The CyberWire Daily Podcast 8.13.21
Ep 1396 | 8.13.21

Cyberespionage follows South Asian conflict. LockBit’s $50 million demand. Insider risk. Trend Micro warns unpatched Apex is under attack. PrintNightmare persists. Google and Apple on privacy.


Dave Bittner: ReverseRat is back and better, and it's sniffing at Afghanistan. LockBit wants $50 million from Accenture. When employees leave, do they take your data with them? Unpatched Apex One instances are under active attack. PrintNightmare continues to resist patching. Google bans SafeGraph. Apple explains what's up with iCloud privacy. Caleb Barlow wonders if ransomware payments are financing criminal infrastructure in Russia. Our guest is Oliver Rochford from Securonix on the notion of cyberwar. And the SynAck ransomware gang rebrands.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, August 13, 2021. 

Dave Bittner: Lumen's Black Lotus Labs report that ReverseRat, which is, as its name implies, a remote access Trojan, is out in an evolved version that has added functionality such as taking remote photos via webcams and retrieving files on USB devices inserted into the compromised machines. 

Dave Bittner: ReverseRat 2.0 is believed to be operated by a threat actor in Pakistan, and its principal targets have been government and energy organizations in South Asia, especially Afghanistan, but with a smaller number of other attacks observed in India, Iran and Jordan. The ongoing turmoil in Pakistan's neighbor suggests an obvious reason for making collection against Afghanistan a priority. 

Dave Bittner: The present campaign appears to have begun on June 28. ReverseRat 2.0 is currently accompanied by a more evasive version of the preBotHta loader, designed in particular to avoid detection by Kaspersky and Quick Heal security products. 

Dave Bittner: Lotus Labs has also identified another agent, NightFury, that replaced the AllaKore RAT previously used in tandem with earlier versions of ReverseRat. The infection mechanism has usually been a phishing email, baited with a PDF file that misrepresents itself as the agenda for a United Nations meeting on organized crime. 

Dave Bittner: Cyble has found communications from LockBit in which the gang claims to have taken more than six terabytes of data from Accenture and in which they demand $50 million in ransom. LockBit also claims they obtained access from a rogue insider who's still employed by the company. While Cyble notes that LockBit has been advertising for corrupt insiders willing to betray their organizations' trust, the firm thinks that in this case, the gang's claims are unlikely to be true. 

Dave Bittner: Accenture hasn't issued any significant statements about the incident beyond its early reports of having contained it with minimal damage. LockBit has indeed followed through with its threat to release some of the stolen data, but, as SecurityWeek observes, the material released so far at least does not appear particularly sensitive. 

Dave Bittner: Code42's analysis of security trends in the first half of 2021 finds that insider risks are surging during what the firm calls the great resignation, employee churn the current seller's labor market is generating. So people are leaving their place of employment, so what? Well, according to Code42, here's what. When they leave, the company information often leaves with them. This trend in the labor market is reinforced by two other trends - increased data portability and more widespread remote work. 

Dave Bittner: Anonymized telemetry from 700,000 endpoints running Code42 tools in the first half of 2021 have shown a strong correlation between data exposure and employee departure. Code42 notes two other trends that suggest a greater insider risk - more exposure of source code and more data incidents involving removable media like USB drives. Both of these suggest that people within organizations are the source of the exposure. Correlation with employee turnover is unlikely to be a matter of mere accident, so think about off-boarding and take some time to help people understand that proprietary material isn't necessarily their property. 

Dave Bittner: Trend Micro says that it's seen signs of threat actors attempting to exploit two vulnerabilities in the company's Apex One security products. Trend Micro addressed the flaws with patches issued on July 28. 

Dave Bittner: The company has said, quote, "Trend Micro has observed an active attempt of exploitation against two of these vulnerabilities in the wild in a very limited number of instances, and we have been in contact with these customers already. All customers are strongly encouraged to update to the latest versions as soon as possible." 

