The CyberWire Daily Podcast 9.10.21
Ep 1415 | 9.10.21

Investigations--the SEC looks into Solarigate, German prosecutors inquire into GhostWriter. The Meris botnet is responsible for recent DDoS attacks. Implausible deniability. The SINET 16 are announced.

Transcript

Rick Howard: Hey everybody, Rick here. On September 11, 2001, I was stationed at the Pentagon running the communications systems for the Army Operations Center. For the 20th anniversary of that horrific day, I decided it was time to dust off my notes and revisit those memories to see what insights I could pull from my experience. I'll be sharing those thoughts about the events of 9/11 and their aftermath tomorrow on the "CSO Perspectives" podcast. For Pro subscribers, it will automatically show up in your feed. For everybody else, you can sign up for the "CSO Perspectives" public version in your favorite podcast app or wherever you get your podcasts from.

Dave Bittner: The SEC's inquiry into the SolarWinds incident may expose other unrelated data breaches. Researchers identify an IoT botnet responsible for DDoS attacks against a number of banks. German prosecutors have opened an investigation into the GhostWriter campaign. Researchers look at the cozy, implausibly deniable relationship between Russia's security services and cyber gangs. A money-launderer gets 11 years. David Dufour from Webroot has straight talk about paying the ransom. Our guest is Jeff Williams from Contrast Security with a look at AppSec Observability. Congratulations to the SINET 16 winners. And we remember 9/11 - hard to believe it's already been 20 years. 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, September 10, 2021. 

Dave Bittner: The U.S. Securities and Exchange Commission, best known by its acronym SEC, is investigating the SolarWinds incident. And Reuters reports that the inquiry is spooking some large U.S. companies who fear that the results of the probe will expose them to liability. Reuters says, quote, "The SEC is asking companies to turn over records into any other data breach or ransomware attack dating back to October 2019 if they downloaded a bugged network-management software update from SolarWinds Corp., which delivers products used across corporate America, according to details of the letters shared with Reuters." It's the "any other" that's got companies spooked. They're unsure what the consequences may be if the inquiry turns up previously undisclosed data breaches. 

Dave Bittner: There may be some clarity forming around the distributed denial of service attacks that have hit organizations, including Russia's Yandex, New Zealand's ANZ Bank - which went down again yesterday according to the New Zealand Herald - and other targets in the U.S. and the U.K. 

Dave Bittner: Qrator Labs today released a description of Meris, an IoT botnet with a quarter of a million devices. There have been larger botnets. Mirai, for one, had in excess of 300,000. But unlike its well-known predecessors, Meris relies on transmitting a high number of requests per second. The Record describes the difference between Meris and the usual sort of DDoS attack like this. Quote, "Called volumetric or application-layer DDoS attacks, RPS attacks are different because attackers focus on sending requests to a target server in order to overwhelm its CPU and memory. Instead of clogging its bandwidth with junk traffic, volumetric attacks focus on occupying servers' resources and eventually crashing them," end quote. Most of the devices exploited to form the botnet were networking gear from the Latvian vendor MikroTik. Items include routers, IoT gateways, Wi-Fi access points, switches and mobile networking gear. The Record reports that sources tell it the target of the Yandex DDoS attack wasn't Yandex itself, but rather a bank that used Yandex's cloud services to host its e-banking portal. 

Dave Bittner: German prosecutors have opened an investigation into the GhostWriter campaign Berlin has attributed to Russian intelligence services, Der Spiegel reports. Germany's Foreign Ministry has warned that Russia will face unspecified consequences should the cyberespionage and election-related disinformation persist.

Dave Bittner: Recorded Future's Insikt Group yesterday issued a report on what it calls the dark covenant between Russian intelligence services and cybercriminals. The security organs aren't directing the criminals, but the gangs operate at their sufferance and shape their operations and target selection to conform to their understanding of what those services want. It's too soon to tell whether U.S. carrots and sticks will inhibit the privateering, but the Insikt report thinks there are signs Russian President Putin is feeling some pressure to make a gesture in the direction of international good citizenship. 

