Apparent ransomware disrupts Italian vaccine scheduling system. Cyberespionage compromised Southeast Asian telcos. RAT and phishing in the wild. Cybercriminals explain themselves.
Dave Bittner: An apparent ransomware attack hits Italy's online vaccine-scheduling service. A Chinese cyber-espionage campaign hit Southeast Asian telcos en route to high-value targets. Some strategic context for Beijing's espionage. FatalRAT is spreading by Telegram. Crafty phishing spoofs SharePoint. Joe Carrigan has thoughts on HP's latest "Threat Insights Report." Our guest is Marc Gaffan of Hysolate, who reveals the enterprise security paradox. Plus, conversations with BlackMatter and a look at the inside of ransomware negotiations.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, August 3, 2021.
Dave Bittner: A cyberattack on Sunday took down COVID-19 scheduling capabilities in the Italian region of Lazio. CNN reports that local authorities say they'd received a general, nonspecific ransom demand. Accounts are confusing, but it appears that the incident was a ransomware attack. Sources told CNN that the attackers used a cryptolocker malware that encrypted the data on the system. But that's not necessarily CryptoLocker with a capital C, and the story is still developing.
Dave Bittner: ZDNet says that officials describe the attack as both of a criminal nature and terrorism, which aren't, of course, strictly speaking, mutually exclusive. Italian authorities have offered assurances that those who've already scheduled their vaccination should expect to be able to receive it on schedule.
Dave Bittner: Criminal willingness to hit health care administration systems should be borne in mind when evaluating the pious and high-minded Robin Hoodisms of the promised restraint so many of these gangs are offering nowadays. We'll return to this later.
Dave Bittner: Security firm Cybereason this morning described a major cyber-espionage campaign against Southeast Asian telecommunications providers in five unnamed countries. The researchers identified three clusters of activity run by Soft Cell, Naikon and, possibly, Emissary Panda.
Dave Bittner: Cybereason says, quote, "based on our analysis, we assess that the goal of the attackers behind these intrusions was to gain and maintain continuous access to telecommunications providers and to facilitate cyber-espionage by collecting sensitive information, compromising high-profile business assets such as the billing servers that contain call detail record data, as well as key network components such as domain controllers, web servers and Microsoft Exchange servers."
Dave Bittner: A quick disclaimer - Microsoft is a sponsor of the CyberWire.
Dave Bittner: Compromising the telecommunications firms was a means to an end and not an end in itself. The operators exploited Microsoft Exchange vulnerabilities against telcos with a view to facilitating espionage against other high-value targets. Quote, "these targets are likely to include corporations, political figures, government officials, law enforcement agencies, political activists and dissident factions of interest to the Chinese government," end quote.
Dave Bittner: The approach, the tactics, techniques and procedures employed resembled the operation the Chinese government-sponsored threat group Hafnium used in an operation Microsoft and the U.S. government called out earlier this year.
Dave Bittner: A webinar this morning hosted by Recorded Future's Record featured a conversation with one of the company's Insikt Group researchers who specializes in China. In addition to pointing out the value of open-source intelligence, the conversation was interesting for the perspective it offered on the national strategy which China's espionage programs serve.
Dave Bittner: The Chinese Communist Party exhibits an affinity for progressive, authoritarian regimes - Venezuela presenting a Western Hemispheric example. Furtherance of economic and political dominance are the overarching goals, and these play out in what the Insikt Group characterized as colonialist ways. Countering that national strategy would require effective Western competition, and that competition will have to offer value. Simply offering better security won't cut it. Price tends to trump security, especially in the developing world.
Dave Bittner: The discussion also offered some interesting perspective on what counts as smart city technology, from the point of view of both Beijing and its customers, especially customers in Africa. If you thought it meant efficient management of power grids, energy consumption in buildings, nicely synchronized traffic lights - as we admit, we more or less did - well, you thought wrong.
Dave Bittner: Smart city technology means automated street surveillance with facial recognition, comprehensive interception of communications traffic and censorship tech. These are attractive to authoritarian governments of all stripes, including, inter alia, the progressive authoritarians the Chinese Communist Party finds simpatico. And best of all in the customers' eyes, all that technology of social control has been proven in China itself.
