of being remote and some of the inherent difficulties that come with the change, especially as they relate to inclusivity. We'll be airing the episode here in the CyberWire daily podcast feed this Sunday, but be sure to subscribe wherever you get your favorite podcasts so you can catch up on this new show and never miss an episode. Thanks.

Dave Bittner: REvil hits a Brazilian medical diagnostics company and a British fashion retailer. A misconfigured cloud database exposes millions of WordPress user records. A new cryptojacker is deploying XMRig to mine Monero. A judgment is issued against a hacker and one of the traders he worked with to trade securities on non-public information. Johannes Ullrich from SANS on server-side request forgery and errors in validating IP addresses. Our guest is Tom Patterson from Unisys, reacting to the DOJ launching a ransomware task force. And a FIN7 operator is sentenced to seven years. 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, June 25, 2021. 

Dave Bittner: REvil, the ransomware strain that hit JBS a few weeks ago, has afflicted another victim. São Paulo-based Grupo Fleury, the Rio Times reports, is in the process of responding to and recovering from an attack that's crippled normal operations and forced the large health care organization to revert to backup systems as its customers continue to deliver patient care. Grupo Fleury, the largest medical diagnostic firm in Brazil, was hit on June 22. 

Dave Bittner: REvil has also recently hit fashion retailer the French Connection, the Register reports. The French Connection said that the incident affected its backend servers and that customer data is not at risk. 

Dave Bittner: Infosecurity magazine reports that researchers at Website Planet found a misconfigured cloud database belonging to DreamHost that exposed more than 800 million records associated with WordPress users. It's an accidental exposure, but of course, the actual or potential compromise raises the prospect of more plausible social engineering. The more the hoods know, the more specious their approaches can be. 

Dave Bittner: Avast describes a strain of malware they're calling Crackonosh. The malware's coin jacking capabilities appear to be its main goal. Specifically, it installs the XMRig coinminer and collects Monero. Crackonosh is distributed through pirated, cracked copies of software, including some antivirus utilities. CoinDesk says the hoods operating the malware have taken in around $2 million so far. Crackonosh is evasive, and it takes particular care to disable security software it detects on its victims' machines. 

Dave Bittner: The U.S. District Court for the district of New Jersey entered a default judgment against two gentlemen who hacked non-public copies of press releases from Business Wire, Marketwired and PR Newswire. They then used the information for illicit securities trading. The default judgment - neither of the men appeared - ordered hacker Aleksander Ieremenko to pay a Securities and Exchange Commission-imposed fine of $319 million. One of Mr. Ieremenko's colleagues, trader Pavel Dubovoy, was ordered to pay $33 million dollars. Both are currently resident in Ukraine and so, for the time being at least, beyond the reach of the SEC. 

Dave Bittner: And in other news from the courthouse, another Ukrainian national, Andrii Kolpakov, a leader of some sort in the FIN7 cybercriminal organization, was sentenced yesterday to seven years and required to pay his victims $2.5 million in restitution, the Record reports. Most of the organizations FIN7 hit were in the restaurant, gaming and hospitality sectors. Some prominent fast and fast-casual American dining chains were among the victims, including Chipotle, Chili's, Arby's and Red Robin. FIN7 would sell some of its take in prominent criminal carding markets like Joker's Stash. 

Dave Bittner: Mr. Kolpakov took a guilty plea back in November, and while he evidently made a serious contribution to FIN7's crimes, he was not, as he explained it, anything approaching the kingpin, big boy, No. 1 or Mr. Big. His lawyer argued in extenuation and mitigation during sentencing hearings that Mr. Kolpakov joined FIN7 without fully understanding what he was getting into. Maybe he had a point, although that point wasn't enough extenuation to get him less than seven years. FIN7 represented itself online as Combi Security, an information security outfit that claimed to be a legitimate provider of services to business. This was, for the most part, a recruiting ploy, and Mr. Kolpakov said it worked on him. The Record explains, quote, "Kolpakov maintained that he did not seek to join FIN7. He applied to a classified advertisement for what he thought was a legitimate cybersecurity job at a company called Combi Security. Additionally, Kolpakov made about $75,000 for his work - an amount that provided his family security and stability but a modest sum for a cybercriminal," end quote. 

