The CyberWire Daily Podcast 9.23.21
Ep 1424 | 9.23.21

Ransomware hits another US farm co-op, as Russian gangs seem to continue attacks without interference from Moscow. A new APT is described. REvil was cheating? CISA warns about Conti.
Dave Bittner: Ransomware hits a second U.S. Midwestern farm co-op. The U.S. House hears from the FBI that Russia seems not to have modified its toleration of privateering gangs - at least yet. A new APT, FamousSparrow, is described. REvil seems to have been - surprise - cheating its criminal affiliates. Josh Ray from Accenture with an update on the Hades threat group. Our guest is Tim Eades of vArmour on the urgent need to update cyber strategies in health care. CISA issues a new warning, this one on the Conti ransomware operation.

Dave Bittner: From the CyberWire studios at Data Tribe, I'm Dave Bittner with your CyberWire summary for Thursday, September 23, 2021. 

Dave Bittner: Ransomware has hit a second U.S. Midwestern farm cooperative. The Crystal Valley cooperative disclosed the September 19 attack Tuesday. Since then, its website went offline. The company's Facebook page remains available. The incident has disrupted business operations, notably the co-op's ability to process credit card payments. Early reports don't indicate which strain of ransomware was involved. Iowa's NEW Cooperative was hit by BlackMatter last week. It's unknown, BleepingComputer says, which strain of ransomware hit Mankato-based Crystal Valley. 

Dave Bittner: Late this morning, Crystal Lake's site came back up with an update on the ransomware incident. Their brief statement read in part, quote, "this attack has infected the computer systems at Crystal Valley and severely interrupted the daily operations of the company. Crystal Valley and cybersecurity experts are working diligently to reestablish safe and secure operating systems, which will be back online when we are confident the issue has been resolved," end quote. It remains unable to process credit cards with the exception of local cards. 

Dave Bittner: The incident is being taken - by much of the early comment in the media - to be another instance of a trend. Ransomware gangs, particularly the Russian privateers in the criminal subsector, are determined to either impose their own definitions of critical infrastructure on policymakers and law enforcement or, more probably, simply to push the U.S. in particular to draw some bright lines. 

Dave Bittner: Considering the drawing of lines, U.S. officials this week testified before the House Homeland Security Committee on global threats to the United States. Among the topics under discussion was the extent to which U.S. objections and representations have succeeded in getting Russia to modify its support for the privateering gangs that have been so active in pushing ransomware against U.S. targets. C-SPAN recorded this exchange between Representative Andrew Garbarino, a Republican in New York's 2nd District, and FBI Director Christopher Wray.

Christopher Wray: ...The subject of quite a bit of discussion and planning and operational activity these days. There may be more that we could share in a more classified setting. But what I would tell you in this setting is that Russia - the reality is that Russia has a long history of being a safe haven for cybercriminals, where the implicit understanding has been that if they avoid going after Russian targets or victims, they can operate with near impunity. And the Russian government has long refused to extradite Russians for cybercrimes against American victims. And worse, their Ministry of Foreign Affairs has long been warning its citizens - publicly been warning its citizens which other countries - which third party countries to avoid because those countries, they say, will arrest or extradite those Russians back to the United States to face justice for cybercrimes. So it's too soon to tell whether any of the things that are underway are having an impact. But in my experience, there is a lot of room - a lot of room - for them to show some meaningful progress if they want to on this topic. 

Dave Bittner: So Moscow seems not to have been deflected from its longstanding co-optation and use of criminal organizations against its adversaries. That, at any rate, seems to be the received wisdom in Washington. You can listen to the entire hearing on C-SPAN. 

Dave Bittner: ESET this morning published its study of a hitherto unremarked cyber-espionage Advanced Persistent Threat probably working on behalf of a nation-state. Which nation-state is unknown, but ESET calls the group FamousSparrow and says it's been active since 2019. It's recently exploited the ProxyLogon vulnerability to collect data from hotels. FamousSparrow used some tools associated with the Chinese APT SparklingGoblin, but ESET considers them to be distinct groups. 

Dave Bittner: Why would spies - actual professional intelligence services - be interested in hotel records? No secrets there, right? Well, there are a few reasons. The first reason, and the less serious but still pervasive one, is that intelligence services are gluttons for information of all kinds. And their appetite grows with the eating. Why would they collect this data? Well, because they can. The more serious reason lies in the quality of the hotel information itself. It's valuable. It can tell the service quite a bit about the individuals who are, for whatever reason, persons of interest. It can be useful in building up what the services call a target dossier. FamousSparrow will bear watching. REvil, whose alumni may be operating the BlackMatter ransomware, if indeed BlackMatter doesn't simply represent a rebranding of the older gang, appears, Threatpost reports, to have been cheating its own criminal affiliates. A back door and double chat functionality enabled REvil to communicate directly with victims, bypassing its affiliates. They could, in effect, cut out the middlemen lower in their multilevel marketing scheme, dealing directly with the victims when it seemed to their advantage to do so.

