The CyberWire Daily Podcast 7.13.21
Ep 1373 | 7.13.21

SolarWinds patches a zero-day. Trickbot is back. Bogus Twitter accounts, now suspended, were verified by the social medium. DarkSide hits Guess. Updates on REvil and Kaseya.

Dave Bittner: SolarWinds addresses a zero-day that was exploited in the wild. A watering hole campaign lures users of online gaming sites. Inauthentic accounts, now suspended, get a blue checkmark. Trickbot is back with new capabilities. The DarkSide hits fashion retailer Guess. Malek Ben Salem from Accenture on remediation of vulnerabilities using AI. Our guest is Jeff Williams from Contrast Security with a look at application security and financial services. And some updates on Kaseya, its customers and the current state of REvil.

Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 13, 2021. 

Dave Bittner: SolarWinds is addressing a zero-day unrelated to last year's widespread SUNBURST exploitation of its services for cyber-espionage, Ars Technica reports. SolarWinds, which credits Microsoft with alerting it to the problem, has issued an update to fix the vulnerability in its file transfer software. The company said, quote, "The vulnerability exists in the latest Serv-U version 15.2.3 HF1 released May 5, 2021, and all prior versions. A threat actor who successfully exploited this vulnerability could run arbitrary code with privileges. An attacker could then install programs, view, change or delete data or run programs on the affected system," end quote. The vulnerability has been exploited in the wild by at least one threat actor, The Record reports, but neither SolarWinds nor Microsoft has said when, where or by whom. 

Dave Bittner: A watering hole campaign affecting some online gambling sites based in China is serving up either Cobalt Strike beacons or the BIOPASS RAT, which Hacker News describes as a hitherto undocumented Python-based backdoor. The sites' support chat pages are infested with lures to induce the unwary to download the malware. Hacker News writes, quote, "The attack involves deceiving gaming website visitors into downloading a malware loader camouflaged as a legitimate installer for popular but deprecated apps such as Adobe Flash Player or Microsoft Silverlight only for the loader to act as a conduit for fetching next-stage payloads," end quote. Trend Micro warned of the campaign in a report issued Friday. 

Dave Bittner: The Daily Dot rounds up tweeted reports about six accounts that received Twitter's coveted blue checkmark but which appear to be bogus. The accounts appeared roughly simultaneously last month, shared many of the same followers - each having about 1,000 - used either stock images or pictures generated by AI as their profile pictures and had done very little actual tweeting. Twitter user Conspirador Norteno, identified as a data scientist interested in disinformation, posted that, quote, "very few of the accounts in this network have tweeted. The majority of the tweet content is spam in Korean sent via automation service promoting a website," end quote. 

Dave Bittner: Twitter has revoked the account checkmarks and suspended the accounts as inauthentic. Quote, "We have now permanently suspended the accounts in question and removed their verified badge under our platform manipulation and spam policy," end quote. Blue-checked accounts have long been coveted by bad actors, but they've typically sought to get access to them by compromising legitimate accounts. Getting such verification for purely bogus, inauthentic accounts is unusual. And Stanford Internet Observatory's Alex Stamos commented that a bribed insider might have served as the conduit for the checkmark. Quote, "You might have a malicious or bribed insider. Something similar happened at Instagram - paid off by scammers, in that case," he tweeted. 

Dave Bittner: Trickbot, the Russophone cybercriminal network heavily involved in ransomware, has returned, The Daily Beast reports. Trickbot and the gang behind it, Wizard Spider, had been disrupted in October of 2020 by U.S. Cyber Command and various industry actors, Microsoft prominent among them. It's now resurfaced with a new virtual network computing module that Bitdefender describes as including new functionalities for monitoring and intelligence gathering. The renewed Trickbot seems involved in creating the Diavol ransomware strain Fortinet described earlier this month. The resurgence is an example of the resilience of criminal organizations, which survived both takedowns and arrests of some key figures. 

Dave Bittner: Whatever restraints Moscow's commitment to legality has placed on ransomware gangs don't appear to have put the DarkSide entirely out of business. It's been disclosed that the gang has hit fashion retailer Guess, ZDNet reports. Guess has been relatively tight-lipped about the incident beyond saying that customer pay card data was not compromised during the February exposure but that other information, notably employee data, was exposed. BleepingComputer notes that Guess hasn't said which group was behind the attack, but the DarkSide had already counted coup by listing the retailer among its victims. 

