The CyberWire Daily Podcast 9.8.21
Ep 1413 | 9.8.21

BladeHawk Android cyberespionage campaign in progress. Labor Day was quiet, but the gangs are now back at it. REvil’s remnant stirs. Bulletproof hosting. Phishing keywords.


Dave Bittner: BladeHawk cyberespionage campaign is in progress. Microsoft warns of targeted attacks. Hey, the hoods took a breather over Labor Day, but the straw hats are off now, and they're back at work. Someone is rummaging in REvil's unquiet grave. Bulletproof hosting services and the criminal marketplace. Mike Benjamin from Black Lotus Labs on ReverseRAT 2.0. Rick Howard checks in with Philip Reiner from the Ransomware Task Force. And does a new, urgent message require action? Maybe not.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 8, 2021. 

Dave Bittner: ESET is tracking BladeHawk, a mobile, Android-based cyberespionage campaign targeting ethnic Kurds. There's no attribution, but Kurds have been perennial objects of suspicion on the part of the three governments that control traditional Kurdistan - Turkey, Iraq and Iran. 

Dave Bittner: Microsoft warned yesterday that targeted attacks are exploiting a vulnerability in MSHTML by using malicious ActiveX controls in Word documents for remote code execution. There's no patch yet, but Redmond is working on it. In the meantime, Microsoft has made some mitigations and workarounds available - notably, disabling ActiveX - and CISA "encourages users and organizations to review them."

Dave Bittner: Patch Tuesday arrives next week, and while Microsoft hasn't promised a fix for the vulnerability, many expect Redmond to issue one then, if not an earlier out-of-band patch. And we do mention, Microsoft is a CyberWire sponsor. There's no attribution of the attacks yet, but SecurityWeek thinks that the wording of Microsoft's disclosure strongly hints that a nation-state is behind them. And CISA says if you'd like to stay safer until the final patch is out, do consider what Microsoft recommends and disable ActiveX rendering. 

Dave Bittner: So it turns out that Labor Day weekend was more a day off than the expected extortion doorbuster for ransomware gangs. But now that the holiday has passed, the hoods have returned to business as usual. The Washington Post is prepared to call the quiet holiday an anomaly? CISA, the FBI and the White House had all warned organizations to be on the alert - sound advice on form, but the expected wave of attacks didn't materialize. 

Dave Bittner: The ongoing ransomware infestation at Howard University in Washington, D.C., is still under investigation and in the process of resolution. As the university posted yesterday, quote, "The situation is still being investigated. ETS and its partners" - ETS is the university's IT department - "have been working diligently to fully address this incident and restore operations as quickly as possible. We are currently working with leading external forensic experts and law enforcement to fully investigate the incident and the impact. To date, there has been no evidence of personal information being accessed or exfiltrated. However, our investigation remains ongoing, and we continue to work toward clarifying the facts surrounding what happened and what information has been accessed," end quote. Courses remain suspended today, with physical access to campus restricted to essential personnel only. They are working on setting up an alternative Wi-Fi system, but that's not expected to be ready today. 

Dave Bittner: The other big ransomware news concerns a stirring in the unquiet grave of REvil, the gang also known as Sodinokibi that appeared to bring itself to an end after its high-profile attack against Kaseya. REvil was last heard from in its own voice when it was demanding first $70 million, then a discounted $50 million, in exchange for a master decryption key. The gang disappeared, and shortly thereafter, Kaseya received a decryption key from what it characterized as a reliable source - reliable in the sense that it delivered the goods. BleepingComputer reports speculation that Russian intelligence services quietly comped Kaseya with the decryptor. 

Dave Bittner: REvil may be among the ransomware gangs that's resurfacing. BleepingComputer reports that after an absence of almost two months, the group's dark web servers have reappeared. Researchers with both Emsisoft and Recorded Future have tweeted that among the restored presence is the gang's Happy Blog. But so far, there's nothing new on the Happy Blog, which seems to have resurfaced with the same stuff on deck that was there when it's submerged back on July 13. And the blog's return yesterday was incomplete. While the dump site returned much as it had been, the Tor portal used to negotiate payment was up, but inaccessible. Victims weren't able to log in. 

Dave Bittner: All of this revenant activity could mean any number of things. KnowBe4 wrote us to observe that cybercriminals operate for a while as distinct, recognizable gangs, then break up, reform and operate again. KnowBe4's James McQuiggan wrote, quote, "With this recent activity, it is most likely possible that they are collecting files, data, zero-days or other malware to use in their next group," end quote. It's also possible that some law enforcement agency or agencies are rummaging what they can from the remains to see what forensic analysis will yield. 

