A look at some threats to ICS endpoints. EternalBlue remains a problem. US preparing attribution of the Microsoft Exchange Server hack. DoubleVPN seized. An arrest in the Gozi case.
Dave Bittner: Hey, guys. Dave here with a special announcement. You all know about CyberWire Pro, our subscription service that accesses our premium original programming, where we bring in leading industry experts to create informative and actionable cybersecurity content that you just can't get anywhere else. I want to let you know all about a special promotion we're running for Independence Day. When you purchase a CyberWire Pro annual subscription, you'll get three free months on top of the already discounted price of $99. Sign up and get your free three months at thecyberwire.com/julyfourth. That's thecyberwire.com/julyfourth.
Dave Bittner: A report on threats to industrial control systems is out, and it focuses on ransomware, coinjacking and legacy malware. EternalBlue remains a problem. The U.S. is preparing a formal attribution in the case of the Microsoft Exchange Server campaign. An international police operation has taken down DoubleVPN, and the authorities seem pretty pleased with their work. Joe Carrigan examines vulnerabilities in systems from Dell. Our guest is Vikram Thakur from Symantec on multifactor authentication evasion. And the guy who allegedly provided the Gozi banking malware with its bulletproof hosting has been collared in Bogota.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 30, 2021.
Dave Bittner: Trend Micro this morning released a study of ransomware's growing infestation of industrial control systems. Ryuk, Nefilim, Sodinokibi and LockBit variants accounted for a majority of the incidents Trend Micro investigated. The researchers wrote, quote, "Ransomware in ICS could lead to loss of view and control of physical processes, since such attacks encrypt a variety of files, including image and configuration files that are necessary for rendering the interface. This, in turn, leads to loss of revenue due to disrupted operations. Victims could also lose money from extortion schemes, as more ransomware operators also threaten to publicize stolen data," end quote.
Dave Bittner: Their report led with ransomware, which seems right given the current prominence that particular kind of threat has now. But they also discussed coinminers. These can have a bad effect on the operation of ICS endpoints, rendering them slow and unresponsive, particularly when those endpoints are running old operating systems or have limited CPU capacity. Both of these conditions are common enough in ICS environments. Trend Micro also discusses the effect legacy malware like Conficker can continue to have on industrial control systems. A lot of that legacy malware is propagated via removable media. Industrial countries are infected in different ways and at different rates. China is the leading sufferer of legacy malware. The U.S. has to put up with the highest rates of ransomware infections. And India is the unfortunate leader in the tally of coinjacking victims.
Dave Bittner: Trend Micro's recommendations will surprise few, but they're good advice nonetheless. Patch systems with security updates - a lot of the infestations they observed found their way in through EternalBlue exploits; there are fixes for that. Implement microsegmentation in the network or use virtual patching technologies. Restrict network shares and enforce strong username and password combinations. Use Intrusion Detection Systems and Intrusion Prevention Systems. Install antimalware solutions - these are particularly useful in controlling legacy malware. Set up USB scanning kiosks, and get people to use them before they plug removable media into a network. Apply the principle of least privilege. Consider regional differences in security awareness and implementation - this is especially important for multinationals. And identify and audit systems with low-risk tolerance.
Dave Bittner: Also this morning, Guardicore issued an update on the Indexsinas SMB worm, also known as NSABuffMiner. The worm has been in use since 2019 and recently has been most active against targets in the health care, hospitality, education and telecommunications sectors. The victims use SMB servers vulnerable to EternalBlue, and the campaign makes massive use of Equation Group exploit kit that includes both the EternalBlue exploit and the DoublePulsar backdoor.
Dave Bittner: The U.S. government expects to issue a formal attribution of Microsoft Exchange Server hacks in the coming weeks, Deputy National Security Adviser for Cyber Anne Neuberger said yesterday, The Hill reports. Microsoft announced the discovery of that campaign back in March, and Redmond was quick to attribute the hostile activity to Hafnium, a Chinese government-run threat actor. Neither Neuberger nor other U.S. officials have tipped their hand on attribution, but if you're betting on form, there's a pretty good chance Microsoft has this one right - straight up; it was the Chinese services.
Dave Bittner: DoubleVPN, a service based in Russia that catered to cybercriminals by helping them obscure both their physical location and originating IP address, was taken down yesterday in an international law enforcement operation, BleepingComputer reports. As its name suggests, DoubleVPN double encrypted - at least - data that transited its service. The takedown notice on what's left of doublevpn.com says, quote, "On 29th of June 2021, law enforcement took down DoubleVPN. Law enforcement gained access to the servers of DoubleVPN and seized personal information, logs and statistics kept by DoubleVPN about all of its customers. DoubleVPN's owners failed to provide the services they promised. International law enforcement continues to work collectively against facilitators of cybercrime wherever and however it is committed. The investigation regarding customer data of this network will continue," end quote.