Dave Bittner: AT&T Alien Labs has published a report on FatalRAT, which, as its name suggests, is a remote access Trojan. FatalRAT has recently spread through Telegram. Its capabilities include evasion, system persistence, keylogging, collection of system information and exfiltrating data via encrypted command-and-control channels. Alien Labs says it's collected a range of FatalRAT samples over the last few months. Activity dipped a bit during July, but the researchers don't intend to relax their vigilance yet.
Dave Bittner: Microsoft warns of an unusually crafty phishing campaign currently in progress. The emails use legitimate-looking original-sender email addresses, spoofed display-sender addresses that contain the target usernames and domains and display names that mimic legitimate services to try and slip through email filters.
Dave Bittner: ZDNet reports that, quote, "the phishing group is using Microsoft SharePoint in the display name to entice victims to click the link. The email poses as a file share request to access bogus staff reports, bonuses, price books and other content hosted in a supposed Excel spreadsheet. It also contains a link that navigates to the phishing page and plenty of Microsoft branding," end quote.
Dave Bittner: Security firm Recorded Future talked with someone claiming to represent BlackMatter, the presumptive ransomware successor to REvil and DarkSide. The BlackMatter spokesperson represents his gang as having learned from REvil, DarkSide and, for that matter, LockBit but doesn't claim to be any or all of these groups rebranded or reconstituted. It's just a matter of learning from the best, says they.
Dave Bittner: BlackMatter attributes its predecessors' occultation to the geopolitical situation. Quote, "yes, we believe that to a large extent their exit from the market was associated with the geopolitical situation on the world stage. First of all, this is the fear of the United States and its planning of offensive cyber operations, as well as a bilateral working group on cyber extortion. We are monitoring the political situation, as well as receiving information from other sources. When designing our infrastructure, we took into account all these factors, and we can say that we can withstand the offensive cybercapabilities of the United States. For how long? Time will tell. For now, we are focusing on long-term work. We also moderate the targets and will not allow our project to be used to encrypt critical infrastructure, which will attract unwanted attention to us," end quote.
Dave Bittner: The gang is hiring. They want only experienced, capable coders. Script kiddies need not apply. They also say it's fairly easy to set up an affiliate program.
Dave Bittner: So why do they do what they do? They are just hardworking patriots and family men. Their rep said, quote, "we believe in our motherland, we love our families, and we earn money for our children," end quote. They don't deny that their business is destructive, but at least it's a creative destruction. Quote, "if we look deeper, as a result of these problems, new technologies are developed and created. If everything was good everywhere, there would be no room for new development," end quote.
Dave Bittner: In extenuation and mitigation, the spokesperson claims that the gang doesn't harm individuals, only companies that can afford to pay and have the ability to restore their data. At least they don't go full Robin Hood. Their restraint is a matter of calculated ROI and marketing, especially marketing designed to keep them out of law enforcement's crosshairs.
Dave Bittner: Bear in mind that these are reports of criminals, not generally truth-tellers. The Daily Beast has an interesting account of some negotiations between ransomware gangs and their victims. If you've wondered, as we have, why you should credit a gang's assurances that they'll delete the data they stole from you, apparently the answer rests on the hope that self-interest will move the gang to do so.
Dave Bittner: FireEye's Dave Wong told The Daily Beast, quote, "I think the reality is nobody trusts a criminal. But what you're trusting is their greed and that if an organization like Conti expects people to pay them in the future, they're going to follow through with what they said they're going to do. But it still makes you nervous," end quote. It certainly would.
Dave Bittner: Marc Gaffan is CEO at Hysolate, a provider of isolated virtual environment workspace technology. His team recently published research outlining what they describe as the enterprise security paradox - the notion that enterprise leaders want both an increase in IT freedom and more IT restrictions placed on employees.
Marc Gaffan: The main thing that stood out to us is the - this paradox. Essentially, when we interviewed both IT and security professionals, 87% of the audience essentially said to us that they need to increase IT freedom for employees working from anywhere. So almost 9 out of 10 IT or security professionals believe that more freedom is required. But on the flip side of that, 79% told us that they also need more IT restrictions to be imposed on employees, which essentially are contradicting metrics.