Dave Bittner: The Windows vulnerability known as PrintNightmare is proving surprisingly resistant to the fixes that have been applied. Microsoft released a warning at midweek after this month's Patch Tuesday which addressed this family of vulnerabilities, saying that a remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights. 

Dave Bittner: There's no new patch yet, although Redmond is working on it. Microsoft says that the workaround for this vulnerability is stopping and disabling the Print Spooler service. And, of course, since the perfect can often be the enemy of the good, users should also apply the fix Microsoft published this Tuesday and not wait for a complete solution to PrintNightmare. Microsoft, we point out in full disclosure, is a CyberWire sponsor. 

Dave Bittner: Two privacy stories of interest come out of Silicon Valley. We'll take Mountain View first and then move on over to Cupertino. 

Dave Bittner: Google has banned SafeGraph, a data location firm, from its ecosystem, which means that developers must remove any of SafeGraph's code from their apps if they wish to continue to distribute their software in Google's store. The move is part of the company's larger effort against location data collection firms that seek to get app developers to include data-harvesting code, the better to collect information for sale to companies and governments. 

Dave Bittner: As Vice reports, quote, "SafeGraph collected at least some of its location data by having app developers embed the company's code or software development kit into their own apps. Those apps would then track the physical location of their users, which SafeGraph would repackage and then sell to other parties. Google confirmed to Motherboard it told app developers in early June they had seven days to remove SafeGraph's SDK from their apps. If they didn't do this, Google told Motherboard the apps may face enforcement. This can mean removal from the Play Store itself," end quote. 

Dave Bittner: And over in Cupertino, Apple continues its attempts to explain why its recent child protection measures don't amount to an abandonment of the company's commitment to privacy. So, they suggest out Cupertino way, that what we have here is a failure to communicate. 

Dave Bittner: In a Wall Street Journal exclusive this morning by reporters Joanna Stern and Tim Higgins, Apple's senior vice president of software engineering, Craig Federighi, explained how the company intended to preserve privacy while enforcing measures against child exploitation. Part of the confusion Federighi attributed to the essential simultaneous announcement of two distinct tools. One of them identifies known - and the emphasis should firmly be on known - explicit images of children uploaded to the iCloud storage service. The other tool gives parents more powerful ways of keeping tabs on the images their children share through text messages. 

Dave Bittner: The simultaneous launch probably led many to conflate the two and to envision them as amounting to a single infusion of privacy-threatening functionality into the Apple ecosystem. Federighi told the Journal, quote, "it's really clear a lot of messages got jumbled pretty badly in terms of how things were understood. We wish that this would've come out a little more clearly for everyone because we feel very positive and strongly about what we're doing," end quote. 

Dave Bittner: Federighi says the new tools don't amount to a digital panopticon. He said people's iCloud storage isn't going to be continuously monitored and rummaged for whatever content Apple might find objectionable. Instead, Apple will be notified when a certain threshold is reached in terms of the number of images uploaded, and only then will it look. The images are specifically identified and appear in a database of known child exploitation pictures. The ultimate guarantor of privacy for the new system, Apple says, will be the multiple levels of audit the company has put in place. So it's not a backdoor and doesn't involve intrusion into a user's device. 


Craig Federighi: I think in no way is this a backdoor. I don't understand. I really don't understand that characterization. Imagine someone scanning images in the cloud. Well, who knows what's being scanned for? In our case, the database is shipped on device. People can see - and it's a single image across all countries. We ship the same software in China with the same database as we ship in America, as we ship in Europe. If someone were to come to Apple, Apple would say no. 

Craig Federighi: But let's say you aren't confident. You don't want to just rely on Apple saying no. You want to be sure that Apple couldn't get away with it if we said yes. Well, that was the bar we set for ourselves in releasing this kind of system. There are multiple levels of auditability. And so we're making sure that you don't have to trust any one entity or even any one country as far as how these images are - what images are part of this process. 

Dave Bittner: And, of course, go to The Wall Street Journal to read and listen to the whole thing. 