Dave Bittner: Britain's NCA, which credited the Netherlands with leading the effort, tweeted that DoubleVPN was advertised on both Russian- and English-speaking cybercrime forums as a service which provided anonymity to those seeking to carry out cyberattacks. Its cheapest virtual private network connection cost as little as 19 pounds. NCA assessed the action as extremely significant, adding that not only have we successfully affected the takedown of DoubleVPN, but it is the first time law enforcement has been able to take direct action against a criminal-enabling service of this type. Europol in particular isn't just tweeting; it's crowing large over the operation, with a hand emoji waving in triumph that, quote, "The golden age of criminal VPNs is over."
Dave Bittner: And in another law enforcement action, Colombian authorities have arrested the alleged distributor of the Gozi virus, the Washington Post reports. Mihai Ionut Paunescu was taken into custody as he was passing through the airport in Bogota. He faces the prospect of extradition to New York, where U.S. authorities intend to try him for computer intrusion and bank fraud. Gozi infected computers in at least eight countries - the United States, Germany, Finland and the United Kingdom among them - and both individuals and organizations were affected.
Dave Bittner: Mr. Paunescu is the third person the U.S. has pursued for their roles in Gozi. Nikita Kuzmin, a Russian national and creator of the Gozi virus, was arrested in the U.S. in November 2010. He took a guilty plea in May of 2011. Deniss Calovskis, who went by the hacker name Miami, a Latvian national who improved Gozi's code, was arrested in Latvia. And in January 2016, he was sentenced in the U.S. to the 21 months he'd served while awaiting trial. Mr. Paunescu's alleged role in the criminal activity was different from those played by Misters Kuzmin and Clovskis. They coded; he provided the bulletproof hosting service used to distribute Gozi and other malware. Mr. Paunescu, who went by the hacker name Virus, was arrested in 2012 by Romanian authorities but was able to escape extradition to the U.S. His luck ran out this week.
Dave Bittner: A pro tip to those on the lam - plan your vacations with the possibility of extradition in mind.
Dave Bittner: Recent high-profile incidents like SolarWinds and the Microsoft Exchange Server attacks have highlighted the fact that in response to multifactor authentication establishing itself as a basic security standard, adversaries are pivoting to methods capable of bypassing it. Vikram Thakur is technical director at Symantec, and he offers these insights.
Vikram Thakur: Over the past, I want to say, at least 10 years, we've been seeing attackers trying to go after different types of high-value accounts, different types of information that might be stored in organizations which are of extremely high value, but they've been protected using multifactor authentication, which just means that - hey, even after you get onto the network or even after you gain access to an account, you still need that little second token or you need that second password in order to gain access to the information that you need.
Dave Bittner: And so what have we seen from the attackers, then? How have they adjusted their methods to try to get around this?
Vikram Thakur: So we've seen a variety of techniques that attackers have used in the past. And I can go back 10 years. In fact, in 2011, in the month of March, we probably saw one of the biggest attacks on this two-factor authentication probably to date, where the attacker - what they wanted to do was they wanted to gain access to some very critical defense-related information in the Western world, but they realized that the organizations were using a two-factor authentication mechanism, which was provided by a company called RSA. So the attackers then said, well, instead of us trying to somehow circumvent the two-factor authentication, why don't we go and hack into RSA and try to see if we can somehow steal some secrets from there that'll help us enable getting into the defense information that they truly wanted to. And they were successful. They hacked into RSA. It's a public piece of information that you can see from 2011. They got in. They were able to steal secrets related to the two-factor authentication and then make use of it in order to get the data that they wanted. So that's been going on for at least 10 years.
Vikram Thakur: The latest attempts that we see is - somehow the attackers are getting onto the servers that are managing two-factor authentication, or they're managing a service that they truly want to get access to, and that machine itself may not be guarded by two-factor authentication. So as an example, while people might have two-factor authentication enabled on their email accounts, the attackers found a way to not bother going after email accounts as much as they just went and hacked into the email server itself. So they get into a network, and they found a vulnerability which enabled them to get onto the email server, and once on there, they found a way to just access any user's mailbox without even requiring the two-factor authentication. So that's just an example of how these attackers are trying to go around the requirement for two-factor authentication. But it doesn't take away from the fact that two-factor authentication is extremely useful, and it is efficient, and it does the job because it's forcing the attackers to try really, really hard. And the attackers have realized that they cannot seem to somehow crack into that method of two-factor authentication, so it's forcing them to go around it and try to find weaknesses in the systems that might be using two-factor authentication.
Dave Bittner: That's Vikram Thakur from Symantec.
Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: So some interesting research from the folks over at Eclypsium caught my eye. They have discovered some vulnerabilities that are affecting some Dell computers.
Joe Carrigan: Correct.
Dave Bittner: What's going on here?
