The CyberWire Daily Podcast 8.17.21
Ep 1398 | 8.17.21

Consequence of the Taliban victory for influence operations and information security. Privateering gangs described. Data exposures, data compromises.


Dave Bittner: Al-Qaida online sources cheer the Taliban's ascendancy. The new rulers of Afghanistan are likely to have acquired a good deal of sensitive data, along with political rule and a quantity of U.S.-supplied military equipment. Terrorist watchlist data were found in an exposed server - now taken offline. Connections between gangland and Russian intelligence. T-Mobile was hacked, but it's unclear what, if any, data were compromised. Joe Carrigan on FlyTrap Android Malware compromising thousands of Facebook accounts. Our guest is Liam O'Murchu from Symantec on what keeps him up at night. And some personal information was exposed in the Colonial Pipeline incident.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, August 17, 2021. 

Dave Bittner: As has been widely foreseen, the Taliban victory in Afghanistan has been generally celebrated in extreme Islamist quarters of the internet. The Wall Street Journal has an overview of the relevant activity in social media. The faithful remnant of al-Qaida, an ally the Taliban never repudiated and a terrorist group that's much diminished, has been particularly prominent in hailing the Taliban conquest of the country, seeing in the fall of Kabul a vindication of their patient endurance. In this case, the inspiration may be at least as important as the prospect of regaining a territorial safe haven. 

Dave Bittner: The sad, immediate and forthcoming human toll of the Taliban's success has rightly dominated coverage of the news from that country. But it's worth mentioning another secondary risk - the threat to sensitive data the events present. CNN reported that on Friday, the U.S. Embassy in Kabul, anticipating trouble, instructed diplomatic staff in the country to destroy sensitive material and anything which could be misused in propaganda efforts. The Washington Post observes that the U.S. probably removed, rendered inaccessible in secure clouds or simply destroyed data it held as its forces withdrew. Emergency destruction can take many forms, including consumption by fire. And government offices, particularly those in the departments of State and Defense, have long given thought to how to dispose of sensitive material quickly. But it can be difficult to destroy all the sensitive data, and it seems almost inevitable that some material will have been overlooked or lost. That's to say nothing of the large amounts of information the U.S. shared with the now-deposed Afghan government. These are now, for the most part, almost certainly in Taliban hands, along with quantities of military equipment also seized in the general collapse. 

Dave Bittner: We mentioned the Post's note that the U.S. held a great deal of its data in cloud as opposed to local storage. And while that would seem to provide a margin of security during an evacuation, the cloud can also be leaky. An unrelated incident shows how not all sensitive data governments hold in clouds are held securely. On July 19, researcher Bob Diachenko found an FBI-administered Terrorist Screening Center watchlist exposed online and that day reported his discovery to the U.S. Department of Homeland Security. The exposed server was taken down on August 9. 

Dave Bittner: Researchers at Analyst1 - a threat intelligence shop headquartered in Reston, Va., just across the Potomac River from Washington, D.C. - outline what they found with respect to the Russian government's toleration and enabling of ransomware gangs. The firm says it's established connections between Russia's SVR and FSB, both successor agencies of the Soviet KGB, and some well-known gangs. They're said to have employed individual criminals and their organizations in its operations. The FSB, Analyst1 says, employed one ransomware gang and a second criminal group that specialized in banking malware. They've also seen code similarities between Ryuk ransomware and the Sidoh espionage tool, which suggests some cross-fertilization between gangland and Russian intelligence services. Sidoh was also used to collect data from the SWIFT banking system. Operationally, the researchers perceive connections between the EvilCorp gang and the SilverFish APT implicated along with Cozy Bear in the 2020 exploitation of SolarWinds. 

Dave Bittner: Several of the figures mentioned in dispatches will be familiar. Take one - Evgeniy Mikhailovich Bogachev, a well-known Russian cybercriminal associated with the Zeus malware and indicted by the U.S. on multiple counts in 2012. Mr. Bogachev has, Analyst1 concludes, prepared a new version of Zeus malware to infect government and military targets, including intelligence agencies affiliated with Ukraine, Turkey and Georgia. Since his indictment, Mr. Bogachev has resided comfortably on the lam at home with his tracksuits and exotic cats, as he remains out of the FBI's reach, by some reports, genteelly rusticated to his Black Sea yacht. Bogachev's colleagues in the Business Club went on to organize, Analyst1 says, EvilCorp. And that gang has effectively worked as a privateer for Moscow's security and intelligence organs. 

Dave Bittner: T-Mobile confirms that it was indeed the subject of a cyberattack, Vice reports. But the mobile provider is still investigating whether customer data were compromised in the incident. DataBreachToday covers underworld rumblings that the data will soon be offered for sale, but the carrier's inquiry remains in progress. 

