The CyberWire Daily Podcast 9.2.21
Ep 1410 | 9.2.21

LockBit updates. The BrakTooth bugs infesting Bluetooth. Malicious cable proof-of-concept. EU fines WhatsApp over GDPR issues. Insider threats. Action against an alleged stalkerware vendor.


Dave Bittner: The LockBit gang jumps the gun and crows a bit higher than the facts seem to warrant. Ghostwriter seems to ride a much bigger infrastructure than previously believed. BrakTooth bugs afflict billions of Bluetooth devices. OMG cables include a keylogger that phones home. The EU fines WhatsApp over GDPR violations. Insider threats can be difficult to recognize. David Dufour from Webroot thinks it's great that you haven't been breached - yet. Our guest is Mark Nunnikhoven from Lacework with results from their Cloud Threat Report. And an alleged stalkerware vendor is sanctioned by the U.S. Federal Trade Commission.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, September 2, 2021. 

Dave Bittner: The LockBit operators have jumped the gun on their own deadline for the release of data stolen in their ransomware attack on Bangkok Airways, BleepingComputer reports. 

Dave Bittner: LockBit's proprietors have an uncertain relationship with accuracy when issuing communiqués, threats and other inducements to pay. In addition to its sad inattention to deadlines, for example, the gang also claims to have used credentials stolen from Accenture to access and encrypt files at an unnamed airport, and to have successfully pwned other Accenture customers with compromised credentials. 

Dave Bittner: The brag, however, is not only suspiciously short on corroborative detail, but simply seems not to be true. As Accenture commented to Threatpost and other outlets covering this, quote, "We have completed a thorough forensic review of documents on the attacked Accenture systems. This claim is false. As we have stated, there was no impact on Accenture's operations, or on our client's systems. As soon as we detected the presence of this threat actor, we isolated the affected servers," end quote. 

Dave Bittner: Thai authorities are investigating the Bangkok Airways incident. Good hunting to them. 

Dave Bittner: UNC1151, a Russian threat group whose activities are tracked as Ghostwriter, has been determined to have a much larger infrastructure and more extensive operations than previously believed. Security firm Prevailion, which announced its findings yesterday, says that it's unclear whether UNC1151 is a single organization, but that its infrastructure and the Ghostwriter campaign appear to have an overarching theme and direction. Prevailion found 81 malicious domains clustered with the activity that had hitherto gone unremarked, which would make UNC1151's infrastructure about three times as large as earlier reports had reckoned it. 

Dave Bittner: Ghostwriter has so far tended to concentrate on targets in Central and Eastern Europe. Its approach has typically been through phishing, and it's been known to engage in influence operations. 

Dave Bittner: Researchers at the Singapore University of Technology and Design have described a set of Bluetooth Classic protocol vulnerabilities collectively known as BrakTooth. The affected firmware is thought, the Record says, to be found in more than 1,400 chipsets. The Register reports that BrakTooth's impact and severity varies considerably across different devices. 

Dave Bittner: The vulnerable chipsets are in an awfully large number of devices worldwide - billions of them, in the Record's back-of-the-envelope calculation. Those systems include laptops, smartphones, industrial equipment and other smart Internet of Things devices. As is usually the case with Bluetooth bugs, exploitation would require that the bad actors be within short radio range of the target. 

Dave Bittner: The security researcher known as MG has shared a proof-of-concept hack with Motherboard that involves a Lightning cable modified with a keylogger that transmits its take wirelessly to its controllers. Such cables had been thought to be too small to hold the necessary malicious hardware, but MG's proof-of-concept, part of a suite of pentesting tools, shows that this isn't the case. 

Dave Bittner: Motherboard writes, "The OMG Cables, as they're called, work by creating a Wi-Fi hotspot itself that a hacker can connect to from their own device. From here, an interface in an ordinary web browser lets the hacker start recording keystrokes. The malicious implant itself takes up around half the length of the plastic shell," end quote. 