Dave Bittner: Kaseya has completed addressing the three vulnerabilities REvil exploited at the beginning of the month. Threatpost summarizes the fixes, and IGI places them in perspective. Customers continue what VentureBeat calls their long slog to recovery. The general consensus is that REvil operates with at least the knowledge of and probably with the tacit approval and encouragement of the Russian government. The joint enforcement action the U.S. has requested of Russia has not materialized, GovInfoSecurity notes. Moscow is standing on ceremony as it expresses its commitment to the rule of law, as the Register puts it, with a straight face. But so far there are few, if any, signs of Russian authorities taking action against the gangs that operate with impunity from its territory. 

Dave Bittner: We'll continue to follow developments in operations against REvil, DarkSide and other ransomware gangs, with particular attention paid to Russian enforcement actions, if any such appear, and U.S. retaliation, again, should any such appear. One preliminary report tweeted this morning by Recorded Future's Allan Liska says that REvil's sites have been down since 1 a.m. Eastern Daylight Time, which would be 8 a.m. Moscow time. It is, of course, too early to know what to make of this - whether it's a temporary tactical occultation, whether it's a system failure, whether the gang is absconding, whether Russian authorities have told the gang to chill for a while, whether those same authorities have actually taken action in conformity with their public commitment to the rule of law and the responsibilities of sovereignty, or whether some foreign cyber organization has reached into Russia. All of these are possibilities. Some are more likely than others. 

Dave Bittner: Application security firm Contrast Security recently published their 2021 State of Application Security in Financial Services Report, exploring the strengths and weaknesses in the apps many of us use to manage our personal and professional finances. Jeff Williams is co-founder and chief technology officer at Contrast Security. 

Jeff Williams: Everybody uses applications for just about everything that's important in their lives, and not much is more important than financial institutions. So where you bank, where you store your money, where you get your insurance - all those things use a massive amount of applications. In fact, those companies are some of the largest software development organizations in the world. And so we thought it'd be useful to study them, find out what they think about their application security efforts, where they're weak, where they're strong and publish the results. 

Dave Bittner: Where do financial services organizations stand when it comes to addressing the specific challenges that they face with their application development? 

Jeff Williams: Well, they almost all have a program in place. So they'll have a small team of experts, sometimes a large team of folks. And they use tools. They scan their applications. But I would say most of them, I think, are really sort of more focused on a compliance kind of approach, like enforcing application security rules rather than actually making real progress on securing applications. And so what we found in the study was some, you know, disturbing facts about application security in financials. 

Dave Bittner: Well, take us through some of the things that you explored here. 

Jeff Williams: Well, the big thing that jumps out at me from this study is that when we asked them about whether they've been actually breached through their applications - this is not network breaches. We're not talking about ransomware, email attacks or anything - just through their web applications and web APIs, 98% admitted that they had at least three successful application exploits in the past year. That to me is shocking. And more than half of them, 52%, saw 10 or more successful attacks over the last 12 months. That's a terrifying level of attack. I mean, there's hundreds, thousands of financial institutions out there. And they're all getting attacked at a very high rate successfully. And it's not - it's way more than what you read about in the newspaper for sure. 

Dave Bittner: Can you give us a little perspective on that? I mean, what's the range - when we talk about an attack on one of these organizations, a successful attack, can you give us a range of the spectrum? Are - you know, are we - how serious are they? How concerned should we be? 

Jeff Williams: Yeah, so one thing we asked about was the cost of each of these breaches, and 99% of respondents in organizations with more than 15,000 employees, which is a substantial portion of this survey, put the cost of each attack at more than a million dollars. So when we're talking about, you know, 10 a year, that's a million dollars each time. 

Dave Bittner: Are they seeing this as a cost of doing business to some degree, or how are they coming at this? 

Jeff Williams: Well, you know, I think they all want to do better. They certainly don't want to have successful breaches against them because, you know, any one of these breaches could be much more serious than a million dollars. So, you know, I hope that they haven't resigned themselves to thinking of this as a cost of doing business because it's very preventable. 

Dave Bittner: The organizations that are effective here, who are doing a good job, are there things that you find that they have in common? 

Jeff Williams: Yeah, I think we see well-structured AppSec programs that focus on what matters. They use threat modeling. They've automated as much as possible of application security so that their teams can make code changes, push them into their pipeline, the pipeline does all the security testing, and they're cleared to go into production with a high degree of confidence that what they've written is secure. 