Dave Bittner: And finally, there's been another transition in the ransomware subsector of the criminal marketplace. The Record reports that the gang formerly known as SynAck has released decryption keys for ransomware it used between July 2017 and the early part of this year. It's not, however, a sign that the SynAck operators have grown a conscience. They've simply rebranded as E_Cometa (ph), are retiring their old code and are moving on to new ransomware-as-a-service products they hope will enable them to gain a healthy share of the C2C market. Although SynAck is one of the older ransomware gangs out there, they badly lag several of their younger competitors, like that gang formerly known as REvil you may have seen in the news lately. 

Dave Bittner: There's active discussion in cybersecurity over the appropriate use of terms like cyberwar and cyberweapons, when and under what circumstances, if any, these are the right words to use. And if not, then what are better options? Joining me to help unpack this is Oliver Rochford, senior director and security subject matter expert at Securonix. 

Oliver Rochford: So I think there are two definitions of that term, right? There's an international legal definition, which belongs to the realm of policy and actual warfare, which we're definitely not hitting. If you look at the - kind of the statement that was given out today by the U.K., the U.S., the EU, they were very careful to call it systematic cyber sabotage. And that's because how can you have a cyberwar without an actual war? You know, there's been no war declaration. 

Oliver Rochford: And more importantly, this whole issue has been confused just pure and simply by the fact that, of course, there's this mix between civilian and between essentially what's military, government and public infrastructure. And so that's confusing the issue for sure. But if we think in terms of describing offensive actions within the realm of cyber, I think it's an apt term. It's one which we can use. 

Dave Bittner: And where do you suppose things are headed? Where do you suppose - I don't know. Is it possible to imagine a future state of equilibrium here? 

Oliver Rochford: So the future state or the solution to this - it's not going to be technological. In reality, almost every nation-state is a glass cannon. We can successfully attack. We can't successfully defend. The attack surface is mixed civilian and government, and so we can't even defend it sufficiently. Barring some kind of light-year, you know, forward jump in terms of AI - which to be honest, I don't see coming right now; we're improving iteratively - the solution is going to be based on agreements. And that is purely and simply because there's a lot at stake here. 

Oliver Rochford: Right now, it's just a little bit of competitiveness. But going forward, it's about whether we're going to have the same going forward the next 50 years as we've had the last 50 years, where we have been very open about sharing innovation and technology. And I believe that's the biggest thing at stake here, that if we don't agree on solving this outside of the technological sphere, everyone is going to go back into a mode of protectionism and not sharing their IP. 

Dave Bittner: Is there an area here that has you particularly concerned? Is there any area that you feel isn't getting the proper attention it deserves? 

Oliver Rochford: So right now, I think that our attempts to deal with this are unevenly distributed. The weakest link is going to essentially jeopardize everybody. So I'd like to see us share more of these approaches, definitely in Europe with the U.S., I would say worldwide in terms of how we can avoid confrontation. I don't think anyone can win in the long term out of that. This is something where once we stop sharing all of the information, especially if we want AI to work, well, it's about huge amounts of data sharing. Going it alone is probably not going to be a valid way, even for a giant like China. 

Oliver Rochford: I think one thing which is very important to keep in mind with this entire thing around cyberwar is that it's very visible. So what I mean by that is we're reporting on it. There are a whole lot of parties who only have partial information. So I think there's a lot of misinformation in this. I think there's also a lot of exaggeration in terms of what can actually happen. 

Oliver Rochford: At the same time, the true impact of this, I'm not sure if it's being reported on well. We are always looking at these anecdotes and incidents of things which have happened. You know, we're looking at Iran, Israel because, well, that's about the only hot cyberwar we have in the moment. We had Ukraine-Russia, which I think would qualify to a certain degree. But we're always trying to look in the rearview mirror. This is not how it's going to work. 

