The CyberWire Daily Podcast 7.2.21
Ep 1367 | 7.2.21

Mitigating PrintNightmare. New ransomware strains in circulation. Router firmware patched. Russia denies brute-forcing anyone. What the reinsurance rates tell us.


Dave Bittner: Mitigations for the PrintNightmare vulnerability are suggested. Wizard Spider has a new strain of ransomware in its toolkit. A new RagnarLocker strain is in circulation. NETGEAR patches router firmware. Russia reacts to U.S. reports of a GRU brute-forcing campaign. Kevin Magee from Microsoft shares some of the tools he uses to keep himself and his team up to date. Our guest is Andrew Patel from F-Secure on how to prepare security teams for AI-powered malware. And a quick look at the true costs of cybercrime.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, July 2, 2021. 

Dave Bittner: CISA and US-CERT urge users to disable Windows Print Spooler in domain controllers and other devices not used for printing. Microsoft's June update addressed CVE-2021-1675 - being referred to as PrintNightmare - but that update didn't foreclose the possibility of exploitation. Security Boulevard reports that researchers briefly and inadvertently posted a proof-of-concept exploit for PrintNightmare last month, so this particular cat was at least briefly out of the bag. The CERT Coordination Center suggests two mitigations, both of which come at a cost of some printing functionality. Option one is to stop and disable the Print Spooler service. Option two is to disable inbound remote printing through Group Policy.

Dave Bittner: BleepingComputer reports that FortiGuard Labs researchers have found the TrickBot gang Wizard Spider using a new ransomware variant, Diavol. Diavol has strong similarities to Conti, enough for high confidence in a circumstantial attribution. It doesn't have any built-in methods for avoiding installation on machines with Russian-language packages, as does Conti. But like Conti, Diavol uses asynchronous IO operations for file encryption queuing, and it uses similar command line parameters to achieve similar functionality. Diavol is also a bit of a throwback in that it's straight-up encryption ransomware. It doesn't appear to have any of the now-customary ability to exfiltrate data as part of a double extortion scheme. Wizard Spider, generally regarded as a financially motivated criminal gang, suffered a bit of a setback when a number of TrickBot servers were taken down earlier this year. But TrickBot has survived the takedown, and Wizard Spider has stayed in business. 

Dave Bittner: BlackBerry has an account of the new RagnarLocker ransomware variant recently used against ADATA, manufacturer of DRAM and NAND Flash products. This version of RagnarLocker does follow the current criminal best practice in that it's a double extortion tool; it steals data before it encrypts them. 

Dave Bittner: SecurityWeek reports that NETGEAR has patched firmware flaws in its routers. Microsoft researchers discovered and reported the issues. 

Dave Bittner: Yesterday's joint announcement by U.S. and British intelligence services that they detected a large-scale brute-forcing campaign run against Western targets by Russia's GRU prompted a predictable response from Russia's government. The Russian Embassy in Washington issued a long statement in which it both denied any Russian involvement and complained that Russia itself was under constant U.S. cyberattack. Quote, "It's high time to put things in order on the American soil, from where constant attacks on critical infrastructure emerge. We emphasize that fighting against cybercrime is an inherent priority for Russia and an integral part of its state policy to combat all forms of crime," end quote. 

Dave Bittner: With the recent conclusion of the Russo-American summit, RT clucks, one would have hoped for better. Quote, "We hope that the American side will abandon the practice of unfounded accusations and focus on professional work with Russian experts to strengthen international information security," end quote - that's Russian official sources after the Geneva meetings. RT also notes that Russian Foreign Minister Lavrov said after the summit, quote, "Moscow sent more than 40 appeals to Washington regarding American cyberattacks but received very few responses," end quote. This and other protestations of Russian innocence, like those published in RT, strike most observers as unconvincing. But it certainly looks as if the Aquarium has let the Bears out. The Register suggests a road not taken by Moscow's diplomats - people should be thanking the Kremlin for the free pentesting. Thanks, Vlad, for the cyber-check-up and the containerization case study, the Register says.

Dave Bittner: Recent cyber incidents have exacted a fiscal toll on their actual and potential victims. Security firm IronNet places the average cost to affected companies of the SolarWinds compromise at 11% of annual revenue, which is high enough by any account. IronNet told ITBrief that one of the reasons for the high impact is that organizations still have a tendency to fight off attacks on their own, and that they might well do better with more information-sharing. 

Dave Bittner: But you needn’t actually be hit with a cyberattack or a cybercrime caper to take a bit of a financial bath. One place higher costs show up is in the insurance market. The reinsurance broker Willis said that, for the July renewal season, cyber reinsurance rates have risen by up to 40%. 

Dave Bittner: Reuters reports, citing a study by Coveware, that the average ransom payment made by a business to restore data after a cyberattack was $220,000 in the first quarter, up 43% from the last quarter of 2020. 