Dave Bittner: And finally, the ransomware incident at Colonial Pipeline has also resulted in the compromise of some personal information. The Daily Signal reports that almost 6,000 people - current or former employees or members of employees' families - had their data accessed during the attack. Colonial Pipeline has notified those affected. 

Dave Bittner: My guest today is Liam O'Murchu, director of the Security Response Group at Symantec. Like a lot of security professionals these days, he's been focused on helping organizations protect themselves from ransomware. 

Liam O'Murchu: So to start it off a couple of years ago, with the profit-sharing model, whereby if you contributed to the successful ransomware, you got a percentage of the ransom. So they were no longer paying, you know, $10 to get onto a machine. Now, they were paying potentially millions of dollars, a percentage of the ransom at least. And those ransoms have been growing - $40 million is an example that we saw recently. So I think the first thing is the economic model. There's such a huge incentive for anybody in the underground to participate in these affiliate programs to take a slice of that very large payout. And so that's one thing. And then the other thing is the aggressiveness. The ransomware gangs have really understood that the way they're going to make the most money is by getting the ransom paid quickly and moving on to their next victim. So they've really stepped up the aggressiveness there, all the way from, you know, creating leak sites, where they - when they steal information from a victim, they will then publish that slowly on the underground, where they're leaking financial information or confidential information, IP. And so that's kind of, you know, maybe a couple years old. 

Liam O'Murchu: But they've also added phone calls, getting the phone calls for your executives and calling them up and threatening them, doing DDoS against enterprises' websites and just trying to leak embarrassing details. We saw an event recently where the CEO was having an affair, and they leaked details about the affair. That was one of the ways to ramp up the pressure and try to get the company to pay the money as quickly as possible. And that really means that there are more victims because they can get into an environment quickly. They understand as well that they don't need to encrypt every machine in your environment. If they can find the critical machines in your environment and encrypt them, then put pressure on you to pay the ransom as quickly as possible, then they can move on to their next victim. So they've really sped up the whole infection-to-ransom payout cycle, which, again, leads to more victims. And then, of course, the last thing is the immunity if you live in Russia, right? We've really - that's really come into play in the last while. And we see that in the news and politics, statements from the White House, you know, sanctions against some of the radical groups, like REvil, where they know who the attackers are. They know they're in Russia. They know their identity. But they're unable to - the authorities are unable to get any action taken to have these people arrested or, you know, taken in. 

Liam O'Murchu: So all of that together creates sort of a perfect storm, where ransomware is kind of out of control right now. We're seeing, you know, so many victims pop up in the news all of the time. The ransoms are getting huge. And it's just a very big concern for all enterprises right now. 

Dave Bittner: You know, as you mentioned, I mean, we hear all these stories in the news about companies being hit, organizations, even, you know, municipalities. Are there examples of folks who have properly prepared, find themselves hit with ransomware but because they've done everything right ahead of time are able to pretty much continue - implement their backup plans and go on without a hitch? 

Liam O'Murchu: Yes, yes, yes. We see that all the time. The problem is they don't make the news. 

Dave Bittner: Right. 

Liam O'Murchu: So we do see that. It's just that the bad news is what's being promoted. But there are - you know, there are a lot of companies that are not properly prepared for this. But when we see companies properly prepared, not only what we see is that they're attacked - the attacker may get in successfully. Even if the attacker gets in successfully, the amount of damage that they do is limited to a small number of computers. Even if they can move laterally, they're not able to move throughout the entire organization. And a small number of machines will get hit, especially for a large enterprise with, you know, 50,000 or 100,000 or more endpoints or machines to protect. They might have 10 or 15 machines and - affected by this. And in those cases, it's pretty straightforward for the enterprise to be able to just rebuild those machines and kind of sort of ignore the ransom and make sure that however the attackers got in, that they're blocking that in future. 

Liam O'Murchu: So that's the scenario that we see where we have unsuccessful - you know, apart from all of the ransomware attacks that are just blocked on a day-to-day basis that, you know, we don't even really report on. The ones that do get through - that's what we see when an enterprise has successfully prepared for this sort of scenario. You know, the attackers are using a lot of different techniques. They're still using packers and customizing their payloads. And they're still doing memory injection. They're still doing a lot of traditional things. They may have wrapped them up in slightly new clothes. But they're doing a lot of the traditional things, which security products are able to protect against and - something that, you know, in security response, in Symantec, that's what we do on a daily basis, is we monitor for all the changes in the threat landscape and protect against all of those. So, you know, you really want to make sure that you are running some sort of endpoint protection that's going to be able to protect against all of the traditional attacks and that are all culminating in what ransomware attackers are doing right now. 