Oliver Rochford: Right now it's this cat-and-mouse game going on of people building up arsenals, of all parties building up arsenals, all of them laying backdoors, all of them laying logic bombs. And there is no cyberwar independent of kinetic war. The truth is that we're going to see the first cyberwar in the first couple of minutes in the next big kinetic war. And it's just going to be a part of the whole, but it's going to be very decisive. I think that if you can disable the infrastructure of your opponent, you don't need to throw a bomb or shoot a single shot. It's done, isn't it? 

Dave Bittner: That's Oliver Rochford from Securonix. There's a lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews. 

Dave Bittner: And I'm pleased to be joined once again by Caleb Barlow. He is the CEO at CybergisTek. Caleb, we are seeing - I would say it's fair to say - a ramping up of ransomware payments. So... 

Caleb Barlow: I hadn't noticed, Dave. Really? 

Dave Bittner: (Laughter) We had JBS - I think it was $11 million. Colonial Pipeline - legend has it was $5 million. What happens on the other side of this? When that money is being invested on the other side, what's your take on that? 

Caleb Barlow: Well, you know, Dave, I had one of those moments where I was thinking about silly things, and I'm like, what could you do with that kind of money in Moscow? And, you know, this wasn't some in-depth research. But I got to tell you, it's pretty interesting. 

Caleb Barlow: So, you know, take the case of Colonial Pipeline, right? So the Justice Department got $2.3 million back. The thought is that was probably - you know, came back from one of the affiliate payments, is at least the kind of prevailing idea. It's probably the case. But what can you do with a few million dollars in Moscow? Well, I don't know about you, Dave, but if you're kind of a cool bad guy, like, the first thing I'm going to do if I get that kind of haul is buy a car, right? 

Dave Bittner: Yeah, yeah (laughter). 

Caleb Barlow: So, you know, a Lamborghini - if you want the Lambo, Dave - and I think you would look good in a Lambo with the top down. About a quarter... 

Dave Bittner: Yeah, I can't disagree with you there. 

Caleb Barlow: OK. About a quarter million U.S. - if you're more of a Porsche guy, that's more of $100,000 U.S. 

Dave Bittner: Sure, sure. 

Caleb Barlow: And - but in some cases, interestingly enough, the prices for these new cars are actually cheaper than here in the U.S. Now, the second thing we need to do, Dave - we got to throw a party, right? I mean, I'm thinking booze, drugs... 

Dave Bittner: (Laughter) That'd be a blowout party. Yeah, yeah, yeah. 

Caleb Barlow: ...You know, men, women, whatever you're into. You know, let's say that runs - I mean, let's say it's another $100,000, right? I mean, we need a blowout party. 

Dave Bittner: OK. Right, right. 

Caleb Barlow: So we bought the house. Well, we need a house now, right? I mean, where are we going to throw the party? I don't know about you, but I'm not going to rent a place. 

Dave Bittner: No, no. 

Caleb Barlow: We need a fun house. So let's just buy the darned thing. And luxury homes in Moscow aren't actually all that expensive. I think we need a place with a pool. What do you think? 

Dave Bittner: Yeah. Oh, of course. You can't throw a party without a pool. 

Caleb Barlow: So that's another quarter mil. So we've bought the car, the house, the party. But, you know, let's get back to business, Dave. 

Dave Bittner: Yeah. 

Caleb Barlow: You know, I mean, this is a business, right? 

Dave Bittner: Right. 

Caleb Barlow: We can have some fun, but we need more developers and engineers for the next attack. So let's say we spent the $250- on cars because we got you the Lambo, another $250- on a fun house, $100,000 on our party. Well, that's only $600,000. So in the case of JBS, we had $11 million in total. 

Dave Bittner: (Laughter). 

Caleb Barlow: Well, about half of that goes to the affiliate. We kind of know that, right? So we got to pay off the people that helped us get there. 

Dave Bittner: Sure. Fair is fair. 

Caleb Barlow: Fair is fair. So let's just say, to use round numbers, that leaves us with a cool five mil off of this... 

Dave Bittner: OK. 

