Public Wi-Fi advice from NSA. South African ports recover from ransomware. Iranian rail incident was a wiper attack. Developments in the criminal-to-criminal market. Intercept vendors under scrutiny.
Dave Bittner: Advice on Wi-Fi security from NSA. South African ports are recovering from their ransomware attack. The attack on Iranian railroads was a wiper, of unknown origin and uncertain purpose. Developments in the criminal-to-criminal market. Israel undertakes an investigation of NSO Group. Josh Ray from Accenture Security on the road back to the office. Our guest is Duncan Godfrey from Auth0 with insights on managing digital identities. And a bad password is revealed on an open mic during an Olympic broadcast.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, July 29, 2021.
Dave Bittner: Just after noon today, NSA issued a Cybersecurity Information Sheet that addressed best practices in securing wireless devices in public settings. Rob Joyce, head of NSA's Cybersecurity Directorate, described the advice as clear, actionable guidance for those working remotely or traveling to use public wireless tech securely.
Dave Bittner: The Information Sheet addresses the obvious issues of public Wi-Fi. If you can avoid using it, avoid using it. But if you must, use a VPN and browse only to HTTPS websites. The Sheet also discusses security awareness for Bluetooth and NFC. NSA recommends not using Bluetooth for sharing credentials and also not accepting pairing requests that you haven't initiated. NFC's short range makes it a bit less risky than other wireless technologies, but you should still turn it off when you don't need it, and keep it away from unknown electronic devices that might automatically initiate communication.
Dave Bittner: And finally, of course, don't leave your devices lying around unsecured and unattended.
Dave Bittner: Reuters reports that South Africa's Ministry of Public Enterprises said yesterday that service is being restored at ports operated by the state-owned logistics organization Transnet. The ports of Durban, Ngqura, Port Elizabeth and Cape Town were all affected. Durban is now fully operational, and Eastern Cape ports are expected to return to normal capacity soon. The condition of force majeure should be lifted within a few days.
Dave Bittner: The nature of the incident seems to be growing clearer. It was a ransomware attack. CrowdStrike sees significant similarities between the artifacts found in the attack on Transnet, particularly in the nature of the ransom demands, and those encountered in earlier ransomware attacks by Death Kitty, also known as Hello Kitty and Five Hands. Death Kitty was observed earlier this year in attacks on CD Projekt and the exploitation of SonicWall. The Death Kitty operators are probably based in Russia, possibly elsewhere in Eastern Europe, and appear to be a criminal as opposed to an espionage operation.
Dave Bittner: The cyberattack that affected rail operations in Iran earlier this month is now believed, the Record reports, to have been a wiper attack as opposed to the ransomware originally suspected. There's no attribution so far, although some political taunting on train station message boards may suggest at least a partial motive - things along the lines of, send your complaints to Supreme Leader Khamenei's office. SentinelOne, which has obtained a copy of the malware and analyzed the attack chain, says it's been unable to associate the attack with any known group.
Dave Bittner: They said, quote, "Behind this outlandish tale of stopped trains and glib trolls, we found the fingerprints of an unfamiliar attacker," end quote. They call the campaign MeteorExpress and think that the wiper deployed - Meteor - was designed to be reused. The attack began with an abuse of Group Policy to distribute a cab file necessary to the attack.
Dave Bittner: The Record quotes Juan Andres Guerrero-Saade, principal threat researcher at SentinelOne, on the mixed quality of this new threat actor's performance. Quote, "The attacker is an intermediate-level player whose different operational components sharply oscillate from clunky and rudimentary to slick and well-developed. We see an adversary that doesn't yet have a handle on their deployment pipeline, using a sample of their malware that contains extensive debug features and burning functionality irrelevant to this particular operation. There's features redundancy between different attack components that suggests an uncoordinated division of responsibilities across teams. And files are dispensed in a clunky, verbose and disorganized manner unbecoming of advanced attackers," end quote.
