The CyberWire Daily Podcast 7.28.21
Ep 1384 | 7.28.21

US ICS Cybersecurity Initiative formalized. Developments in the ransomware world. Addressing known vulnerabilities. Caucasus coinmining crackdown. A long-running IRGC catphishing campaign.


Dave Bittner: The U.S. formally establishes its Industrial Control System Cybersecurity Initiative; shooting wars in cyberspace; developments in the ransomware criminal markets. This week's iOS update may have closed the vulnerability exploited by NSO Group's Pegasus intercept tool. The U.S., U.K. and Australia issued a joint advisory on the most exploited vulnerabilities; Abkhazia's crackdown on coin miners. Joe Carrigan looks at the Mespinoza Ransomware Gang. And meet Marcy Flores, the Robin Sage of Liverpool aerobics.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 28, 2021. 

Dave Bittner: U.S. President Biden this morning issued a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control SystemsNational Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. Among other goals, the memorandum seeks to initiate development of baseline cybersecurity goals that are consistent across all critical infrastructure sectors, as well as a need for security controls for select critical infrastructure that is dependent on control systems. 

Dave Bittner: The memorandum formally establishes the president's industrial control system cybersecurity initiative, a voluntary collaborative effort between the federal government and the critical infrastructure community, to facilitate the deployment of technology and systems that provide threat visibility, indicators, detections and warnings. That initiative began informally with electrical grid and pipeline security efforts. 

Dave Bittner: Would the next big shooting war begin in cyberspace? President Biden said it might well happen just that way. In a speech delivered yesterday during his visit to the Office of the Director of National Intelligence, he said, quote, "I think it's more than likely we're going to end up, if we end up in a war - a real shooting war with a major power - it's going to be as a consequence of a cyber breach of great consequence. And it's increasing exponentially, the capabilities," end quote. Video of President Biden's speech was provided by Reuters. 

Dave Bittner: It's not a surprising speculation. Cyber operations as the opening phase of a war are probably today roughly the equivalent of what calling up reserves and organizing the railroads for mobilization were 125 years ago. 

Dave Bittner: There have been some developments in the criminal-to-criminal ransomware markets. First, REvil may have reconstituted and rebranded itself as BlackMatter, although it's difficult to be sure. Forcepoint has found chatter on the high-tier Russian-language illicit forums XSS and Exploit, which suggests BlackMatter is REvil's successor. BlackMatter registered itself on July 19, and two days later they advertised for people willing to sell access to large corporations in Australia, Canada, the U.K. and the U.S. Recorded Future says that BlackMatter claims to have incorporated the best - in a criminal sense - of both REvil and DarkSide. 

Dave Bittner: REvil announced its occultation on July 13, the same day XSS banned REvil's spokesman from the forum. BlackMatter doesn't openly claim to be either REvil redux or a ransomware operation and so keeps narrowly within the forum terms and conditions. But the wink-and-nod indirectness in their chatter suggests to ForcePoint that that's indeed who the new group may be. 

Dave Bittner: Another ransomware gang that may be the successor of older, notorious groups is Haron, whose emergence is described by S2W Lab. Haron's approach incorporates features of both Thanos and Avvadon. So far, Haron has publicly claimed only one victim. 

Dave Bittner: Cyber intelligence firm KELA this morning released its study of a new Russian-language forum that may, researchers think, become a new home for ransomware-as-a-service operations. Called RAMP, the forum made its appearance this month. It, too, seems to represent an evolution from earlier markets. KELA says, quote, "The forum emerged at the domain that previously hosted the Babuk ransomware data leak site and later the payload.binary leak site," end quote. 

Dave Bittner: RAMP hasn’t been a runaway screaming success, but it’s attracted some interest. Registration is now closed, but will, RAMP says, reopen in mid-August. It may draw criminal operators looking to work around other forum bans on hawking ransomware. As KELA puts it, if the admins can leverage their competitive advantage of welcoming ransomware-as-a-service programs, chances to grow are fairly high. 

Dave Bittner: There's speculation from the Register, 9-to-5 Mac, and others that this week’s iOS fix addressed vulnerabilities exploited by NSO Group's Pegasus spyware. In any case, iPhone users would be well-advised to apply the update. 

Dave Bittner: Zero-days may draw a great deal of attention, but a lot of frequently exploited vulnerabilities could be closed by patching. This morning, a Joint Cybersecurity Advisory was issued by the U.S. Cybersecurity and Infrastructure Security Agency, the Australian Cyber Security Center, the United Kingdom’s National Cyber Security Center and the U.S. Federal Bureau of Investigation. You'll recognize them as the FBI. 