Dave Bittner: MG has been able to trigger the device's payload at ranges up to a mile. 

Dave Bittner: Ireland's Data Protection Commission has reported the outcome of its GDPR investigation into WhatsApp's sharing of data with other subsidiaries of its Facebook parent. The European Data Protection Board has approved a fine of 225 million euros for violations of data transparency rules. 

Dave Bittner: The Ponemon Institute and DTEX Systems have published a study of insider threats. They surveyed North American firms and found that more than half of the businesses who responded were unable reliably to identify certain classes of insider threat. A lot of the clues being missed are unsurprisingly behavioral. Some activities that often, but of course not inevitably, indicate that there may be a problem with an insider, include a user's opening of an unusual number of files, unusual use of USB devices, circumvention of security controls, moving and saving files to unusual locations and taking various steps to cloak whatever it is that the insider is doing online. 

Dave Bittner: The report concludes, quote, "Nearly half of companies find it impossible or very difficult to prevent an insider attack at the earliest stages of the insider threat kill chain. Fifty-three percent of companies find it impossible or very difficult to prevent an insider attack when data is being aggregated, a key indicator of intent of an attack. Only 32% of companies say their organizations are very or highly effective in preventing the leakage of sensitive information. And 15% of organizations state that no one has ultimate authority and responsibility for controlling and mitigating workforce risks." 

Dave Bittner: And insiders can retain their ability to do damage even after they've left. And they may be especially likely to do so if they parted on unhappy terms. A Brooklyn, N.Y., woman, Juliana Barile, this week took a guilty plea to one count of computer intrusion in a U.S. federal court. The U.S. Attorney's Office for the Eastern District of New York said that she accessed the systems of the New York credit union where she'd lost her temporary position and destroyed more than 20 gigabytes of information. 

Dave Bittner: Acting U.S. Attorney Jacquelyn Kasulis described the offense in the case. Quote, "In an act of revenge for being terminated, Barile surreptitiously accessed the computer system of her former employer, a New York credit union, and deleted mortgage loan applications and other sensitive information maintained on its file server," end quote. 

Dave Bittner: While the revenge may have affected her former employer, that wasn't the only victim. Michael J. Driscoll, assistant director in charge of the FBI's New York field office, commented, quote, "Ms. Barile may have thought she was getting back at her employer by deleting files. However, she did just as much harm to customers. Her petty revenge not only created a huge security risk for the bank, but customers also, depending on paperwork and approvals to pay for their homes, were left scrambling. An insider threat can wreak just as much havoc, if not more, than an external crime. The bank and customers are now faced with a tremendous headache of fixing one employee's selfish actions," end quote. 

Dave Bittner: And finally, the U.S. Federal Trade Commission has taken action against SpyFone over allegations that the stalkerware app company secretly harvested and shared data on people's physical movements, phone use and online activities through a hidden device hack. Effectively finding the company to have offered stalkerware, the FTC has banned SpyFone from offering, promoting, selling or advertising any surveillance app, service or business. 

Dave Bittner: Mark Nunnikhoven is the distinguished cloud strategist at cloud security provider Lacework. They recently released their 2021 Cloud Threat Report, and I caught up with Mark Nunnikhoven for the highlights. 

Mark Nunnikhoven: The biggest thing was - you know, one of the key themes is that cybercriminals are aggressively pivoting to go after businesses in the cloud. They're doing that, I think, because it's a more direct vector, whereas in an on-premise environment, you've got that really strong perimeter with - you know, which it works to some extent. You know, there's pros and cons to that. But when it comes to the cloud, because everything is automated and based on APIs, it's a little bit easier to probe and to see what's going on potentially for cybercriminals. So we're seeing them look to try to get that access to the point where even a new sort of trend in the underground market is these initial access brokers who are selling cloud account credentials, so whether that's Azure, AWS or Google Cloud, to make it easier for these criminals to start pointing their attacks at new victims. 