Dave Bittner: The report's executive summary says, quote, "The open assertion made by U.S. President Joe Biden that Russian cybercriminals are protected by the Russian government has placed Russian President Vladimir Putin on the defensive." The report adds that this is forcing Russian domestic law enforcement to demonstrate that they are cracking down on ransomware operators. U.S. cyber czar Chris Inglis cautions against expecting any quick Russian reform or a departure from long-standing Russian intelligence and security practices. He sees deterrence in cyberspace as complicated. It's not, he thinks, a problem we're going to shoot our way out of. 

Dave Bittner: A cybercriminal associated with North Korean hackers, Ghaleb Alaumary, a native of Mississauga, Ontario, and 36 years young, has been awarded an 11-year sabbatical courtesy of the U.S. Bureau of Prisons. Mr. Alaumary, who holds both U.S. and Canadian citizenship, took a guilty plea to two federal counts of money laundering. The U.S. attorney for the Central District of California explained that Mr. Alaumary received funds from bank cyber heists and fraud schemes. And once the ill-gotten funds were in accounts he controlled, Alaumary further laundered the funds through wire transfers, cash withdrawals and by exchanging the funds for cryptocurrency. The funds included those from North Korean-perpetrated crimes, including the 2019 cyber heist of a Maltese bank and the 2018 ATM cash-out theft from BankIslami in Pakistan. Other victims of Alaumary's crimes include a bank headquartered in India, as well as companies in the U.S., the U.K., individuals in the U.S. and a professional soccer club in the United Kingdom. Mr. Alaumary's North Korean friends, the Hidden Cobra gang, are generally held to be connected to the Lazarus Group and to be stealing on behalf of the Kim regime in Pyongyang. He's thought to have collaborators elsewhere, too. One of his co-conspirators is allegedly the Nigerian social media star influencer Ramon Olorunwa Abbas, known by his hacker name Ray Hushpuppi or just Hushpuppi for short. Mr. Puppi is also currently in U.S. custody. 

Dave Bittner: The SINET16 were announced this week. This annual competition has for years brought some of the most promising startups in cybersecurity into the spotlight. This year's winners in reverse alphabetical order are Valtix, specialists in multi-cloud network security, whose solution promises both simplicity and adaptability. Strata, which delivers enterprise identity management, also for multi-cloud environments. Sevco Security, provider of asset inventory necessary for the dynamic self-awareness necessary to security. Securiti, with a final "i," offering artificial intelligence solutions for security, privacy, governance and compliance for multi-cloud, SaaS and self-managed data systems. Perimeter 81, which has a secure access service edge platform designed to support a remote workforce. Pentera, an automated pen-testing shop for safe emulation of attacks. JupiterOne, an asset management company that provides security context to cloud users. INKY, the Maryland-based antiphishing company, whose cloud-based artificial more-than-intelligence spots fraud and social engineering in email. GreyNoise, whose solution tells security practitioners what they don't have to worry about, saving labor by cutting down on false alerts and security noise. GrammaTech, developer of software-assurance tools and advanced cybersecurity solutions designed to ease the challenges of DevSecOps. ForAllSecure, which offers application testing intended to make developers' lives easier. Ermetic, whose solution offers multi-cloud, continuous protection for users of AWS, Azure and Google Cloud. Cequence Security, who offers a complete API inventory and data leak protection solution. Baffle, a cloud data protection shop that offers data tokenization, de-identification and database encryption to protect data from source to destination. Axis Security, a zero-trust, secure access service edge provider whose agentless solution enables secure employee access. AppOmni, whose SaaS security management platform delivers visibility into security configurations, user permissions and third-party apps. 

Dave Bittner: This year, SINET singled out three companies to watch, early-stage startups it regards as already adding value. Scythe, an adversary emulation platform. DeepFactor, which offers continuous AppSec observability. And Corsha, multifactor authentication for machine-to-machine communications. Congratulations to all of them, winners and honorable mentions alike. The SINET16 companies have over the years assembled an enviable record of success and a reputation for successful innovation. And the class of 2021 are likely to continue that tradition. 

Dave Bittner: And finally, tomorrow is the 20th anniversary of 9/11, al Qaeda's terror attacks against the World Trade Center and the Pentagon, attacks that took the lives of thousands in New York and Arlington, and hundreds aboard the four airliners the terrorists hijacked and drove into the ground. Our CSO and senior fellow Rick Howard was in the Pentagon that day. And he's posted an essay on what he saw and how he remembers it. All of us old enough to remember the attacks have our own recollections of that day. Tomorrow, we'll be sparing a thought for those who died both immediately and in the aftermath, and for the heroism of those who responded both immediately and during the global war on terror that followed. 