Dave Bittner: The allied services list the top-thirty vulnerabilities and briefly outline the mitigations that can be applied to avoid exploitation. Good digital hygiene can go a long way. As the report says, cyber actors continue to exploit publicly known - and often dated - software vulnerabilities against broad target sets, including public and private sector organizations worldwide. However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system. 

Dave Bittner: Even disputed, partially recognized states struggle with illicit coinmining. Abkhazia, regarded as an independent republic by Russia, Venezuela, Nicaragua, Nauru and Syria, but seen by everyone else as a fractious autonomous region of Georgia, is, as Motherboard reports, conducting almost daily raids to shut down coinmining operations. The raids began in March and have, according to some accounts, taken down almost 1,300 rigs. The miners' offense, fundamentally, is stealing power and stressing the electrical grid. 

Dave Bittner: And finally, Robin Sage, meet Marcella Flores. Iranian operators have for some time engaged in catphishing to socially engineer access to targets in the U.K., Western Europe and North America. Proofpoint today published a report on how the threat actor it tracks as TA456 spent years running a fictitious persona, Marcella Flores, in a campaign designed to install LEMPO malware in the machines of a targeted aerospace contractor. LEMPO, Proofpoint explains, was designed to establish persistence, perform reconnaissance and exfiltrate sensitive information. 

Dave Bittner: The campaign is probably connected to the Islamic Revolutionary Guard Corps through its own contractor, the Iranian company Mahak Rayan Afraz. TA456 is also known as Tortoiseshell and Imperial Kitten. 

Dave Bittner: The approach worked as follows. Marcella Flores - Marcy to the would-be friends the catphish was wooing - would begin with apparently benign emails that included what Proofpoint calls a video to establish rapport and build rapport with the intended victim. Another video was described as benign, but flirtatious, and included a OneDrive link. A second OneDrive link from Marcy represented itself as a diet survey, with slacker leetspeak and sketchy idiomatic control, but a smiling wink emoji. 

Dave Bittner: A pro-tip - this sort of stuff is not the kind of thing that’s normal interchange during professional networking. 

Dave Bittner: We mentioned Robin Sage, and longtime listeners will recall that the fictitious Ms. Sage was a persona created in 2009 by white hats to test the gullibility of organizations in defense and aerospace, both on the government and the industry side. This mother of all catphish was represented as a 25-year-old analyst at the U.S. Navy's NETWARCOM, an MIT graduate with 10 years’ experience in the industry. The name Robin Sage was itself a wink - it’s the name of a U.S. special operations exercise. Some people were put on their guard by the implausible resume, others by their inability to find her through the phone number in her profiles or an MIT alumni directory. And, to their credit, neither the FBI nor the CIA were taken in. But others were. While the winsome but quite nonexistent Ms. Sage romped across the network for two brisk months, she received job offers from some big and sophisticated corporations and lots of dinner invitations. After the gaff was blown, Robin Sage entered the hall of fame of people who don’t exist, right beside Bertrand Russell’s present king of France. 

Dave Bittner: Anyhoo, back to Marcy. Her profile identified her as an aerobics instructor at the Harbour Health Club in Liverpool. She’s probably not the only one used by Iran - catphish, that is, not Liverpudlian aerobics instructors. As Proofpoint concludes, TA456’s dedication to significant social engineering engagement, benign reconnaissance of targets prior to deploying malware and their cross-platform kill chain establish TA456 to be one of the most resourceful Iranian-aligned threats tracked by Proofpoint. The Marcella Flores persona is likely not the only one in use by TA456, making it important for those working within or tangentially to the defense industrial base to be vigilant when engaging with unknown individuals, regardless of whether it is via work or personal accounts. 

Dave Bittner: So, friends, watch out for the company you keep. 

Dave Bittner: Members of Congress have recently been proposing that the Department of Homeland Security should undertake a study on hacking back - the notion that private organizations could go on the offense in response to cyber intrusions. I recently spoke with Anup Ghosh, CEO of Fidelis Cybersecurity, on the "Caveat" podcast, to get his take on hacking back. 

Anup Ghosh: Every serious study I have seen has concluded this is a bad idea, primarily because attribution of attacks is very hard. Also, oftentimes attackers use public infrastructure. And so when you're hacking back, you know, you're more likely hurting someone else other than whom you might intend. And finally, the consequences of escalation can go very badly for victims. So, you know, from a policy perspective, this is a bad idea. And I think anyone who's studied it has reached the same conclusions. 

Dave Bittner: What are the comparisons to, you know, sort of real-world crimes? You know, if someone were to kidnap someone or someone were to, you know, physically restrict access to a space or a business or something like that... 