Marc Gaffan: What was even more important - or not more important, but the - this dissonance was even more pronounced within the security community. So we interviewed both IT folks and security folks. Within the security segment, it was even more pronounced; 96% of security professionals said to us that we need to increase employee IT freedom, and 90% of them told us that we need to also impose more restrictions, which is really trying to eat your cake and have it, too.
Dave Bittner: So what do you take away from this? I mean, how do we solve the tension that we see here in these survey results?
Marc Gaffan: So that's a very good question. The - obviously, this is quite a paradox, or dissonance, and the way we've been able to essentially resolve it is - you know, this is essentially the holy grail from a security perspective. You know, security professionals are typically the ones in an organization that are imposing more hurdles or restricting employees from doing certain things. Security is an unnecessary evil, but it's required. It's required today more than ever. And at the end of the day, many employees in an organization are feeling some of the pains of the security restrictions.
Marc Gaffan: I mean, security is a challenge everywhere. You know, we've changed our model of employment to an extent that so many people are working now remotely. Everyone's concerned about levels of productivity. It's definitely, you know, under a magnifying glass. And therefore, the question about how much is IT inhibiting productivity is definitely a significant question that lots of security and IT guys are trying to address these days.
Dave Bittner: And so what are your recommendations for folks who are trying to strike the right balance here?
Marc Gaffan: Yeah, so there's different approaches that organizations can take. And I think one of the biggest challenges that we're facing is the fact that we're using one device today, so typically our laptop, to do different types of activities. We use the same device to browse the web, potentially to do even some personal browsing. We use the same device to open up emails, to access corporate systems. Some of these could be sensitive systems. These could have access to sensitive data. We're mixing essentially a very broad bag or a mixed bag of activities in the same environment.
Marc Gaffan: What typically you would like to do is compartmentalize the environments you have on your PC into different areas. And you can say from this area on your PC, from this isolated environment on your PC, this is where you touch all the most sensitive tasks. These could be productions environments in an IT - you know, at an IT shop. This could be the financial systems in a bank. These could be the sensitive data rooms in a financial institution or in a law firm or in a - in an accounting company.
Marc Gaffan: And you use another environment or another zone or operating system on your device to do the other things, the more riskier things like browse the web and maybe open up email attachments - essentially splitting up your device into multiple components in which you can optimize the security and the functionality in each of those environments and really strike the right balance between, A, giving people what they need in terms of capabilities so that they can do all the things that they do, but on the other hand, they're not compromising security because they're doing the right types of activities in the right types of environments with the right, appropriate - or the appropriate security measures in each of those areas on their endpoint.
Marc Gaffan: You know, I think one thing that's - that we're seeing as well is the amount of frustration that's building within, you know, within large enterprises around the challenges that the - that employees are seeing. And I think that one of the agendas now within, you know, CIOs and even CISOs - the security chiefs - is how do we alleviate some of that frustration?
Dave Bittner: That's Marc Gaffan from Hysolate.
Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: Interesting report came from the folks over at HP.
Joe Carrigan: Yep.
Dave Bittner: It was their latest version of their "Threat Insights Report." And there's some pretty remarkable stuff in here. What - let's go through this together, Joe.
Joe Carrigan: Right. Well, a lot of bullet points in here that are worth noting. First, and the biggest one, is cybercriminal collaboration is opening the door to bigger attacks against victims. What they're talking about here is there is a lot more collaboration between these groups of actors, and some of these organized crime organizations are becoming much more powerful, and they are more readily affiliating themselves with low-level actors. So what that's doing is it's raising the threat level for everybody. So now these low-level actors have tools that are really sophisticated thanks to these criminal organizations.
Dave Bittner: So the organized crime is getting even more organized, yeah.
Joe Carrigan: Right, and growing. I mean, it's not anything we wouldn't expect, but it is happening, and that's important to note.