Dave Bittner: Jeff Williams is CTO and co-founder at application security platform provider Contrast Security. They recently released the latest version of their application security observability report. Jeff Williams joins me to share what they found. 

Jeff Williams: Observability essentially means, can we see what's going on inside an application? And we focus on security observability. So what we want to do is try to reveal what's going on inside applications from a security perspective. And, you know, it's kind of invisible to most people. You know, when you use your app on your phone or something to, like, you know, send a check or something or check your balance or something, there's a ton of software. It's not just what's on your phone, it's on the back end, APIs and web applications that are out, you know, running the cloud somewhere. They connect to back-end systems inside the bank. And that whole software ecosystem is really complicated. There's a ton of security defenses and, unfortunately, a lot of vulnerabilities in that whole environment. 

Dave Bittner: So take us through some of the key findings here. I mean, what are some of the things that you discovered here? 

Jeff Williams: Yeah. So we discovered 34% this year - last year, it was 26%. This year, 34% of applications have serious vulnerabilities. And that is just a jump-off-the-page, like, holy crap kind of statistic. 

Dave Bittner: (Laughter) Right. 

Jeff Williams: It's - I mean, it's shocking that, you know, almost - a little over a third of applications have serious vulnerabilities. And, you know, 30 - and the number is, you know, on average, like, you know, around 30 vulnerabilities. That's a terrifying number. I mean, if we were building airplanes and every time you did a safety check on the airplane, you discovered 30 vulnerabilities and, you know, 34% of airplanes had these problems, you wouldn't fly (laughter). 

Dave Bittner: And so what are your recommendations here? I mean, how do people come at this issue? 

Jeff Williams: Well, from the big picture, I think it's important to understand that there's a risk, you know? The first step to solving any problem is recognizing that there is one. So we need really good data, like the data in this report, that drills into exactly what the problems are and where they live and, you know, starts us on, you know, detailed metrics that we can understand. So I think the first step is, like, let's get a program in place that allows us to measure our code in our particular organization and understand what we got and then start improving that over time. 

Jeff Williams: And there's kind of three areas that I think are really important to focus on. The first is your custom code, making sure that the code you're writing doesn't introduce new vulnerabilities, like, you know, the traditional kinds of application vulnerabilities. SQL injection, cross-site scripting, XXE, SSRF - there's a whole, you know, litany of these things. You have to put a program in place to make sure you identify those things and prevent them. The second thing is manage your open source supply chain. You're bringing in all this code. And it's allowing you to very rapidly produce awesome applications. But along with that code comes a responsibility. You've got to make sure that you're keeping it up to date and understanding where those libraries might have known vulnerabilities in them and updating your applications so that they're using safe versions of those libraries. 

Jeff Williams: And then, the last piece is runtime protection. So, you know, what we talked about so far was kind of in the development process and getting applications into production. But in production, you have to be able to see who's attacking you, what kind of attacks they're sending and have some defense against those attacks in production. And, you know, the average application that we saw - and, you know, there's details on this in the study, of course. But the average application has, you know, over 13,000 attacks every single month. And, you know, while 99% of those are what we call probes - they don't really reach the vulnerability they were targeting - it's still a huge number. And you have to be aware of that. One percent is still a lot of attacks. 

Dave Bittner: That's Jeff Williams from Contrast Security. There's a lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews. 

Dave Bittner: And I'm pleased to be joined once again by David Dufour. He's the vice president of engineering and cybersecurity at Webroot. David, always great to welcome you back. You know, I think we go back and forth between the general advice that you should not pay the ransom, that paying the ransom is supporting a bad ecosystem, but then the flip side of that is that sometimes, you got to get business back in business. And paying the ransom could be the quickest pathway to that. What's your take on this? 

David Dufour: Well, hey, Dave. It's great to be back. And here's what I think. I think you shouldn't pay the ransom because you've done all of your homework upfront on how you're going to recover from a ransomware attack. So you're just going to execute that recovery plan - no need to pay the ransom. Problem solved, right? 