Dave Bittner: The back door and chats have been cleaned out, perhaps as part of a rebranded REvil's attempt to restore its reputation in the criminal-to-criminal marketplace. No one wants to deal with an untrustworthy service provider. Unfortunately, criminals tend to be trustworthy only on shaky, self-interested and instrumental grounds. But we all knew that. Still, it's worth bearing this in mind when deciding how to credit such criminal claims as we won't act against the common good or we won't harm individuals, or even we won't damage critical infrastructure. With respect to the last example, we've seen at least three times this year that gangland doesn't consider food supply and distribution to be critical infrastructure. Maybe they all grow their own food on a private plot of land, but we doubt it. If REvil was indeed stealing its affiliates blind, that would suggest an additional possible explanation for the gang's decision this summer to go into occultation and rebrand itself. Sure, the Americans are sore at them. But there may be outraged affiliates a lot closer to home who are also pretty angry and possibly less inhibited than the FBI. 

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency - that's CISA - has issued a new warning with the FBI and NSA against Conti ransomware. Conti will exploit common vulnerabilities to gain access to its targets. But most of its infestations can be traced to some variety of social engineering. CISA and its partners in the FBI and NSA recommend certain mitigations. They are familiar best practices but worth a quick review in any case. Use multifactor authentication. Implement network segmentation and filter traffic. Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses. Scan for vulnerabilities and keep software updated. Upgrade software and operating systems, applications and firmware on network assets in a timely manner. Consider using a centralized patch management system. Remove unnecessary applications and apply controls. Investigate any unauthorized software, particularly remote desktop or remote monitoring and management software. Implement application allowlisting. Implement endpoint and detection response tools. Limit access to resources over the network, especially by restricting RDP. Secure user accounts. Regularly audit administrative user accounts. And configure access controls under the principles of least privilege and separation of duties. Regularly audit logs to ensure new accounts are legitimate users. And use the ransomware response checklist in case of infection. This advice is given with reference to Conti. But it's equally applicable to other threats as well.

Dave Bittner: Health care systems around the world continue to be strained by the burden of COVID-19, making their resources all the more precious for protection against cyberattacks. Tim Eades is CEO of enterprise security firm vArmour. And I spoke with him on the security challenges facing the health care community. 

Tim Eades: So health care systems today have been underinvested, I think, from a security perspective over the last decade or so. The level of security investment, if you compare it to a bank, for example, the spending differential is quite large. And so they just didn't have the funds. I mean, the banks have been a target for money for decades. And health care now with ransomware, the guns over the last two or three years have been pointed really hard at health care. I mean, they're still pointed at banks, obviously. But my, oh, my, the vulnerability of the health care systems, because of the lack of investment and a lack of funding, has really left them exposed, I think. 

Dave Bittner: And so does that leave them in a situation of really having to play catch-up here? 

Tim Eades: Yes. They are having to play catch-up. For sure, they're having to play catch-up, for sure. They know how to do it. There's enough expertise out there that can help them. And now it's a prioritization of funding for them to do that. But obviously, you're struck here, right? You've got the health care systems are incredibly spread very thin from a resources perspective. We're in the middle of a pandemic. They're trying to look after patient care first. And then at the same time, they're being attacked from ransomware. So they are between a rock and a hard place. And it's a difficult position for them to be in. And I think it's something that I think security companies need to really do a better job of stepping up and helping out and getting flexible, whether it's on payment terms or capabilities or services or whatever it is to - you know, as they're dealing with, you know, this pandemic on one side and the ransomware attacks on the other hand. 

Dave Bittner: You know, I think it's fair to think of health care systems, you know, hospitals and so forth, as critical infrastructure. I mean, should there be a federal response here? Should funding be coming from those folks? 

Tim Eades: That's a very good question. Should they be doing more? Should there be a fundamental, federal response to helping out the hospitals on this side? Yeah. I think that would be a very interesting topic. I mean, you've heard Biden talk about zero trust and everything else. And, you know, with the Colonial Pipeline ransomware attack, which is, I thought, made everybody more aware, particularly on the East Coast - like, oh, my God. Ransomware is real? And it's really affecting me as the taxi driver or as a person that works in the supermarket, whatever else? As that turns, you know, go towards health care systems, yeah, I think it would be appropriate that the current administration looks at this as a - as critical infrastructure and does more. 

Dave Bittner: Is there a difference between the haves and the have-nots here? Are there health care systems who are on top of this and are doing a good job, you know, contrasted to other systems that may be in more financial dire straits? 