Anup Ghosh: Sure. 

Dave Bittner: ...You know, there would be real-world reactions there. 

Anup Ghosh: Yeah, I think we do have real-world analogies here that hold up to some extent. So, for example, you know, think about someone breaking into your house, robbing you, and then later you actually find out, you know, or you think you find out who it is, right? Well, you might be tempted to go and try and get back your stuff and maybe cause some pain on that person. We know, you know, first of all, this is illegal. Second, vigilantism typically doesn't end well, right? And so, you know, for these reasons, we do have law. We do have a justice system and law enforcement. And the same holds true in the cyber domain. We might think we know who got at us, but chances are we really don't. And anything we attempt to do against the adversary outside of our own networks could end badly, just like it might in the real world. 

Dave Bittner: It strikes me, too, that, you know, even though we have robust laws for defending your homestead, for example, you know, the castle doctrine - you're still - you're not allowed to have booby traps all around your property. You know, that sort of thing isn't allowed. 

Anup Ghosh: Well, you know, I think you bring up a really interesting point, which is you are allowed to defend your property, right? In many states - what is it? - stand my ground kind of laws, the castle doctrine, as you mentioned. And that actually does create a guide, I think, in the security profession that you are allowed to defend your network, right? And if you do encounter an adversary on your network, you are allowed to engage and counter that adversary. And actually, that's a discussion we should be having, in my mind, is not the hack-back. It's the detect, respond, counter your adversary on your network. And you are allowed to do that by law. So - and there are different levels of detection and response you can take. You know, active defense is something that is getting more fluency now in security circles as a philosophy, as a doctrine, if you will. 

Dave Bittner: Do you suppose there might be a communications gap here? Because, you know, as you and I have been talking about, I think there is that powerful emotional component. And I think sometimes people feel as though they're not being heard, that, you know, they're not seeing a direct and immediate response. And perhaps if there was a way for law enforcement to say, look; we hear you. We see what's going on. You know, we're working on it. And trust us (laughter). You know, things are being done even though they might not seem, you know, evident or immediate. 

Anup Ghosh: Yeah, I don't think you'll really be able to build that trust until we see better results. So, for example, an individual's business or machine being held ransom is not going to get the attention of the FBI, right? But a critical infrastructure that - like Colonial Pipeline, that ends up causing gas lines throughout the East Coast in the summer, that's going to cause a lot of pain for politicians, for the president in particular. And we have seen some stronger words come out recently from the Biden administration that it will hold Russia accountable. And I think that is the right strategy going forward. 

Dave Bittner: That's a Anup Ghosh from Fidelis Cybersecurity. There's a longer version of our conversation over on the "Caveat" podcast. Check it out. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Interesting article caught my eye - this is written by Danny Palmer over at ZDNet. And it is about the ransomware gang Mespinoza, who, you know, we - over on a "Hacking Humans," you and I talk about ransomware a lot. And one of the things we followed is kind of the evolution of ransomware, the ratcheting up of ransomware. Real quick before we dig into this group, you want to just walk us through sort of the, you know, where ransomware began and where we are right now with it? 

Joe Carrigan: Right. Ransomware began as a way of encrypting individuals' files, right? 

Dave Bittner: Yeah. 

Joe Carrigan: They would attack people - they would - you know, home users, anybody they could get their hands on. 

Dave Bittner: Right. 

Joe Carrigan: Then ransomware started being able to spread itself, and that gave the ransomware operators the opportunity to go after larger targets, right? So if I can go into an enterprise now and encrypt all of their computers, then I can demand a larger ransom. And rather than asking Dave Bittner to pay me $200 to decrypt his computer, I can ask Super Corp... 

Dave Bittner: Right (laughter). 

Joe Carrigan: I can ask Super Corp for millions of dollars, and they might pay it. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: So that's a higher rate of return. Eventually, corporations started saying, well, we're just not going to pay the ransom. We have backups. We'll restore from that. It's cheaper. It's faster. It's more ethical. And then the ransomware guys, not wanting to lose their revenue streams, started exfiltrating data. And that exfiltration of data then became a - essentially a data breach. And they would approach the people who they - these enterprises and say, not only have we encrypted your data, but we've also exfiltrated it, and we have it here. And if you don't pay us, you can restore your own data - that's fine - but we're going to publish or sell this other data. 

Dave Bittner: Right. 

Joe Carrigan: We're going to publish or sell what we stole. 

Dave Bittner: Yeah. 