Dave Bittner: Now, can you differentiate for us sort of the spectrum of things we're talking about here? Because we have - you know, there's never a shortage of stories about people who accidentally leave their data waving in the wind in a cloud bucket. And I suspect that's part of this. But there's more to it as well, yes? 

Mark Nunnikhoven: Yeah, absolutely. And that's a very astute observation because that bucket thing is one of my biggest challenges. It is my mountain to climb in that - that is constantly a challenge. And I mean, for me, it always highlights the complexity of configuring cloud services. And there's always something changing. There's always new features and functionalities. And as someone building in the cloud, it's hard to keep on top of that. So, you know, people are making mistakes, and that's natural. That's what we do. But in particular with those buckets is that they start locked down, is what really frustrates me. And they get explicitly opened up by a mistake somewhere. But what we're talking about in this report is different than that. Even though misconfiguration has continued to be the No. 1 security issue in the cloud, what we're talking about is the specific actions that cybercriminals are taking. So instead of you making a mistake, we're looking at the adversarial motion of them coming in and saying, I know you're in the cloud, Dave. I'm going to come after you. 

Dave Bittner: You know, I think there's a perception that part of the move to the cloud involves taking advantage of the greater security capabilities that are provided by these large providers, that they're going to be able to have a bigger team than you would individually. Is that a misperception? Are we - do we have a false sense of security there? 

Mark Nunnikhoven: I think it's not inaccurate, but it's also not the complete picture. So the way that security works in the cloud and operations work in the cloud is through something called the shared responsibility model. Now, that's not specific to any CSP. That's just how it works, is that you as a builder or as a user are sharing these responsibilities with the providers. And there's roughly six areas where work needs to be done every day. So you start way down at the physical infrastructure layer - virtualization, OS, apps and data. And at the lowest sort of most primitive level in the cloud, if you asked for a server, you're going to see three of those things. So half of those things go to the cloud service provider. You're never going to touch physical. You're never going to touch the core infrastructure. And you don't run that virtualization layer. They do all that, and they do it at a world-class level. 

Mark Nunnikhoven: But it's up to you to run that server. So if you want to set your administrator password or your root password to password, you can do it. That's absolutely not a good move, but it's your area of responsibility. So you can take that step. And as you go into something like a container, you can get rid of that operating system that goes to the CSP. As you go into SaaS levels of things like buckets, even the application is the CSP. But at the end of the day, you still have a ton of power with these services and a lot of options. So you're responsible for that part of the model and configuring the service. And that's where we see those mistakes bubble up. With the general sense of security, the challenge is just scope. And that's why we see attackers coming after those cloud credentials and using those initial access brokers, because what they're trying to get there is not one particular service. They're trying to be able to log in as you into AWS or into Google or into Azure and then spin up whatever they want. So they're going - undercutting what you've built and saying, we just want the tools that you're building with, and we're going to take advantage of that. 

Dave Bittner: So given the information you gathered here, what are your recommendations? How can organizations do a better job of protecting themselves? 

Mark Nunnikhoven: Yeah, and that's a really good question, because every situation is somewhat unique. But there are some generic things that we can recommend to people. And the first is really understand that shared responsibility model. Know what you are on the hook for, what you should be looking at and what you can let AWS or Google or Microsoft concern themselves with. But from there, you really need to start to understand what standard or normal looks like in your account. Because the criminals are coming in as authenticated users, they're not trying to, you know, blow away the firewall or evade your security controls. They're coming in as Mark or as Dave. And now you as a defender need to know, what is our normal activity? What do we normally do? 

Mark Nunnikhoven: So if you normally only have five to 10 servers running in your account and all of a sudden there's a thousand, you should know that that should raise some questions. So as a defender, you need to change - as opposed to looking for binary answers - we're stopping them, we're not stopping them - you need to really understand your environment and say, this is standard or normal behavior and this is anomalous behavior. When it's an anomaly, you need to figure out whether that's a bad thing or a good thing. 