Dave Bittner: FIN7 put up a website for Combi Security on which the front company described itself as one of the leading international companies in the field of information security. But in truth and fact, the court documents say, Combi Security carried out no legitimate work and was not hired by any company to provide security-related services. So Combi Security was a front for both recruiting and also a front designed to give FIN7's members a measure of plausible deniability. By the time he realized what was afoot, Mr. Kolpakov said he'd been backed into a corner and found it impossible to get out. He apologized to his victims and asked for their forgiveness. 

Dave Bittner: How was he caught? On vacation, of course. Like most Eastern European cybercriminals, he craved sunlight and warmth. Spanish police collared Mr. Kolpakov off in 2018 while he was vacationing in the town of Lepe. He had in his possession incriminating electronic devices - laptop, phone and storage media that were used in FIN7's capers. Spain extradited him to the U.S. in 2019. A moral for criminals and privateers - book your vacations in Chelyabinsk. It may not be scenic, but at least it's safe. And for heaven's sake, while you're on vacation, leave your work at home. We keep telling our editors to do that, but do they listen? No. They take their phones, their laptops, their storage devices to Ocean City with them, and that is no way to vacation. Phooey. 

Dave Bittner: The U.S. Justice Department recently announced plans for a ransomware task force. For insights on this development, I checked in with Tom Patterson. He's chief trust officer for Unisys and a senior fellow at Auburn University's McCreary Center for Homeland Security. 

Tom Patterson: Yeah, I think this is a direction that this entire administration is heading in. The appointments that have been made in national security and cybersecurity have been people that really have a firm grip not just on policy but on what's going on in the real world, how the threats are impacting our critical infrastructure, how they're impacting our daily commerce, how they're impacting our citizens' lives. So they've really, I think, tried to address these issues in a coordinated way but in a way where they're tackling some of these harder ones that are really highly impactful to our economy. 

Dave Bittner: You know, it strikes me also that this is one of the, I suppose, few areas that remains having bipartisan support. You know, there are - I can't think of anyone in Congress who's against better cybersecurity. Does that point to this having an easy pathway through the legislature, if need be? 

Tom Patterson: I've lived in Washington long enough not to project what's going to go through. 

Dave Bittner: (Laughter) Fair enough. 

Tom Patterson: But absolutely. You know, I'm a lifelong national security employee of some sort somewhere. And I can tell you it is a bipartisan effort. We've got great people, regardless of what color tie they wear, that are really highly supportive of this on Capitol Hill. The administration has just been loading up on great additional new people, kept a lot of great people. And so we've got a good team on the federal side, I think, who will be working to drive this forward. 

Tom Patterson: It will take that whole of nation effort, though. So we do need companies, especially ones - companies that work in our critical infrastructure sectors, to really step up. And, you know, if they say we need help, I think the government is more than ready, readier - more ready than they've ever been to step up and give companies the kind of help they need so that they can really help this fight against ransomware. 

Tom Patterson: You know, this is everybody's responsibility. A lot of - you read about these exotic attacks, you know, vectors. And everyone that gets - that's a victim says, oh, we could have never foreseen this. And yet a lot of this malware still gets in because companies aren't doing the basics. They aren't doing, you know, the dozen or so basic things that just has to happen. If you want to have an organization today that uses the internet, especially now you've got your employees working from home, you're going to - you may keep more of that. You've got to step up your defenses and really do the basics across the board. They're not that hard. There is a cost to it, but consider it the cost of doing business. If everybody did the basic stuff, it would make it much harder for these ransomware folks to really get in and cause this damage. So it's something that everybody needs to participate in. And that was really the gist of the initial report from the DOJ is that it's a whole-of-nation effort. 