Dave Bittner: It's worth noting that SentinelOne acknowledged the work of an Iranian firm, Aman Pardaz, which published an early assessment of the incident that SentinelLabs was able to confirm and use in its own analysis.
Dave Bittner: McAfee Labs yesterday published a warning that the Babuk ransomware operators are apparently making good on their promise to develop their attack tools into a genuinely cross-platform threat. Quote, "in recent months, we noticed that several ransomware gangs were experimenting with writing their binaries in the cross-platform language Golang - Go. Our worst fears were confirmed when Babuk announced on an underground forum that it was developing a cross-platform binary aimed at Linux/UNIX or ESXi or VMware systems. Many core backend systems and companies are running these dot-nix operating systems or, in the case of virtualization, think about the ESXi hosting several servers or the virtual desktop environment."
Dave Bittner: Babuk is one of the relative newcomers to the ransomware underworld, but it's already operating an affiliate network that's bothered some high-profile targets. It has, McAfee says, struggled with making its encryption work, which means two things. First, it's likely that Babuk will move toward data theft as its principal mode of extortion. And second, if you are hit by Babuk ransomware, don't count on any decryptor you may actually pay them for working as advertised.
Dave Bittner: Summing up recent discussions and suggesting a possible answer to the question, where did DarkSide and REvil go, anyway? CyberScoop points out that Flashpoint, Mandiant and Recorded Future all see signs that some or all of their operations may have been reconstituted as BlackMatter. Why rebrand and resurface? It's a matter of self-presentation. Russophone dark web fora catering to criminal markets have, in the face of widespread outrage over large-scale ransomware attacks and desiring to stay out of the crosshairs of increasingly impatient international law enforcement agencies, sought to exclude obvious ransomware operations from their platforms.
Dave Bittner: So BlackMatter is coy. As Flashpoint puts it, quote, "BlackMatter does not openly state that they are a ransomware collective operator, which technically doesn't break the rules of the forums, though the language of their post, as well as their goals, clearly indicate that they are a ransomware collective operator," end quote. At least they're not claiming to be Robin Hoods.
Dave Bittner: Where else are the cybercriminal markets moving? Positive Technologies says that initial access brokers - criminals who offer to sell other criminals access to targets - are doing a land office business. Positive Technologies' observations of the criminal-to-criminal market lead them to conclude that about $600,000 of trade and corporate network access is being done each quarter.
Dave Bittner: In Paris for meetings with his French counterpart, Israel's Defense Minister Benny Gantz addressed concerns about NSA Group and its export of intercept technology that the Pegasus Project and others have alleged is being abused by repressive regimes to target journalists, dissidents and others who ought to be outside of the usual scope of legitimate law enforcement or counterterror operations. Gantz said, quote, "Israel is investigating the matter with the utmost seriousness. Israel gives cyber licenses exclusively to countries and exclusively for dealing with terrorism and crime," end quote.
Dave Bittner: Israel's Ministry of Defense yesterday tweeted that representatives from a number of bodies came to NSO today to examine the publications and allegations raised in its case. NSO Group confirmed to Motherboard that they had indeed been visited, that they welcomed the visit, which had been conducted by prior arrangement, and that the company expected any investigation to vindicate them of the allegations surfacing in the Pegasus Project.
Dave Bittner: Other firms are also receiving scrutiny - although not, as far as is publicly known, official scrutiny. Haaretz, which is no friend in general to this particular Israeli business sector, takes a shot at NSO's quieter competitor, Cellebrite. An anonymous essay from a writer whom Haaretz identifies as a former Cellebrite employee says the company, quote, "knowingly sells products and services to users of dubious repute belonging to autocratic regimes," end quote. Sales to China and Belarus stopped only after inquiries by human rights groups exposed the practice.