Tim Eades: Yeah. There's certainly the have and the have-nots, like all the things, you know? There's a spectrum here where, you know, the top hospitals and the top clinics have exceptional security programs. But there's a very long tail - arguably, a longer and longer tail than there is in banking. So I just feel very sorry for them. Where they - you know, some of these hospitals that get hit, as I said, they're spread extremely thin on the pandemic. Their budgets have to be poured towards patient care. And at the same time, they've been underinvested in from a security perspective for the last decade or so, maybe more than that. 

Dave Bittner: For that person out there who is in charge of security for a health care organization, do you have any advice, any words of wisdom? I mean, how do they come at this problem? 

Tim Eades: You know, I think the wisdom of the crowd is the most important thing. You know, the national Health-ISAC organization is a fantastic organization. Errol Weiss runs that. And so, you know, I would lean into the ISAC organization and information sharing organizations, work with their colleagues in other industries - in other - you know, other hospitals, other health care providers and start to look at best practices across it. Start to see whether the H-ISAC can actually help. And then I think, from there, you will start to steer to the better wisdom. And then, I think they need to negotiate really well and say, look; we need this help. We need the services to help us get this up and running. We need to make sure that we get creative on terms. What's the wisdom would be? I would - No. 1, I would go work with the wisdom of the crowd. Go to the national Health-ISAC. Go talk to Errol Weiss, who runs that. It'll be a great source of income - of knowledge. And then from there, you can turn around and say, what are the right things to do? How is Mayo - how is the top of the spear organized to secure their assets and their information? And then get the best practices from them. Negotiate with the security providers. And demand a better approach to solving the problem? 

Dave Bittner: That's Tim Eades from vArmour. 

Dave Bittner: And I'm pleased to be joined once again by Josh Ray. He is managing director and global cyber defense lead at Accenture Security. Josh, it is always great to have you back. I wanted to check in with you on the Hades threat group. I know it's something you and your colleagues have had some focus on here. You got some new findings to share. What can you share with us today? 

Josh Ray: Yeah. Thanks, Dave. I just want to provide a quick update to the community on that research that you mentioned from our CTI and IR teams. The profiles of the known victims continue to be consistent of this big-game hunting. And the target selection and deployment methods is really aimed towards high-value payouts. So that's important to remember. Our team has seen firsthand since the discovery of Hades at least seven new victims across consumer goods and services, insurance and your manufacturing industries. And this is likely, you know, directly a result of their unique approach to kind of victim communication. And they've taken this notion of lone wolf approach. And for those that aren't familiar with that, this lone wolf approach is consistent with - what we would normally look at as these ransomware-as-a-service, Hades has taken the exact opposite approach, right? They don't appear to be participating in these RaaS operations. And our - actually, our CTI team was able to really confirm this because we haven't found any forums or marketplaces that is supporting that Hades is operating outside of this affiliate-based model. Now, this does not mean that they are not well-resourced and a very credible threat. 

Dave Bittner: What are your recommendations for folks to best protect themselves against this group? 

Josh Ray: Yeah. I mean, so there's a few things that have kind of changed. And then I'll kind of provide some recommendations here. So you know, one of the things that we've seen is that, you know, there is some consistency as far as overlap in intrusion sets across the known victims. However, you know, there are some unique, destructive actions that we've observed, right? So we've seen that targeted - an organizations have been targeted in their cloud environments and the destruction of that cloud-based, native backups and snapshots. So that's kind of troubling. 

Josh Ray: And we also see that there's been a new variant that the Hades group is using. So where before, you know, they were pretty consistent with the malware variants that they were using, they've now introduced into their arsenal this notion of Phoenix CryptoLocker. And we think this is, you know, possibly to deter attribution claims or even some additional campaign links when you talk about mitigations. Obviously, there's the hygiene pieces that, you know, you need to kind of keep in mind.

Josh Ray: But I think, more so than ever, organizations absolutely need to have this robust crisis management and incident response plan. They need to make sure they have continuity of operations planned to account for wiper attacks that can spread across the business. Obviously, you know, best practices around patching and updating antivirus and things like that. But, you know, we really stress to make sure that our clients have, you know, EDR deployed at least across 90% of their workforce, and ensuring things like securing RDP connections, you know, with VPNs and NLA if you absolutely have to use RDP. And then, you know, finally - you know, while this is not an exhaustive list - again, moving past that notion of just doing the baseline and moving towards a more proactive security approach. Actually start to hunt for attacker TTPs really to detect and respond more effectively to these types of ransomware attacks before they can impact the business.

Dave Bittner: All right. Well, Josh Ray, thanks for joining us. 

Josh Ray: Thank you, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. See you back here tomorrow.