Dave Bittner: Our thanks to Symantec's Liam O'Murchu for joining us. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Some interesting research from the folks over at Zimperium. This is titled "FlyTrap Android Malware Compromises Thousands of Facebook Accounts." What's going on here, Joe? 

Joe Carrigan: Well, they think this is a threat actor out of Vietnam. And they have this Trojan that initially spread through the Google Play store and third-party app stores. 

Dave Bittner: OK. 

Joe Carrigan: And the hook was a coupon app. 

Dave Bittner: Oh, OK. 

Joe Carrigan: Get some coupons. I get some free Netflix or maybe get some Google AdWords coupon codes. 

Dave Bittner: OK. 

Joe Carrigan: Or there was also the opportunity to vote for your favorite soccer team. I mean, I don't know. 

Dave Bittner: All right. 

Joe Carrigan: Who has favorite soccer teams? 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: But once you started interacting with this app, it would lead you through a process that would eventually say, OK, well, in order to collect your coupon, you need to log in to Facebook. And that was just a credential-harvesting app that would then exfiltrate your data out to the command-and-control servers. But they also had an interesting way of stealing credentials here as well. They didn't steal just the credentials, but they had a way of injecting JavaScript into a WebView component that is a legitimate component on Android, and then the injected JavaScript will also exfiltrate your session tokens out to the command-and-control server, which I think is really interesting on how that works. I mean, not that it's great that these people are losing their session cookies... 

Dave Bittner: Right. But it's clever. 

Joe Carrigan: But it's clever. 

Dave Bittner: Yeah. 

Joe Carrigan: It gets better, Dave. 

Dave Bittner: (Laughter) By better, do you mean worse? 

Joe Carrigan: Yes, of course (laughter). 

Dave Bittner: (Laughter) OK, go on. 

Joe Carrigan: Do I ever mean - do I ever actually mean better when I say that? 

Dave Bittner: Right. 

Joe Carrigan: No. Zimperium found the command-and-control server. 

Dave Bittner: OK. 

Joe Carrigan: Right? Now it's secured by a password. But guess what? There's a vulnerability on that server that, if you exploit it, just shows you all of the database of all of the compromised credentials and tokens out there. So if you've been victimized by this account - or by this Trojan, rather, all of your information is available to anybody who has the wherewithal to go look for it. 

Dave Bittner: Wow. 

Joe Carrigan: Not just the attackers but anybody who wants to attack the attackers. 

Dave Bittner: What are they recommending in terms of protecting yourself against this thing? 

Joe Carrigan: OK, well, good question. The first thing is happening right now, is this thing is spreading via messages sent from compromised phones. 

Dave Bittner: I see. 

Joe Carrigan: So if you get a message from somebody, don't click the link, right? 

Dave Bittner: Yeah. Somebody says, hey, check out this great app where I can vote on my favorite soccer team. 

Joe Carrigan: Right, yeah. Don't do that. 

Dave Bittner: OK. 

Joe Carrigan: Don't do that 'cause that's going to lead you to some third-party site with another version of the infected Trojans. So don't click on any links that somebody sends you. The other thing you can do is always, always, always have multifactor authentication on your social media accounts. 

Dave Bittner: Right. 

Joe Carrigan: You know, there are some indicators of compromise on here as well. But, you know, if you don't have a malware detection application on your phone, you'll probably never know that you've been compromised. You can go into your Facebook account and log yourself out of everything if you still have control over it. That's a good way to kill those session tokens that may have been exfiltrated. 

Dave Bittner: Right, and then change your password. 

Joe Carrigan: And then change your password and enable two-factor authentication. And you should be good. If you're worried that you've been compromised, you can do that. 

Dave Bittner: Yeah, yeah. One thing I thought was - oh, curious, I guess is a way to say it. The Zimperium folks include a map of all the areas that have been hit by this, and one area is conspicuous in its absence. 

Joe Carrigan: Yeah. 

Dave Bittner: What is that, Joe? 

Joe Carrigan: China. 

Dave Bittner: China. 

Joe Carrigan: China has not been hit by this, nor has anybody in Iran. 

Dave Bittner: Yeah. What a crazy, random happenstance. 

Joe Carrigan: Yeah. It's - there are a couple of other countries that aren't on the list as well, like Ireland - not notorious for being a repressive regime. 

Dave Bittner: Right, right. 

Joe Carrigan: But China and Iran both have strict controls on what their people see. And actually, in China, WeChat is much bigger than Facebook is. 

Dave Bittner: Right, right. So it may not be that the folks who are running this are specifically avoiding those areas. Although it could be. 

Joe Carrigan: Oh, it could be, absolutely. 

Dave Bittner: Yeah, yeah. All right. Well, again, this is from the folks over at Zimperium. And it's titled "FlyTrap Android Malware Compromises Thousands of Facebook Accounts." Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.