Dave Bittner: And finally, have you heard about this Olympics thing that's going on - all the stories of triumph and struggle and the international good feeling that sport brings? We have. We've also heard that a broadcaster on an open mic revealed the password for the computer he was using in his broadcast booth. That he would do so on an open mic is, of course, not a good thing, but it happens, and the open mic is one of the inherent risks of live broadcasting. The real scandal is the password those who provided the equipment for the media booth selected. The password, Motherboard reports, was Booth.03 - just the identifier for that particular booth. Better than using Password or 123456789, but only marginally so.
Dave Bittner: The team at Auth0 recently released their "State of Security Identity Report" examining the exponential rise of credential-stuffing attacks, fraudulent registrations and the widespread use of breached credentials. Duncan Godfrey is vice president of security engineering at Auth0, and he joins us with highlights from the report.
Duncan Godfrey: We knew that credential stuffing was a plague on the internet and a plague on our customers, but even I wasn't expecting it to kind of be - we have 16.5% of all login traffic that we see is a credential-stuffing attack. So it was nearly a fifth of all traffic. And on some days, we see it reaching a peak of 40%. So that's when a customer or our platform is kind of coming under intense attack. So that's something that jumped out as very interesting and something that we need to be thinking carefully about.
Duncan Godfrey: So another thing was that roughly 15% of all registration attempts resulted in failure. So that is something that is particular to consumer-facing identity, which is - it's called a sign-up attack. And again, I really wasn't expecting the figure to be that high, and I really don't think it's something that most of our customers were tracking. So now it's something we wanted to focus on because it's - it can really be an indicator that an attack is on the way, once you see an uptick in things like that.
Dave Bittner: What exactly is a sign-on attack?
Duncan Godfrey: So a sign-up attack is - it's when someone will try and create a number of fake accounts in your application. So they're basically trying to overwhelm you to either - in one example, they could be trying to get access to accounts so they can, you know, commit some fraud, but also they could just be trying to slow you down and bring your infrastructure down. So yeah, it's something that everyone should be wary of.
Dave Bittner: Gotcha. Another thing that you all took a look at were multifactor authentication bypass attacks. What was going on there?
Duncan Godfrey: Yeah, MFA was another interesting focus of the report. So MFA has become ubiquitous for most even regular users who are protecting a lot of their online accounts, when they have our authenticator. And it's often protecting high-value accounts. But I think what people don't realize is that it can actually be targeted in MFA bypass attacks. So that's where an attacker will try and capture the authentication factor or the code through phishing or spoofing. So what we saw in the report is that there are some industries that are susceptible to this. So we saw that the tech industry in particular experiences the most MFA brute-force attempts. So that was - we saw that 42% of all these attacks were the technology industry. But also consumer goods industries, financial services, industrial services - they're all susceptible to attacks of this nature.
Dave Bittner: So what were some of the key takeaways here from the information you gathered? What were the lessons learned?
Duncan Godfrey: Really what we wanted to do here is establish a baseline for moving forward. So there is something for anyone who is trying to secure an application on the internet - that they have data, that they have some basic attack type so they can start thinking about how they can secure their application and the types of attacks that they're going to be facing. So we talked about credential-stuffing attacks, brute-force attacks. We talked about sign-up attacks. So that's what everyone should be thinking about, and that's where a technology platform like Auth0 can certainly help, with some of the features we offer. But the main takeaway from the beginning was that, you know, MFA is still a basic and the most effective countermeasure that we should be deploying. So we encourage everyone to be thinking about how they can, in the most frictionless way possible, introduce MFA into their users' login flows to secure those accounts.
Dave Bittner: Was there anything coming out of the data here that was particularly surprising for you and anything that was unexpected?
Duncan Godfrey: So I think, as I mentioned before, it was the sheer volume of attacks. I mean, I think almost - this is something that we've lived and breathed for a period of time, you know? This is what I obsess about. This is what the security team obsesses about. And so being able to share just really that if you're going to put an application on the internet, you should expect that up to a, you know, fifth of the traffic that you're going to receive is going to be malicious traffic and that you should be prepared for that, and you should be prepared for dealing with peaks where you come under sustained and very high-volume attacks that could have a significant impact on you and your business.