Joe Carrigan: There's one thing that says information stealers are actually being used to deliver more malware. So once you have a backdoor inside of somebody's system, people are selling that access. And then other people are - once they buy that access - are installing more bad stuff on your network.
Dave Bittner: So the volume of stuff they're putting on a system when they have the opportunity is going up.
Joe Carrigan: Yeah, absolutely. And there's more people with that opportunity. Once you're compromised, it looks like, you're compromised multiple times.
Dave Bittner: OK.
Joe Carrigan: It's a bad situation.
Joe Carrigan: There is a VBS campaign - Visual Basic Script - that is targeting business executives. So it's a multiphase campaign that uses malicious zip attachments named after the executives it's targeting. And it employs a stealthy downloader before using legitimate sysadmin tools to just live off the land.
Joe Carrigan: And then the final thing in the notable threats section is that there's this resume-themed attack that makes use of an old Microsoft exploit or vulnerability that's out there. People are sending in resumes to HR departments, and these malicious documents - these resumes are malicious, and they're installing a remote access Trojan to gain backdoor access to the affected computers.
Dave Bittner: Yeah. One of the things that caught my eye was they pointed out when it comes to email phishing lures that phishing lures mentioning COVID-19 made up less than 1%, dropping by 77% from the end...
Joe Carrigan: Right.
Dave Bittner: ...Of 2020 to 2021.
Joe Carrigan: Well, we're not thinking about COVID-19 anymore, Dave. That's - that's why. It's not top of mind.
Dave Bittner: We've moved on to the next big thing.
Joe Carrigan: Right, exactly.
Dave Bittner: Yeah.
Joe Carrigan: And right now they're focusing on business transactions, which is - you can read this as business as usual, right? Rest assured, when the next crisis happens, those will become the key phishing lures, whatever it is.
Joe Carrigan: Other interesting stats are that 75% of malware that HP detected was delivered via email and the other 25% via some internet download. I think it's interesting that 75% is delivered via email. I don't know how you motivate people to go to the web browsers. They really don't - to get the download. But I imagine a good portion of that is also email. But there's also other - you know, there's a myriad of ways you can convince people to go to a website.
Dave Bittner: Right.
Joe Carrigan: And I don't know how if - or if HP tracked that during this study. But it's amazing to me that 75% of malware is still coming through email.
Dave Bittner: Yeah.
Joe Carrigan: And it's also - email's terrible. We need a new solution.
Dave Bittner: (Laughter) Well it works, right? They use email 'cause it works.
Joe Carrigan: Right, exactly.
Dave Bittner: Yeah.
Joe Carrigan: And we use it because it works.
Dave Bittner: Yeah.
Joe Carrigan: The most common types of malicious attachments that are sent - archived files - about 29%, and then spreadsheets and documents, followed by executable files at 19%. Unusual archive types, such as JAR files, which is a Java archive file, are being used to avoid scanning tools. So...
Dave Bittner: Interesting. I suppose one of the things with making use of unusual archive file types...
Joe Carrigan: Right.
Dave Bittner: ...Is that, even for some of these legacy types, that the utilities that open them...
Joe Carrigan: Right.
Dave Bittner: ...Have the utility to do that. They - for convenience, they will open the old stuff.
Joe Carrigan: Yep.
Dave Bittner: Right? Even if they're not top of mind for the scanning tools.
Joe Carrigan: Let me help you with that (laughter).
Dave Bittner: Yeah, right. Exactly. Wow.
Joe Carrigan: Here's an interesting statistic. This report states that 34% of the malware captured in the first half of 2021 was new malware, previously unknown. And that's a small drop from last year, but - or the second half of last year. But what that says is that about every six months, one-third of the malicious software is new. There's a constant rotation of this stuff, and it is being developed all the time.
Dave Bittner: Yeah, yeah. A real churn there.
Joe Carrigan: Yep.
Dave Bittner: All right. Well, it's an interesting report. Again, this is from HP's Wolf Security team. It's their "Threat Insights Report." Joe Carrigan, thanks for joining us.
Joe Carrigan: It's my pleasure.
Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. Find out more about sponsoring our programs at thecyberwire.com/sponsor.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Tre Hester, Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.