Dave Bittner: Steve Moore, Exabeam's chief security strategist, wrote that REvil is itself probably a reincarnation of an earlier group. It's likely that there are further incipient campaigns already under preparation against organizations that were vulnerable to the old version of REvil. He thinks that, quote, "Directly, REvil took time to refit, retool and take a bit of a holiday over the summer. The fact their sites are back online means they are, again, ready for business and have targets in mind," end quote. KnowBe4's McQuiggan closed his comments by comparing the gangs to the hydra Hercules fought. When one head was cut off, another nine grew in its place. Or as one might say, when you're looking at bad actors, their name is Legion. 

Dave Bittner: Security firm RiskIQ complains that bulletproof hosting services continue to play a major role as enablers of the underground criminal economy. Their researchers today are drawing attention to Flowspec, which they call a one-stop shop for threat groups, facilitating phishing campaigns, malware delivery, Magecart skimmers and large swaths of other malicious infrastructure. At least 19 Flowspec domains are, according to RiskIQ, associated with Magecart, and the researchers allege that the well-known ransomware gangs that have used Flowspec include Ryuk, Genasom, Ergop, Ymacco, Sodinokibi, Gandcrab and Crysis. RiskIQ's bottom line on Flowspec, which has operated in a twilight zone, one foot in darkness, the other in light, is this - Flowspec's current IP allocation should be considered suspicious, if not outright malicious. 

Dave Bittner: And finally, what are the keywords most commonly used in phishing nowadays? Expel has just published a list, complete with brief analysis of how each word appears in its social engineering context. They're words that are common enough to appear benign, even anodyne, but with enough suggestion or routine interest or urgency to possibly prompt the jaded and the unwary to click away. Some of the words are invoice - as in, say, missing invoice - new - as in new message, and by the way, message is another one of those commonly abused keywords - required, document, action, verification, request and, among others, the ever-popular blank subject. Think when you're contacted, and remember that security, like Fortune herself, favors the prepared mind. 

Dave Bittner: The CyberWire's own chief analyst and chief security officer, Rick Howard, recently caught up with Philip Reiner, chief executive officer at the Institute for Security and Technology. Here's their conversation. 

Rick Howard: Philip, back in January of this year, you formed something called the Ransomware Task Force. Tell me what that is. 

Philip Reiner: This is an effort to get all of the best people that we could talk to and get their advice on what a comprehensive strategy could look like to tackle the ransomware problem. And this is public and private, civil society, government industry - as many folks that we could pull in, quite honestly, to cover the waterfront. Over 100 experts participated. We had everybody from Microsoft to Coveware to the financial sector, the health care sector, small- and medium-sized businesses. Yeah, it's been a sprint, you know, January through March. And we're set to release the report here and get the word out about what our recommendations are. 

Rick Howard: The result of that group getting together after many weeks is that you published a paper back at the beginning of May that describes some international strategic goals. 

Philip Reiner: The attempt here is to actually put together a real strategy. Ransomware is a pernicious, broad threat that touches a number of different sectors. One of the things we always like to reemphasize here is there's really great work that's already going on. There's a lot of people out there fighting in this fight every day. And we don't mean to say that any of that should stop or that any of that isn't any good. It's just in stovepipes. And so, how can you actually put together a strategy that, in a coordinated way with resources, intentionally goes after the full spectrum of ransomware-related actions? As far as we could tell, nobody had put together that framework. And that's what we've done through the task force. 

Philip Reiner: There's a range of things that need to be done. But if you only do some of them, it's not going to have the effect you're looking for. At the outset, the challenge was to try and come up with that comprehensive framework. And what we devised was a four-pronged approach where you've got to look at how to actually deter folks from getting into this. You've got to actually be able to not just put them in handcuffs, but disrupt the actors and their infrastructure proactively, not always just reacting to them after you've gotten hit. You've got to go after them. You go left of boom. How do you actually better help people prepare? So how do you make - municipalities and small- and medium-sized businesses, how do you make them more resilient? How do you get them the resources they need? And how do you help people respond? 

Philip Reiner: I know, you know, deterrence in this space is almost cliche and laughed at. But these guys are acting with impunity because they know nobody's going to come after them. There needs to be White House- and State Department-led initiative to actually get a collaborative international effort to deter these folks, squeeze their safe havens while you're disrupting their activities and while you're shoring up people in order to protect themselves. That's why we argue there has to be a comprehensive top-down framework and strategy. Because otherwise, you're not really going to make much of a dent. 

