The CyberWire Daily Podcast 7.14.21
Ep 1374 | 7.14.21

Patch notes. What’s happening with REvil remains unclear, but it would be rash to count the gang out.

Transcript

Dave Bittner: SolarWinds patches a zero-day exploited by a Chinese threat group. We got Patch Tuesday notes. What's up with REvil - takedown, retirement, rebranding or glitch? Joe Carrigan from Johns Hopkins University Information Security Institute on cellphone carriers sneaking us ads via SMS. Our guest is Nicko van Someren of Absolute Software with a look at endpoint risk. And those bots like futbol.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 14, 2021. 

Dave Bittner: We begin with a few quick notes on this week's patches. SolarWinds yesterday patched a vulnerability in its Serv-U FTP server that Microsoft discovered. BleepingComputer reports that groups based in China were using the vulnerability to prospect U.S. defense contractors and software companies. The Microsoft Threat Intelligence Center says it has observed DEV-0322 targeting entities in the U.S. Defense Industrial Base Sector and software companies. This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure. 

Dave Bittner: Yesterday was Patch Tuesday. Microsoft's fixes included patches for three zero-days undergoing exploitation in the wild - two Windows kernel privilege escalation issues and one scripting engine memory corruption flaw. CISA released advisories on 21 industrial control system products. And a separate CISA emergency directive also required federal agencies to apply mitigations to Windows Print Spooler vulnerabilities. Those mitigations have been made generally available in Microsoft's July updates, and CISA wants the agencies it oversees to implement them.

Dave Bittner: REvil's disappearance early yesterday morning from its usual online haunts - including its own cynically named Happy Blog - remains unexplained. The New York Times and others note that the vanishing followed a U.S. request that Russia do something about ransomware gangs operating from its territory, but it's unclear what connection that had with the American demarche. 

Dave Bittner: Steve Moore, chief security strategist at security firm Exabeam, wrote to offer some perspective on what may have happened to REvil. Quote, "it would seem that everything is down for REvil - landing page, payment, help desk chat. This outage could be criminal maintenance, planned retirement or, more likely, the result of an offensive response to the criminal enterprise. We don't know. If the outage is the result of an offensive response, then this sends a new message to these groups that they have a limited window in which to work. Furthermore, if a nation responds to criminals backed by and hosted in another country, this will change the definition of risk for affected private organizations. The question becomes who is and isn't ready to participate in this new theater. If a nation engages in offensive hack-back operations, then to what degree should they defend private companies as well, which is arguably more valuable?" 

Dave Bittner: The Washington Post summarizes three likely alternative explanations. First, the Kremlin bent under U.S. pressure and forced REvil to close up shop. Second, U.S. officials tired of waiting for Kremlin cooperation and launched a cyber operation that took REvil offline. And third, REvil's operators were feeling the heat and decided to lay low for a while. 

Dave Bittner: Dmitri Alperovitch, chairman of the Silverado Policy Accelerator and well-known as the co-founder and former CTO of CrowdStrike, tweeted his own three suggestions. One, REvil decided to take a summer break or even rebrand themselves entirely like they did in 2019. Two, they got pressured by the Russian government to go quiet, at least for a bit. And three, with a tip of his virtual hat to DomainTools' Joe Slowik, he suggests their intern screwed up DNS.

Dave Bittner: On that third possibility, Alperovitch and Slowik are surely funnin' (ph), but the possibility of IT problems can't be ruled out entirely. As Recorded Future's Allan Liska told MIT Technology Review, the bulletproof hosting services criminals tend to use are often dodgy and unreliable, and sites do drop on and off. But in this case, that's unlikely since all things REvil took it on the lam simultaneously. Liska said, quote, "ransomware sites are hosted by bulletproof hosting, and they're flaky. They all go up and down. But they never all go up and down at the exact same time." 

Dave Bittner: In his Twitter feed, Alperovitch also commented that REvil's disappearance didn't look either like a U.S. Cyber Command operation or a takedown by non-Russian law enforcement agencies, quote, "given that domains were not fully seized, as would be standard practice," end quote. 