Dave Bittner: James Vickers, chair of Willis International, told Reuters, quote, "Reinsurers that have been writing cyber are looking at considerably worse results than a few years ago. I don't think people had really imagined the extent of the ransomware attacks going on," end quote.

Dave Bittner: These are big jumps. Here’s one comparison - property reinsurance rates for the U.S. state of Florida were up as well in July, but only by 30%, not the 40% seen in cyber policies. And remember - hurricane season is just getting under way in the Sunshine State. 

Dave Bittner: For several years now, artificial intelligence and machine learning have been popular buzzwords in the cybersecurity world - practically irresistible to the folks in marketing. The terms may have reached cliche status, but under the hood, it can be powerful, effective technology. Andrew Patel is a researcher at the Artificial Intelligence Center of Excellence at F-Secure, and he and his colleagues have been looking at ways to train up AI systems on the attack side to better prepare our defenses for that inevitable day when the bad actors unleash AI-powered malware on the world. 

Andrew Patel: Artificial intelligence is really being used as a blanket statement right now, mostly for machine learning. So that's the way that when someone talks about artificial intelligence - has done in the last few years, that's what I immediately kind of switch to, is talking about machine learning. I mean, artificial intelligence has a large range of stuff that it represents, all the way from when you talk about games - you know, game AI, like the AI that will play Starcraft against you, if you play against the computer - or all the way up to artificial intelligence as in actual machine intelligence running on a computer. So right now, though, I think that we're - I mean, when I think of artificial intelligence, it's just the default of what people are referring to, which is machine learning. 

Dave Bittner: Well, and for several years now, we've had folks who are selling products that help defend against malware. They've, you know, made hay out of the fact that their products are using AI to help you defend yourself. But I think more and more we're hearing that AI may be being used by the folks who are producing the malware themselves, and that's something that you and your team are tracking. 

Andrew Patel: Well, I mean, I would tell you that if the folks who are making the malware are using machine learning techniques right now, it's most likely for data analysis stuff. But there's no way of us really knowing that, bar getting a hold of their computers that they're using to do this stuff. So there's speculation but no real evidence of that. As far as putting machine learning methodologies into malware, I mean, there have been academic publications which talk about that, but they're really quite academic. And examples like - one being Microsoft that used a neural net to further obfuscate a payload inside an executable, which is basically a technique to make reverse engineering even more difficult. So there's no - as far as I can tell, nobody has been looking at building malware where the logic has been created with machine learning techniques.

Dave Bittner: I see. Now, do you imagine this sort of thing being kind of, you know, self-contained, where it would be using these capabilities within a single system that it had infiltrated or - and/or would it be able to, you know, phone home and say, hey, you know, on this system, here's where we had success. Here's where we had failure. So the next time a system gets infected, it's been able to learn from the experience of previous attempts. 

Andrew Patel: So, I mean, right now, what I envisage is training it sort of offline. You train it on your own infrastructure, and then you would use it as a tool when you arrive on an actual target infrastructure. So it's a tool that allows you to automate some of the steps that you would have had to do manually if you're an attacker. But as far as, like, it learning as a deployed tool, that's something that would be sort of a - more of a futuristic thing, I think. 

Dave Bittner: I see. 

Andrew Patel: So this is - essentially, what we're doing is instead of hand coding the logic to do those steps, we're training it to build that logic. And for very simple scenarios, of course, one can code that logic. But when it gets more complicated, then hand coding that logic becomes really messy and unmaintainable. So this approach might be better for more complicated or more generalized attack scenarios that we want to look at. 

Dave Bittner: And suppose this sort of thing is, you know, unleashed on the world. What sort of adjustments would need to be made to people's defenses? 

Andrew Patel: One of the reasons for doing this would be that a tool like this could execute a series of steps very quickly. So that would be the change I think, that once this sort of thing becomes a reality, then the idea of having a period of time to react to something kind of goes away because the whole attack chain can happen very, very quickly. 

Dave Bittner: So it really allows the attacking system to be both nimble and fast. 

Andrew Patel: Yeah. I would suggest that, like, for the time being, tools like these would be useful against environments which have low security, which have bad security that, for instance, might not be running breach detection solutions or IDS, that might not have their antivirus up to date or proper firewall rules, that would have misconfigurations that could be attacked. So a tool like this would be really useful for an attacker to be able to do more things than they have time in the day to do otherwise because they can just - when they find a system that's at low security, they can just run the tool. When they find a system that's much more hardened, you'll still require a human to figure out how to attack it and how to be stealthy and not get noticed. 

Dave Bittner: That's Andrew Patel from F-Secure. There's a lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro, and sign up for Interview Selects, where you'll get access to this and many more extended interviews. 

Dave Bittner: And joining me once again is Kevin Magee. He is the chief security officer at Microsoft Canada. Kevin, it's always great to have you back. You know, one thing that I know that we all struggle with - and I wanted to check in with you on - is just keeping current, you know, the tools that you use, the resources you use. In the midst of doing your job, how do you make sure that you're up to date? 