Joe Carrigan: And that's been pretty effective. Well, there's a new tactic from this Mespinoza group that is - they go through the data that they've exfiltrated, and they look for evidence of criminal activity, which they then use to ratchet up the demand for the ransom. 

Dave Bittner: So let's say I'm an organization, and I fear - I've been having interactions with my law firm or my legal team... 

Joe Carrigan: Right. Yep. 

Dave Bittner: ...Or my in-house lawyers. And I'm saying, hey, I think we may have an exposure here. You know, maybe we didn't do things right. Maybe - who knows what it is? 

Joe Carrigan: Right. 

Dave Bittner: But it's a problem, and I don't want anybody to know about it. And there's potential legal problems here. 

Joe Carrigan: Right. 

Dave Bittner: Mespinoza does what? 

Joe Carrigan: They use that as a factor in the double extortion. So I've said often that you should not let the fact that these guys have exfiltrated your data influence the calculus on whether or not you pay the ransom. That's been my advice and my stance. 

Dave Bittner: OK. 

Joe Carrigan: And my reasoning for that is you're dealing with criminals. You really don't have any reason to trust them. 

Dave Bittner: Right. 

Joe Carrigan: There's no - there's actually evidence to the contrary that they're going to keep the data confidential. They're going to publish or sell it anyway, or they're going to come back and demand more money. 

Dave Bittner: Right. 

Joe Carrigan: All that stuff happens. And you've still suffered a data breach. That has still happened. By paying them off and getting them to agree to silence, you have not eradicated a data breach. That has still occurred. But now if they go through the data and they see the evidence of some of illegal activity, now they're going to say, oh, and by the way, not only are we going to disclose this data, but we might also notify law enforcement about this piece of information... 

Dave Bittner: Right. 

Joe Carrigan: ...Whatever it is you found. It's the same tactic, but it's a new angle on that tactic that would make a vulnerable organization much more likely to pay up. 

Dave Bittner: Much more embarrassing and, well, you know, potentially legal implications as well. 

Joe Carrigan: Right. Yeah. Not only now are you dealing with the legal problems of a data breach, but now you're dealing with legal problems of past activity that may or may not have been illegal. And in fact, the information or the activity may not be illegal. It may just be something that you were like, OK, we have to mitigate this - right? - or maybe something you've already taken care of and there's no more concern about it. But you do not want that information becoming public, and you don't want it - certainly don't want law enforcement knowing about it. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? That's just more motivation. 

Dave Bittner: What about ways to take the sting out of data exfiltration? In other words, we hear about folks talking about encrypting all of your data at rest. So is that effective? Is that practical? What do you think? 

Joe Carrigan: It's effective and practical. You just got to make sure that you don't give these guys the access at some point in time 'cause they're still going to go after that. You know, if somebody exfiltrates a bunch of encrypted data, you can tell them, well, go pound sand. You know, the data is encrypted. Good luck finding the keys for it. 

Dave Bittner: Right. 

Joe Carrigan: But if they're smart enough and they're good enough - and this group is - I think Unit42 calls them highly disciplined. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? They're a - they know what they're doing. They're pretty good. And nobody knows where they're operating out of. So that's impressive that nobody knows where they're operating out of, and they've been doing this for over a year. So if they do exfiltrate encrypted data, that kind of mitigates that problem. And then you technically have not suffered a data breach. But these guys - what they're doing is fairly standard. They're getting into enterprise computer systems via remote desktop protocol, or RDP. 

Dave Bittner: Yeah. 

Joe Carrigan: And the article says they don't know if they're using brute force or if they're phishing for credentials. My money is on phishing. I'll bet they're phishing for credentials because that's fairly easy and inexpensive to do. It's not a lot of overhead. 

Dave Bittner: Yeah. 

Joe Carrigan: And it produces pretty good results. 

Dave Bittner: Yeah, pretty effective. 

Joe Carrigan: Right. So once they get in, they also install backdoors of their own making, which is devastating and very hard to get rid of. I mean, you're going to have to go through and do all kinds of scanning of your network in every single endpoint on that network to find everything that they've put in there. 

Dave Bittner: Right, right. 

Joe Carrigan: And these guys are very good at maintaining their presence. So best thing to do to mitigate this is before you suffer the data breach, before you - actually, before you suffer the credential leaking is to implement multifactor authentication on your remote desktop protocol. 

Dave Bittner: Yep, yep. Yeah. And if you're worried about crimes you may have committed, encrypt your conversations. 


Dave Bittner: I guess, maybe we could back up and say don't do crimes (laughter). 

Joe Carrigan: Yeah, yeah, you could do that. 

Dave Bittner: Don't do crimes. All right. Well, Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Tre Hester, Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.