Dave Bittner: That's Duncan Godfrey from Auth0.
Dave Bittner: And I'm pleased to be joined once again by Josh Ray. He is a managing director and also global cyber defense lead at Accenture Security. Josh, always great to have you back. You know, you and I were talking before we started recording here about this sort of sense of hope that we share as people are getting vaccinated and even just the spring weather as being nice. And I think that means - for a lot of organizations, they're going to be thinking about people heading back to the office. What are some of your thoughts there?
Josh Ray: Yeah, Dave. You know, it is great to see this kind of sense of hope. And I think if this global pandemic has proved anything, is that cyber-adversaries will exploit any technical or physical circumstance that they can use to further their objectives. And, you know, we saw this early on in the pandemic where, you know, attackers were exploiting organizations that were really in this crisis mode of having to accelerate a massive digital transformation, trying to figure out how to secure a remote workforce and really just the security teams trying to keep pace. But to your point, I think now in the coming months, as some organizations are beginning to journey back to the office, we need to collectively think, I think as a community, how the threat is going to leverage this phase to their advantage.
Dave Bittner: Yeah. I mean, that's an interesting thought. And we have all these devices that have been sort of out there in the wild, and now they're going to be - I don't know - to mix metaphors, they're going to be back inside the castle walls, right?
Josh Ray: Yeah. And, you know, there's that kind of traditional IT security problem. But one of the things that actually our CTI team has been thinking a lot about is really the exploitation around business travel during this transition back to normal operations. And I think that comes in kind of three main areas. One of the things that the team has, you know, done some really in-depth assessments on is the market for compromised traveler data has flourished. And our team believes that this is really going to continue in the form of accounts being targeted based on their higher volumes of frequent flyer miles, so the greater perks and also the higher credit limits.
Josh Ray: And then now, to kind of further complicate this whole notion of how we travel and how we interact at borders and such, since February, our team has seen multiple markets selling this false vaccination records. Similarly, there's a market for forged negative test results as well. So many countries now require this for travel, you know, not only to events, but also back into the country. So I think this is going to further complicate our ability to operate.
Josh Ray: And then threat actors are very much aware of this, you know, rush to implement these contactless mobile apps and the pressure on travelers to use these apps. And since the beginning, you know, we've seen threat actors using pandemic themes in their operations to, you know, deploy spyware and banking Trojans and adware. But this really especially is relevant to those senior business executives that have been continuously targeted by some of those cyber-espionage threat groups. And that's something that especially that - those executives need to be aware of.
Dave Bittner: And what are your recommendations there for folks to best prepare and protect themselves against these sorts of things?
Josh Ray: Yeah. I think that's - right now, I think it's really remaining and focusing on that information that you trust from those travel advice requirements from official government tourism board websites - but, you know, more subtle tradecraft around operational security, carrying only essential corporate devices on travel, ensuring those accounts and devices are secured with multifactor authentication where possible; but also educating staff on staying secure when traveling, you know, so not connecting to open Wi-Fi networks, making sure that they, you know, leverage their VPNs whenever possible, don't install any apps that, you know, are suspect in nature or are not, you know, approved by your corporate folks. So, you know, these are all things that I think are table stakes, but at least will provide you with some level of security and lower your risk of being a target, you know, while you're traveling.
Dave Bittner: Yeah. So it's an interesting thought that, you know, when it comes to traveling, I suppose on a certain level, a lot of folks are going to be just plain rusty.
Josh Ray: Yeah. No, that's exactly right. We're going to probably start to see longer lines in security, too, as, you know, folks that are used to kind of going through security really quick and just, you know, throwing their bags on - but I also - goes probably for their IT hygiene and their security practices and how they operate that way, too.
Dave Bittner: Yeah, yeah. All right. Well, good advice. Josh Ray, thanks for joining us.
Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. Could your company benefit by reaching our large and influential audience? Send us a note at thecyberwire.com/sponsor.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Tre Hester, Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.