Kevin Magee: Thanks for having me back, Dave. And this really is one of the most consistent questions I get asked by colleagues or customers or my students. Just - and even random folks on social media is - and it turns out to be my favorite question to answer is, you know, what have you been reading lately? How do you keep up? The simple answer is, I read everything I can. And the more detailed, you know, the problem, I think the more detailed and more sophisticated the inputs I need to be keeping up on because ultimately a big part of my role as a leader is just keeping up not only with what's happening in the industry but also world events and the threat landscape in general. This can mean everything, you know, from simply, you know, sorting out what matters are happening throughout the day but also what threats are emerging. And the sheer volume of information is just staggering and growing in complexity. So I really need to be very selective of what - you know, what I'm ingesting, what I'm reading, what I'm consuming. And not just what, but, you know, how, when and why really matters as well, too. 

Dave Bittner: Yeah. How do you come at that from a time management point of view? 

Kevin Magee: So I really look at it from three horizons of information I need to be consuming. And I call them now, today and tomorrow. And I know that's not - this is why I'm in security, not in marketing. That's the best I could really... 

Dave Bittner: (Laughter). 

Kevin Magee: ...Come up with for how to segment it. But now is - my tool of choice is sort of Twitter. And if it's in the newspapers, it's already too old. I really need a real-time monitor. So I have a monitor above my workspace. It continuously drips columns of tweets and lists of people, of topics that I follow. And whatever piques my interest, I'll create a new column to track a trend or a subject or an event that's happening in real time. And I can really look at it sort of like I'm watching "The Matrix" and see what's happening out there in real time. I also have a daily approach to my intel, where it's just probably where I invest most of my time. And it really comes down to a number of form factors. But ultimately, it's two categories. One's the news - sort of the traditional news sites, blog posts that everyone reads. The other is a very select group of what I call trusted aggregators or curators that I follow. And for me, it's mostly newsletters and podcasts, you know, where someone whose judgment I trust has provided a summary or list of the most important topics of the day. And some of my favorites are, of course, CyberWire, the podcast and newsletters. Pinkerton Daily Insights is another great one. The World This Week section of The Economist - a great place to find sort of the geopolitical aspects of the day. And it may not be a security source, but it gives me a lot of context that I should be thinking about. Recorded Future Daily - Graham Cluley is - his site's fantastic for what's happening almost in real time, and his "Smashing Security" podcast is great as well, too.

Kevin Magee: But the trick is, really, to find people who are doing the hard work, the research and the deep reading. And then you can also deliver me the best summarized and actionable intel. That's what I'm really looking for in sort of my daily intel intake. 

Dave Bittner: And then beyond that, you know, the stuff that's coming up, the future stuff, how do you ingest that? 

Kevin Magee: Yeah, I think about that as my tomorrow section. So it's not just what interests me but what I need to be mindful of and what topics are going to be of future requirement for my thinking. And those are the ones I really want to spend some time in depth to address, not just my day-to-day challenges but my future plan and strategic thinking. So I'm constantly seeking out recommendations to fill my blind spots in terms of what I should be looking at. And this could be anyone, anything from talking to folks like yourself. I always love to ask, what are you reading? It's places like the Cybersecurity Canon Project set up by Rick Howard, where sort of the greatest minds of our industry are nominating the key books that we should all be reading and also just beyond sort of reading, podcasts, documentaries, seminars, anything where I can sort of expand my overall knowledge base but also really grow myself as a security professional and leader. 

Dave Bittner: From a leadership point of view, how do you dial in the things that you spend your own personal time on and the things that you delegate to the folks that you work with? 

Kevin Magee: I think there's a few answers to that. One would be, you know, the chance to develop the team, to give them interesting challenges to look into and research and see how they approach it. And the great thing about having a very diverse team with lots of different backgrounds and perspectives is - they'll sometimes approach the challenge or the problem or the research of that solution in a much different way than I would. So sometimes casting your net wider and allowing the team to delegate or delegating to the team to solve some of those challenges is really, really enlightening. And I often hear answers or perspectives or different approaches that would have never occurred to me.

Kevin Magee: So some of the larger things that I look into - again, I ask my team. I ask my customers. I ask other folks within the organizations to recommend, you know, where we should be listening to you. And I take a mindfulness approach. I really try not to solution the problem or come up with where I should be going to find out the answer. And I really step back and look at where the data's taking me or where the - my interests are taking me or, you know, where a nagging suspicion in the back of my head is taking me when it comes to a threat or whatnot. And I let that guide, you know, where I do my research. And that's served me well. It's sort of the hacker intuition, I guess, that is really built into the organization, that spirit of curiosity. I let it often guide me in terms of where I research and where I spend a lot of time thinking.

Dave Bittner: All right. Well, Kevin Magee, thanks for joining us. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.