Dave Bittner: (Laughter) So - well, all right. Well, thanks for joining us, Dave. 

David Dufour: Exactly. 

Dave Bittner: Meanwhile, back in the real world... 

(LAUGHTER) 

Dave Bittner: ...Go on. 

David Dufour: Right? So honestly, I think you have to evaluate, can you recover or at least get back to an operational state that gets you to close to normal? Or do you need to pay a ransom? It is literally - that's why they call it a ransom. And you have to make that choice as the leadership of that organization. And I don't think anyone has a right to tell you one way or the other to not pay it. If you're - again, if your business is going to shut down, you've got to pay this ransom, right? 

Dave Bittner: Yeah, yeah. But are you coming at it from the point of view that you should do everything in your power planning wise, preparation wise so that paying the ransom is the last resort? 

David Dufour: I am absolutely advocating that. I mean, the most recent attack on the pipeline, they paid, you know, a considerable amount - and in the millions. And if they had just spent, you know, a tenth of that upfront annually, they would have protected themselves and their infrastructure, which was critical infrastructure to the U.S. So yeah, I think that we pay lip service to it, but we just don't spend the money to protect ourselves. 

Dave Bittner: But what are your recommendations there in terms of those preparations? What are some of the things that organizations should be doing so that they don't have to pay the ransom? 

David Dufour: You know, it's the same old back up and restore. Don't just back up your data and think it's good. You've got to have a recovery process. You also have to make sure you're patching your critical systems. You can't leave operational infrastructure that has Windows 95 computers that haven't been patched in the last 20 years sitting out there and not expect you're going to get hacked. You've got to be able to understand what you've got, what your exposure is, and back it up. And then also - you know, Dave, I'm going to go down a little bit of a tangent here - if you are attacked, do you have a team that can communicate with these people? Do you have a plan in place - not just, how would you recover, but how are you going to handle this? Are you just going to get your CISO on the phone - he's going to call up the people that have hacked you? But what's your plan there? There's a lot that needs to be taken into account outside of just your internal planning on how to address it. 

Dave Bittner: Well, and also, we've got the whole thing with data exfiltration. I mean, it's not just about the files being locked up. You have to establish, what exactly did they take? 

David Dufour: That's exactly right - and understanding that from a bigger picture. And that goes to, you know, understanding, you know, where they attack, how long the file lived there and that kind of thing. So, you know, we're seeing a lot more of this in our threat report. We saw a massive uptick in these types of attacks, which was good 'cause we saw a downtick in other types of attacks. But that means this is where the money is. But David, one thing - I'm really going to go off on a tangent here. I think people need to be careful when they're patting themselves on the back 'cause, you know, one of these attacks, the government got the money back, and, you know, the organization that attacked the pipeline, they all but apologized for doing that because they don't want you to know they're out there. They don't want to attack infrastructure. So I personally would not have shouted it from the mountaintops that we were able to get the - some of the ransom back. Because I promise you, these folks are one, annoyed, two, very capable and three, going to make sure that never happens again. 

Dave Bittner: (Laughter). 

David Dufour: So we need to be careful. And I'm not saying we shouldn't protect ourselves. I'm not saying we shouldn't get things back. But we need to take a very humble approach to this, make sure we're doing the work properly and try to protect ourselves 'cause you can't go after these people. They disappear like the wind. So I think people should calm down a little bit and not - if you're a government official, don't be all proud that you got some money back 'cause I'm afraid it's going to come back to bite us on the next one. 

Dave Bittner: Yeah. 

David Dufour: That's my opinion, by the way. 

Dave Bittner: (Laughter). 

David Dufour: No one said that. No one - I got to say that right now. I believe that. 

Dave Bittner: Yeah. No... 

David Dufour: So... 

Dave Bittner: ...Fair enough, fair enough. All right. Well, David Dufour, thanks for joining us. 

David Dufour: Great being here, David. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. 

Dave Bittner: Be sure to check out this weekend's "Research Saturday" and my conversation with Jon Hencinski from Expel. We're going to be discussing their research on stopping ransomware attacks aimed at WordPress CMS installations via drive-by downloads disguised as Google Chrome updates. That's "Research Saturday." Do check it out. 

Dave Bittner: Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.