Dave Bittner: REvil's operators may simply be rebranding, as they are generally believed to have done in 2019, when REvil appeared shortly after GandCrab announced that it was disbanding. Perhaps the operators will reform under a new name. If they just watched "Black Widow," maybe they'll pick Red Room as their new name. It's worth noting that pressure by the Russian government is consistent with both retirement and rebranding. Privateers take guidance, after all. 

Dave Bittner: Taken down, on vacation, in custody or just regrouping, the organizations who represent ransomware gangs' potential pool of victims would be unwise to let their guard down. Neil Jones, cyber security evangelist at Egnyte, wrote us to say that, quote, "when malware infrastructure goes offline, even temporarily, that's obviously good news for businesses. However, I would encourage organizations not to let their guards down and to continue with the proven detection and mitigation strategies that have gotten them through the recent ransomware crisis. Realistically, new ransomware infrastructure can be brought online quickly, so we all need to remain vigilant. While it's too early to determine the cause of the sites' outages, continual steps must be taken to thwart ransomware groups, and the public and private sectors must come together at the highest levels to challenge multimillion-dollar cybercriminal gangs," end quote. So criminal infrastructure might be flaky and unreliable, but it's not difficult to stand up. Let the defenders beware. 

Dave Bittner: And finally, Imperva reports that the Euro 2021 tournament was accompanied by a flood of bot traffic across European sports and gambling sites. Italy took the football cup home, by the way, if the bots haven't already told you so. 

Dave Bittner: Nicko van Someren is chief technology officer at Absolute Software, an endpoint security and data risk management firm. Using telemetry data gathered from the more than 13,000 endpoints they have deployed worldwide, they've put together the latest version of their Endpoint Risk Report. 

Nicko Van Someren: Well, of course, it goes without saying that COVID has changed a number of things for a lot of our customers, particularly around the extent to which people are working away from head office. And so, as you might expect, we've seen an increase in the deployment of various of the controls that you would expect as people were sent home, VPN software and the like. But what we also saw was a continuation of a number of trends that we've been seeing for a few years around the time it takes for risks at the endpoints to actually get addressed, around the amount of sensitive data being stored at those endpoints, about the complexity of the sets of security controls that happen at those endpoints. 

Nicko Van Someren: So we've seen trends about the number of vulnerabilities that are existing at the endpoints and how long they go unaddressed. We've seen trends around the amount of sensitive data being stored at those endpoints and generally, about the decay of those controls at the endpoints. As you get increased complexity at the endpoint, you often find that the controls fight with each other. And so you tend to get what we call decay of the security at the endpoint as those increasingly complex endpoints and the sets of tools that you've installed fight with each other and often switch each other off. 

Dave Bittner: Is this a situation with diminishing returns, where too much of a good thing might fight against us? 

Nicko Van Someren: Oh, yes. It's actually not merely diminishing returns, but we actually see that at certain stages, you get a - start to get a negative return. This increased complexity at the endpoint means that not only are you adding more things to manage, but because those clients often fight with each other, we actually see that there's lower levels of compliance for some types of tool when you have other types of tool installed, reaching the point where, you know, as you add more complexity to the endpoint, you actually increase your risk rather than reducing your risk.

Dave Bittner: So in terms of the information that you've gathered here, what are the take-homes? What are the recommendations for organizations going forward? 

Nicko Van Someren: Well, I think that there are two things. And one of the things I only touched lightly on earlier was the level of unaddressed vulnerabilities and the delay in patching. Now, not wanting to sound like a stuck record, but getting faster at patching your systems is a really good thing because we are seeing - we saw a slight improvement over last year. Down to 80 days instead of 95 days was the average length of out-of-dateness (ph) of Windows installations. But we're still seeing 40% of Windows 10 machines having over a thousand known vulnerabilities, which is a staggering number. 

Nicko Van Someren: So we do need to get better at patching, but we also need to make sure that we rationalize the set of endpoint controls to reduce that complexity. I think that moving towards more of a sort of zero-trust model and trying to keep data in highly managed cloud services, rather than allowing the sensitive data to end up on the endpoint, is something that you could do to reduce that endpoint risk. 

Nicko Van Someren: And then we also see that some of the management tools that people expect to rely on themselves need managing. So one of the key things we noticed this year was that SCCM - actually Microsoft now call it, I think, MSCM or something. They changed its name. Anyway, the thing - the endpoint agent formerly known as SCCM - even that built-in tool requires regular maintenance and reinstallation or reconfiguration. We're seeing that within a 90-day period, upwards of a quarter of those endpoints actually need maintenance. 