Joe Carrigan: It's affecting 129 models of Dell computers.
Dave Bittner: OK.
Joe Carrigan: That's a lot of computers. It goes back very far. These are vulnerabilities in the BIOS, and BIOS stands for basic input output system, I believe, if my memory serves.
Dave Bittner: (Laughter) It's been around a long time, yeah.
Joe Carrigan: It's been around - (laughter) Yes. It's the very first thing when you turn on - I don't even know if - actually, nowadays you don't even see it. But when you used to turn on your computers, you'd see the BIOS come online very quickly.
Dave Bittner: Right.
Joe Carrigan: It's essentially an embedded system in your computer that starts everything up, right?
Dave Bittner: Yeah.
Joe Carrigan: But it's still just software. And Dell has this product called BIOSConnect that allows a computer in BIOS to call - phone home to Dell for support purposes.
Dave Bittner: So, like, to get firmware updates and things like that? OK.
Joe Carrigan: Exactly. Or if you've lost your operating system and you can't get it to boot or something's missing, you can actually still get this thing to connect to the Dell servers in BIOS because that's always going to be there.
Dave Bittner: OK, sounds like a good thing in theory (laughter).
Joe Carrigan: Yeah, it is a good thing in theory, and it would be a great thing in theory if it was done right.
Dave Bittner: Yeah.
Joe Carrigan: But what's happened here is the first vulnerability that they found, that Eclypsium found, is a problem with TLS certificates. And TLS is Transport Layer Security. It's how the internet works. But this software is written in C code - right? - at a very low level, so getting that TLS handshake correct is important, and Dell didn't do that here. In fact, this system - if you have a privileged network attacker on the network, and they can intercept, like, a DNS call out to the Google DNS server of 8-8-8 - (unintelligible). I'm not - I'm getting too technical.
Dave Bittner: (Laughter).
Joe Carrigan: They can intercept the communication.
Dave Bittner: Yeah.
Joe Carrigan: Right? And then impersonate Dell and hand back any readily available, freely available TLS certificate, and the software in the BIOS will accept that and say, OK, you're Dell, right? So...
Dave Bittner: Oh, and any certificate at all, this software says, we're good here.
Joe Carrigan: Just about, as long as it's not self-signed. It has to be from a certificate authority that's in the - but those are not easy - not hard to come by.
Dave Bittner: I see.
Joe Carrigan: You can actually get one anywhere.
Dave Bittner: Yeah.
Joe Carrigan: So if you're on the network, if the malicious actor is on the network, they can intercept the traffic, they can feedback the - some bogus certificate, and the service will then - the service on that computer will then trust the attacker, and then the attacker can exploit one of three buffer overflow vulnerabilities that were also found in the software.
Dave Bittner: Right. Bob's your uncle.
Joe Carrigan: Right, exactly. And that allows arbitrary code execution. There's even one that allows arbitrary code execution in BIOS, so they could completely replace the BIOS of your machine, and...
Dave Bittner: Bob's really your uncle (laughter).
Joe Carrigan: Yeah, Bob's really your uncle. Now you're hosed, right?
Dave Bittner: (Laughter) Right, right.
Joe Carrigan: I mean, it may be to the point where you might have to just throw the motherboard away, right?
Dave Bittner: Wow.
Joe Carrigan: It's - you know, because you can never trust it again.
Dave Bittner: Yeah. So where are we with this? Dell has responded?
Joe Carrigan: Dell has responded. Eclypsium is not releasing all the technical details until Defcon, which is in August. They're going to do demos and put everything out there. Dell has already patched two of the vulnerabilities, and they say they're going to patch the other two in July. So it's time to update your BIOS. But one of the things that Eclypsium says is update your BIOS manually.
Dave Bittner: (Laughter) Right.
Joe Carrigan: Right? Don't trust the tool.
Dave Bittner: Right. Yeah. Oh, how ironic (laughter).
Joe Carrigan: Yeah, and verify the hashes that are available on the Dell site.
Dave Bittner: Yeah.
Joe Carrigan: So go out to Dell, download the patches, verify the hashes. That's a lot easier to do now on Windows machines with PowerShell. You can just Google how to verify hashes. You don't have to download a tool anymore like you used to. And you can then run the BIOS update application from the operating system, and that will update the BIOS.
Dave Bittner: OK.
Joe Carrigan: So it's pretty easy to do. Just get it done. And get it done before August because (laughter) once this stuff is disclosed to Defcon, it's going to be out there in the wild.
Dave Bittner: Right. So go check out to see - if you have a Dell machine...
Joe Carrigan: Right.
Dave Bittner: ...Go check out to see if it's vulnerable to this, and if so, put your plan into action.
Joe Carrigan: That's right.
Dave Bittner: All right. All right, well, Joe Carrigan, thanks for joining us.
Joe Carrigan: It's my pleasure.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.