Dave Bittner: That's Mark Nunnikhoven from Lacework. 

Dave Bittner: And joining me once again is David Dufour. He's the vice president of engineering and cybersecurity at Webroot. David, it's always great to have you back. You know, there is a phrase that gets tossed around a lot. And it is, it's not a matter of if, it's a matter of when. When it comes to companies being breached, there's a variant on that. That is, you may not think you've been breached, but you just haven't discovered the breach yet. I wanted to check in with you. What's your take on that approach? 

David Dufour: Yes, David, it's great to be back, as always. And I couldn't agree more. It's that - what's the sailor's saying there? Those who get seasick and those who have yet to be seasick, because... 

David Dufour: It's going to happen. And, you know, you just have to prepare for it. It's one of those things that if you're not preparing for it, you're crossing your fingers and hoping it happens to the next guy because data breaches happen constantly. And we're not just talking about ransomware attacks. We're talking about data being stolen, things of that nature. It's going to happen. 

Dave Bittner: How does this change an organization's approach, though, when you come into it assuming that either the breach is going to happen, or a breach has happened? How does that change how you design your defenses? 

David Dufour: Well, that's a great question, and it depends. A lot of times the security folks, your CISO, may live in a vacuum from your data protection folks. Hopefully, that's starting to really coalesce and come together. There's a couple of things people really have to do. You have to understand what data you're collecting. You know, every year at our company, we have to take our PCI compliance. And it's a little bit mundane, but it's important because it reminds us. And I'm saying that because I believe it. I hate taking the stuff, but you do need to do it. Now we have to do GDPR compliance testing as well. And so what that really points to is you have to take the time to know what data you have and then isolate that data, because a lot of times companies grow from these little startups, where there was, you know, five people, and they had to know everything. And they never have taken the time to really isolate and understand the data that they have to ensure that if they are breached, they - if it's a ransomware attack, they can get it back. If the data has been stolen, they know what was stolen and what their, you know, exposure is. 

Dave Bittner: How do you go about that sort of inventory while you're in the midst of business? You know, it's that old phrase or that old saying about, you know, changing the oil in your car while the engine is running. 

David Dufour: That's exactly right. And you have to just decide you're going to do it. And it does cost money. And there are, you know, tools that help you. But those tools will not do it for you. So you have to find people to bring on board. And it's something you have to commit to at a senior level that you want to have that understanding because you want to protect yourself in your exposure. And I'll tell you what - I've been involved in many of them, and it's not fun. There are crazy people out there who love doing it. And my hat's off to them... 

Dave Bittner: (Laughter). 

David Dufour: ...'Cause they really like - I am not one of them. But it is so important, David, that you understand your data, where it lives, how it traverses - that kind of thing. 

Dave Bittner: Do you think that this is the right approach? Are you on board with taking this avenue that you assume a breach? 

David Dufour: I definitely am. And not just a breach from the point of it might be ransomware or a breach from the point of it might be, you know, someone steals our data. A lot of your folks listening know I talk about the Air Force a lot. I was in the Air Force, and I saw that whole, you know, hierarchical, monolithic way of approaching security. And I'm a huge believer in it needs to be smaller, more nimble teams that understand stuff because then you can react to how breaches happen. And you have groups that can quickly define what happened, understand it because these things don't happen in a vacuum. You might have multiple things fail at once, and you need to be able to respond to them and know what is going to happen. And most of the time, you need that team to be able to communicate with each other, to be able to have the air cover from executives to take the time to understand what really happened because a lot of times, what you think happened in the first hours is not what you find out happened two days later. You've got to really have those teams who can dig into it and understand. 

Dave Bittner: All right. Well, David Dufour, thanks for joining us. 

David Dufour: Hey, great being here, David. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.