Jeff Williams: Teams that struggle are much more manual oriented. You know, they do pen testing maybe a few times a year. They don't do it on all of their applications. They haven't really standardized their approach on application security. So I think that's one huge thing that teams can do to get better. 

Dave Bittner: That's Jeff Williams from Contrast Security. 

Dave Bittner: And I'm pleased to be joined once again by Malek Ben Salem. She is the technology research director for security at Accenture. 

Dave Bittner: Malek, it's always great to have you back. You know, I wanted to touch base with you on application security. You know, we've seen the recent executive order come down from the presidential administration. I know that's something that you and your team are working on. Specifically, can we touch today on optimizing security scanning? 

Malek Ben Salem: Yeah, sure. Thanks for having me back, Dave. Yeah. With the executive order, I think there have been calls for even more scanning, more application scanning and performing various types of scans - you know, the static application security tests, or SAST, DAST scans, IAST scans, et cetera. But we know that these scans generate loads of findings that developers may not be able to respond to in a timely manner or they may not be able to respond to at all - right? - especially if they are aware of the vulnerabilities that are not that critical. 

Malek Ben Salem: So what I wanted to do is to help these development teams prioritize what they need to respond to, and we do so by, you know, several optimizations. No. 1, we generate exploitability rankings for these vulnerabilities so that the teams respond to the findings that have the highest exploitability. And some of the existing scanning tools do provide that, but we take it to the next level by adding some additional information about the vulnerabilities such as their exploitability over time, their past exploitability. 

Malek Ben Salem: But also, you know, these are scores that are available through the NVD database - right? - through their common vulnerability scoring system. They do provide some of these scores, such as the impact of the vulnerability and its exploitability, but it's based on the likelihood of that vulnerability being exploited. What we add is threat intelligence information about whether that vulnerability has been actually exploited, whether we've seen PoCs - right? - proofs of concept of that vulnerability being exploited and how many of them do we see. We also include information about the vulnerability notability. So if a vulnerability is gaining notability in the media, that means it either has been used or is very likely to be used by malicious actors. 

Malek Ben Salem: By combining all of these scores, we come up with better exploitability for these vulnerabilities that application teams and - application development teams and security teams can use to prioritize which vulnerabilities they need to mitigate or remediate first. 

Dave Bittner: So is part of the notion here that you're providing a lot more context to the information that they're getting? 

Malek Ben Salem: Absolutely, absolutely. And that is key for these teams who are very time-constrained. The second thing we do, actually, is identify any correlated vulnerabilities or, in some cases, any false positives that these scanning tools generate. We have realized that a lot of the vulnerabilities being found are actually false positives that, you know, teams do not necessarily have to respond to. And so we do some triaging to help these teams, and we do that through different techniques. No. 1, we look at duplicates within the same scan - so review the same scan, identify if there are any vulnerabilities that have been reported twice or more. And we remove those so that the teams, you know, respond to fixing the vulnerability just once. We correlate findings between different types of scans. So we take the SAST scan and the DAST scan, and we try to identify if there are vulnerabilities reported in the same scan that are actually the same vulnerability. Again, this would help the team just respond to one - right? - to mitigate just one instead of responding twice to these vulnerabilities reported differently on two different reports. And then the third thing we do - correlation between scans. So what I talked about - between scans in different time windows, right? So earlier I talked about correlating vulnerabilities between the SAST and the DAST scan, and that's at one, you know, snapshot. But, you know, sometimes we can correlate a scan done, let's say, a week ago with a scan that has been done today and look at the correlations between the vulnerabilities between scans and remove any false positives that have been identified in the previous scan so that we don't have to respond to it again or analyze it in the current scan. 

Malek Ben Salem: And what we found out is that we can identify between 50 and 80% of these false positives, and we're able to save about 64% of the security analysts' time as they are reviewing these findings from the scans and other - as they are trying to triage them. And this can be all enabled through artificial intelligence. 

Dave Bittner: Now, that's fascinating, I mean, obviously, you know, nothing is perfect. And I suspect, you know, the AI is not perfect as well. But I mean, is the system constantly feeding back on itself so that, over time, the results that it generates are also improving? 

Malek Ben Salem: Absolutely, absolutely. It is constantly learning, and it's constantly applying or contextualizing information for particular clients because we know that the development environment for one of our clients may be different from another client. So we are optimizing that learning for a client environment. 

Dave Bittner: Yeah, interesting. All right. Well, fascinating stuff. Malek Ben Salem, thanks for joining us. 

Malek Ben Salem: Thank you, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.