Nicko Van Someren: So having insights into the state and health of those endpoints and all of the various different controls you install on that is crucial to maintaining your security posture. And you can have the best intentions to roll a set of controls, but if they don't stay in good condition, then you're not getting the value from all of those products that you've purchased. And so being able to have that insight and staying healthy by keeping an eye on everything is crucial to maintaining this posture. 

Dave Bittner: That's Nicko van Someren from Absolute Software. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: A Twitter thread came by that caught my eye and really hits on some of the things that you and I talk about a lot over on "Hacking Humans." 

Joe Carrigan: Yes. 

Dave Bittner: This is from a gentleman named Chris Lacy. He's @chrismlacy on Twitter. Evidently, a developer - I believe he's from Australia, seems to be - develops a product called Action Launcher for Android. And Chris posted this thread. He said, I just received a two-factor authentication SMS from Google that included an ad. Google's own Messages SMS app flagged it as spam. And he says, what a shameful money grab. And he had a screen capture here. And it says - it has, here is your Google verification code, right? The kind of thing... 

Joe Carrigan: It starts with a G, just like you'd expect. 

Dave Bittner: Anything, yeah, you'd expect from Google. And then there's an ad. It says, keep the hackers at bay. Get a VPN today. And it has a link. 

Joe Carrigan: Yeah. 

Dave Bittner: So Chris goes down the path of wondering, who put this ad on my SMS verification message? Was it Google? And some Googlers chimed in and said, no, it wasn't us. 

Joe Carrigan: Right. 

Dave Bittner: We don't do that. 

Joe Carrigan: In fact, they were also very happy that their messenger app flagged it as spam. 

Dave Bittner: Right. Right (laughter). 

Joe Carrigan: They were pleased to see that part of the app was working. 

Dave Bittner: Right. Right. But it turns out that whoever Chris' provider is, the carrier... 

Joe Carrigan: Right. 

Dave Bittner: ...Was appending his SMS verification message with an ad. 

Joe Carrigan: Right. 

Dave Bittner: Now, the fact that this ad is - seems to be associated with security... 

Joe Carrigan: Right. 

Dave Bittner: ...Makes me think that in some way they're analyzing the content of the SMS message that he got. 

Joe Carrigan: Or they could be analyzing the sending number of the SMS message, right? 

Dave Bittner: Yeah, absolutely. 

Joe Carrigan: Say this is the number that Google uses to send their multifactor authentication codes out. 

Dave Bittner: Absolutely. 

Joe Carrigan: Any time you see that, just add this to the - and put an ad at the end of the text message. 

Dave Bittner: Yeah. So I'm going to go out on a limb - let me tell you how I feel. 

Joe Carrigan: OK. 

Dave Bittner: And then I want to get your take on this. 

Joe Carrigan: (Laughter) I think everybody knows what my take is. 

(LAUGHTER) 

Dave Bittner: I think I'm with Chris here that this stinks to high heaven. 

Joe Carrigan: Yeah. 

Dave Bittner: (Laughter). 

Joe Carrigan: It does stink to high heaven. 

Dave Bittner: OK, what do you think about this, Joe? 

Joe Carrigan: I'm with you and Chris. And I'm thinking somebody at whatever government level should be looking into this. 

Dave Bittner: Yeah. 

Joe Carrigan: Because - you know, and SMS, you pay for that service, right? 

Dave Bittner: Right. 

Joe Carrigan: First off, that's one of the things I object to. This is a service I pay for. 

Dave Bittner: Yeah. 

Joe Carrigan: Do you remember years ago when we used to have to pay per message? 

Dave Bittner: Yes. 

Joe Carrigan: Right? 

Dave Bittner: Yes. 

Joe Carrigan: Ten cents per message for... 

Dave Bittner: Right. 

Joe Carrigan: ...What was essentially just a, you know, a milliseconds-long use of the network. We had to pay 10 cents. Now we don't have to do that anymore... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Because the market forces have made it unlimited texting. 

Dave Bittner: Right. 

Joe Carrigan: But there are still - this carrier's still trying to capitalize on getting a text message by selling ads on a text message that Chris pays for. 