Rick Howard: That's Philip Reiner, the CEO and co-founder of the Institute for Security and Technology. And you can find his report at securityandtechnology - all one word - .org/ransomwaretaskforce - again, all one word - /report. 

Dave Bittner: And I'm pleased to be joined once again by Mike Benjamin. He's vice president of security at Lumen Technologies and also is the head of their Black Lotus Labs. Mike, always great to have you back. 

Mike Benjamin: Thanks, Dave. Good to speak with you. 

Dave Bittner: I want to focus today on the research that you and your colleagues have been doing when it comes to ReverseRAT and some of the things you all have been tracking there. Can we start off sort of at the beginning here? I mean, what first drew this to your attention? 

Mike Benjamin: Well, ReverseRAT is a Trojan that we uncovered here, that we published some details around about the end of June in the first iteration and more recently followed up on some more details. The RAT came across our sort of purview due to the way it does a certain type of host enumeration. And so we search for a variety of - call them - signatures that actors use in their day to day of infection and post-exploitation and other things. And this one matched one of our triggers and, you know, led the team to take some time to understand more about what it was, you know, ultimately uncovering something that wasn't known at the time. 

Dave Bittner: So of course, RAT stands for remote access trojan. Can you take us through - what are some of the unique things about ReverseRAT itself? 

Mike Benjamin: Well, I think most folks understand either the concept of remote access trojans or even just commercially available remote access tools. A lot of enterprises' help desks, other things, use them. And the criminal-used RATs are not really that dissimilar in regards to what they can do. And so, you know, simple things like desktop control, information about a host, screen-sharing - those are the kinds of things that either RATs or the more reputable tools allow. 

Mike Benjamin: What's unique about ReverseRAT is that it was custom-built. And so there are some very well-developed RATs that are used pretty widely. And if you, as a criminal, wanted to go out and take control of a computer and do something, you'd just download one of those tools. They work. They're effective. However, as you might believe, they are detectable, right? Because they are more widely used, they are more widely able to be detected and mitigated or blocked or just, you know, flat-out removed. And so the actors who take the time to go develop their own are those that are either going to have more time, more money - something at the end of that campaign that makes it worth their while, not the common criminal that's out there to just encrypt a hard drive or steal a credit card number. And so that's what really stands out, is the fact that it was custom developed. 

Dave Bittner: I see. Well, you all continued your research here, and you published some information about what you're describing as ReverseRAT 2.0, which had some additional capabilities here. What was the iteration here? What changed with the second version of ReverseRAT? 

Mike Benjamin: Well, the first thing that the actor group did was add some more functions. Like I mentioned, you know, RATs have a variety of functions that they perform. They added the ability to take pictures with the webcam - so that was a new feature function that they had added - and some other minor changes to evade antivirus. They, in the first iteration, had focused on evading a certain path to avoid detection. And Kaspersky - they added one focused on the antivirus software Quick Heal, which is popular inside India. And so they installed themselves in different ways in order to evade the toolchain being detected by those antiviruses. 

Mike Benjamin: But really, the big shift in this second iteration of research that we posted is focused on a new agent that came as a component of it. In the first campaign, we saw ReverseRAT 2.0 - or, excuse me, ReverseRAT 1.0 deployed in parallel with the open-source framework AllaKore, which is another RAT. 

Mike Benjamin: And in the second iteration of the research we published, they had stopped using that open-source framework and had installed a sideloaded DLL that we call NightFury. And this particular agent enumerates all files of interest within the computer as C2 commands in order to transfer that file of what it enumerated from a host perspective as well as to be able to execute subsequent commands. And so given its limited functionality of enumeration and execution, we believe it's an earlier-stage loader in the process. However, it has a number of functions not defined yet. It's literally a loop. If the C2 were to send a command, it would just go back to the C2. And so we believe it's still in development. And no doubt we'll see future development within that framework as well. 

Dave Bittner: I see. Can you take us through some of the other recommendations here? How do you recommend people protect themselves? 

Mike Benjamin: Well, first is being aware of this actor group, their exact TTPs. So reading through the research we published, understanding exactly how they're carrying out their actions - that's important. Then, being able to compare those against the defenses of your particular organization - so do you have adequate endpoint telemetry where you could detect, mitigate, stop these things? Do you have an ability to monitor network traffic for C2 callbacks to infrastructure you don't expect? And so this is, from a defensive perspective, a lot of the standard items that every entity should be doing. But really, it's staying on top of current-generation TTPs, making sure that you can search, mitigate and stop, and then making sure that, you know, everything's patched and everything that this actor group would do after they had this initial foothold can be detected and mitigated as well. 

Dave Bittner: All right. Well, good advice, as always. Mike Benjamin, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.