Caleb Barlow: ...To put in engineers, development needs, future attacks, office space - whatever. Well, you can get a software engineer in Moscow for under $20,000 U.S. a year. But - I don't know about you, Dave, but I'm not hiring average people. Like... 

Dave Bittner: Well, you got to spend money to make money, right, Caleb? I mean, that's - yeah. 

Caleb Barlow: Yeah. And, you know, we want to - I don't know. We want to fund culture, right? So let's just assume we're going to pay them double that. 

Dave Bittner: OK. 

Caleb Barlow: We're going to pay $40,000 U.S. a year. So double the... 

Dave Bittner: Office full of Aeron chairs, pingpong tables, yeah (laughter). 

Caleb Barlow: Oh, got to have Aeron chairs. And we didn't include that in the budget. We may need to add that. 

Dave Bittner: Foosball. 

Caleb Barlow: We need some, you know, snacks, foosball. 

Dave Bittner: Sure. 

Caleb Barlow: So that $5 million funds a team of 125 developers for an entire year. 

Dave Bittner: Wow. 

Caleb Barlow: One attack. 

Dave Bittner: That's a lot of foosball. 

Caleb Barlow: That's a lot of foosball. So the point here, Dave, is when you pay a ransom of that size - and I'm not picking on anybody that's paid a ransom before. But this is the problem. When you pay a ransom of that size, you are literally the series B round venture capitalist for the next attack that's targeting the entire sector, right? You are literally the venture capitalist for the bad guys when you pay a ransom of that size. 

Dave Bittner: OK, so that's the reality. Does that put you on either side of the equation when it comes to paying or not? I mean, it's a tough thing to figure out, right? 

Caleb Barlow: Well, it is a tough thing to figure out. And historically, we've been deferring this risk to cyber insurance. And, you know, we've all gotten drunk on cyber insurance, right? I mean, that market took off like crazy. You and I have talked, actually pretty recently, about how cyber insurance is tightening up. And, you know, they're trying not to pay in some cases. Treasury Department's stepping in and actually blocking some of those payments by sanctioning ransomware operators. So unfortunately, that risk is now coming back on us. 

Caleb Barlow: And I think the real thing that we've got to think about as a society is maybe we need to change the economics for the bad guys and just stop paying the ransoms. It's going to be painful, particularly the first time we do it. But if we stop paying the ransom, we stop the venture capital. You can't hire the 125 developers, buy the Lambo, buy the funhouse or throw the party. All of a sudden, it's not cool anymore. And why do it? 

Dave Bittner: Yeah, yeah, yeah. And there'll be good deals to be had on slightly used Lambos, right? 

Caleb Barlow: There will. 

Dave Bittner: (Laughter). 

Caleb Barlow: And, you know, how cool would that be? 

Dave Bittner: (Laughter) It would be. 

Caleb Barlow: I mean, I can see the used car operator - I can see the used car dealer in Moscow after we banned ransomware payments going, oh, well, you know, these are all - these are great deal. These are all former ransomware operators. We can get you a great deal on a used Lambo. 

Dave Bittner: I think it was Alan Liska from Recorded Future who made the point that if you want to try to track some of these folks down, track the purchases of exotic cars, that there's more than a dotted line between those two things. So I think you're on to something. 

Caleb Barlow: Absolutely, absolutely. So look. I mean, here's the point. This is a little fun... 

Dave Bittner: Yeah. 

Caleb Barlow: ...But the point here is, in all seriousness, what do you think you're funding when you pay a ransom at that size? And is there a better way? And maybe the better way is just to change the answer for everybody and change the economics for the bad guys. 

Dave Bittner: All right. Food for thought. Caleb Barlow, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. 

Dave Bittner: Don't forget to check out this weekend's episode of "Research Saturday" and my conversation with Lee Christensen and Wil Schroeder from SpecterOps. We're discussing their research on abusing Active Directory Certificate Services. That's "Research Saturday." Check it out. 

Dave Bittner: Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.