Dave Bittner: Right. 

Joe Carrigan: That in and of itself infuriates me. 

Dave Bittner: Yeah. 

Joe Carrigan: The second thing I don't like about this is - what kind of vetting process do you do for these ads? Do you just sell them to anybody? 

Dave Bittner: Right. 

Joe Carrigan: Right? 

Dave Bittner: Right. Who knows where that link goes? There's a link there. 

Joe Carrigan: Right. That's a shortened link, right? 

Dave Bittner: Yeah. Yeah.

Joe Carrigan: With an mr5.co with some - that is obviously some shortened link... 

Dave Bittner: Right. 

Joe Carrigan: ...Or link-shortening service that... 

Dave Bittner: Yeah. 

Joe Carrigan: ...You don't know where that goes. 

Dave Bittner: No. 

Joe Carrigan: What due diligence is the carrier doing here? 

Dave Bittner: Yeah. 

Joe Carrigan: I want to know that. Second off, should the carrier even be doing this? Should there be some kind of regulation that says you cannot interfere with this in any way? 

Dave Bittner: Right, right. No, I - here's the other thing that gets me about this - is that this can erode your trust... 

Joe Carrigan: Right. 

Dave Bittner: ...In your verification process. 

Joe Carrigan: Absolutely. 

Dave Bittner: Right? 

Joe Carrigan: Absolutely. 

Dave Bittner: And so on the one hand, that's terrible. I suppose if there is an upside to that, maybe we should be eroding trust in SMS as a multifactor authentication method, right (laughter)? 

Joe Carrigan: Yeah, it's not the best multifactor authentication method, actually. And Chris talks about that. He says, to address the most common comments... 

Dave Bittner: Yeah. 

Joe Carrigan: ...One, I'm aware SMS is unencrypted and a poor choice for multifactor authentication. 

Dave Bittner: Right. Yeah, he seems sort of exasperated by that. Yeah, ugh (laughter). 

Joe Carrigan: Right, because I know thousands of people went, you shouldn't be using... 

Dave Bittner: Right. 

Joe Carrigan: ...SMS for your two-factor, right? 

Dave Bittner: Right, right. 

Joe Carrigan: And he says it's an older account. He was just logging into it again. 

Dave Bittner: Yeah. 

Joe Carrigan: I'm sure he now has gotten it set up with some kind of YubiKey or something...

Dave Bittner: Right. 

Joe Carrigan: ...To help him secure this, but - or some universal two-factor device. 

Dave Bittner: Yeah. 

Joe Carrigan: It's - he doesn't - he does say he's not going to tell you who his carrier is for security reasons, which I think is probably wise. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: I'd like to know who it is, but I'm not going to ask him... 

Dave Bittner: Right (laughter). 

Joe Carrigan: ...Because I think his concern is valid. 

Dave Bittner: Yeah. Well, I'll tell you, if this were my carrier, they wouldn't be my carrier for long (laughter). 

Joe Carrigan: Right. They'd be receiving a phone call from me... 

Dave Bittner: Right, right. 

Joe Carrigan: ...Very quickly. 

Dave Bittner: Right. 

Joe Carrigan: One of the final things comes from Mark Risher, who apparently works at Google. 

Dave Bittner: Yeah. 

Joe Carrigan: And it says, to close the loop, these are not Google ads, and we do not condone this practice. 

Dave Bittner: Yeah. 

Joe Carrigan: We are working with wireless carriers to understand why this happened and to ensure that it doesn't happen again. 

Dave Bittner: Yeah, yeah. All right, well, you know, you can see why this got my dander up, right (laughter)? 

Joe Carrigan: Yeah. Yeah, it irritates me, Dave. 

Dave Bittner: Yeah, yeah. I appreciate Chris sharing it here. I think this is good information to know that this sort of thing is out there. 

Joe Carrigan: Agreed. 

Dave Bittner: And, boy, the carriers - I agree with you. When I rule the world (laughter)... 

Joe Carrigan: Right. 

Dave Bittner: ...There won't be this kind of thing, Joe. Let me tell you. 

Joe Carrigan: The hammer of justice will come down upon these carriers. 

Dave Bittner: That's right. That's right. All right. Well, Joe Carrigan, thanks for joining us. 

Joe Carrigan: It was my pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.