Dave Bittner: That's Tom Patterson from Unisys. There's a lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews. 

Dave Bittner: And joining me once again is Johannes Ullrich. He's the dean of research at the SANS Technology Institute, also the host of the ISC "StormCast" podcast. Johannes, always great to have you back. Got some interesting stuff to cover today. You wanted to check in on this notion of server-side request forgeries. And what's going on there? Can you share with us - what are you working on? 

Johannes Ullrich: Yeah. So thanks for having me again, Dave. What this is specifically about is, well, server-side request forgery is part of it, and that's certainly a vulnerability that has sort of been taking off over the last few years, with us deploying more and more of these APIs that are HTTP-based, that sort of connect to each other. And as part of this, we have to validate which other APIs a particular API can connect to. It's, after all, all about machines talking to machines these days. 

Dave Bittner: (Laughter) Right. 

Johannes Ullrich: And we have to make sure we only talk to nice machines, not to those, you know, Terminator kind of evil machines that we sometimes have. 

Dave Bittner: Sure. Sure (laughter). 

Johannes Ullrich: But part of how we identify them is by IP address. So a cornerstone of validating what we connect to, what we allow our users to connect to is validating the IP address. And sadly, pretty much every language that's trying to do this has had a very specific vulnerability lately. And that's a fact that IP addresses - they may be represented in octal. And, well, I'm sure you use octal to add up your grocery bills and stuff like this. 

Dave Bittner: Oh, yeah. Sure. Every day. 

Johannes Ullrich: We do this all the time. 

Dave Bittner: Just rattle it off. Sure. 

Johannes Ullrich: Hexadecimal is too complex kind of. 
Dave Bittner: Honestly, I don't think I've thought about octal since I was a kid. 
Dave Bittner: But go on. 

Johannes Ullrich: Yeah. So - and apparently, a lot of developers develop these libraries that validate IP addresses, didn't really think about it. But then the libraries that establish the connection, they think about it. And so now, for example, I may specify an IP address. But now if I use a zero as leading digit, that sort of implicates that this is octal. So think about 10-dot addresses. We always use them. They're usually internal addresses, so they may be allowed. Now, if I say 010 - so zero, one, zero - well, in octal, that's eight. So now if I want to connect to, let's say, 8.8.8.8, the Google DNS server, and you don't want me to connect to the Google DNS server, I could just specify and bypass your filter. 

Dave Bittner: Wow, OK. Clever computers, clever computers, clever people - well, is there a fix here? What's the workaround, or is this something we're stuck with? 

Johannes Ullrich: Well, the fix is so often just update everything. That'll fix it. I think it was this week we had a fix, for example, for the Python library that does that. A couple of months ago, we had the respective sort of npm libraries were updated. Perl was vulnerable. Like I said, pretty much any language was vulnerable. As a quick workaround, well, don't allow these leading zeros. Now, OK, the purists here will complain that you're supposed to allow it because the standard allows it, but we throw standards out of the window all the time, if it makes things easier so... 

Dave Bittner: (Laughter) Right. Right. And safer - and safer. 

Johannes Ullrich: And safer - so I would say, hey, for now, if there's a leading zero, no good point in having that. Let's throw out those IP addresses. And hopefully over time, your libraries will get updated and fix that. 

Dave Bittner: All right. Interesting stuff as always. Johannes Ullrich, thanks for joining us. 

Johannes Ullrich: Thank you. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is sending warm wishes for future success to producer Kelsea Bond, as she leaves the CyberWire and moves on to new challenges and opportunities. On behalf of all of us, I can say that Kelsea's contributions to our team were invaluable, and we wouldn't be where we are today without her hard work, creativity and dedication. Good luck to you, Kelsea. And don't be a stranger. I'm Dave Bittner. Thanks for listening.