The CyberWire Daily Podcast 9.29.21
Ep 1428 | 9.29.21

DDoS is on an upward trend, and it’s being used for extortion. A payroll provider recovers from an unspecified cyberattack. Russia charges Group-IB CEO with treason. NSA, CISA, advise on using VPNs.


Dave Bittner: Distributed denial-of-service attacks have been making a comeback, and many of them represent criminal extortion attempts. A major British payroll provider is recovering from a cyberattack. Russian authorities arrest the founder of Group-IB on treason charges. Johannes Ullrich from the SANS Technology Institute on out-of-band phishing using SMS messages. Our U.K. correspondent, Carole Theriault, wonders how online trolling is still a thing. And NSA and CISA release guidelines on secure use of VPNs.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 29, 2021. 

Dave Bittner: Distributed denial-of-service attacks appear to be returning as a significant, if episodic, nuisance. Atlas VPN puts the number of DDoS attacks in the first half of 2021 at a record 4.5 million. The attacks were highest in January, tapering off a bit by June, but not by that much. The regions most affected are in Europe, the Middle East and Africa, but the increase has been observed in most parts of the world. 

Dave Bittner: Ars Technica last week summarized a denial-of-service attack against Canadian telecom provider, based in Quebec, that's interfered with the company's ability to provide voice service to its customers. The DDoS incident appears to be criminal in nature since the affected company has been approached by hoods demanding a ransom that's fluctuated between $42,000 and $4.2 million, which suggests a certain amateurism with respect to the criminals' placement of decimal points. 

Dave Bittner: The criminals say they're from REvil, the well-known privateering ransomware gang, but that seems unlikely - a little like the neighborhood goon trying to scare people by claiming he's a wiseguy from the Masucci family. 

Dave Bittner: Earlier this month, the British company Voip Unlimited sustained a similar attack. The crooks in that case also identified themselves, with equal implausibility, as REvil. 

Dave Bittner: Another denial-of-service attack has hit North Carolina-based voiceover IP provider Bandwidth, which BleepingComputer reports began experiencing outages on Saturday. Some reports have said the carrier, which provides telecom services to businesses, reports that service has returned more or less to normal. But Bandwidth's website as of late this morning was still reporting partial outages in its inbound calling services. A company notice says, quote, "Bandwidth is currently investigating an incident impacting inbound calls from Verizon Wireless to the Bandwidth network. Inbound calls may experience intermittent failures," end quote. 

Dave Bittner: Giant Group, a large British umbrella payroll company, has, according to The Register, sustained a significant cyberattack that's delayed payment to many of the workers whose checks are routed through the firm. The incident began a week ago on September 22, and Giant appears not yet to have fully recovered. 

Dave Bittner: A notice on the company's site today indicates that they're almost there, but some problems remain. Quote, "we would like to sincerely apologize for the inconvenience and frustration you have experienced as a result of the cyberattack to our network on the 22nd, September, 2021. With instances related to a cyberattack, there are certain protocols that must be followed to ensure that the integrity of the investigation is not compromised. And therefore, we, unfortunately, were unable to communicate with you as quickly and openly as we wanted to. We can confirm that our databases are encrypted," end quote. 

Dave Bittner: The company has been unusually tight-lipped concerning details of the incident and has implied that the nature of the attack required them to hold information closely. What that nature might be isn't clear. After all, the company hasn't released enough information for anyone to render an informed opinion. 

Dave Bittner: Giant is working with various third parties to remediate whatever issues are afflicting it. The company did issue interim payments, processed outside its normal channels, to some 8,000 workers on Friday, but there apparently remain some unsatisfied and unpaid contractors. 

Dave Bittner: Russian authorities have detained Ilya Sachkov, founder and chief executive of cybersecurity firm Group-IB, on suspicion of state treason, Reuters reports. Authorities searched Group-IB's Moscow offices yesterday. 

Dave Bittner: TASS was authorized to quote presidential spokesman Dmitry Peskov as saying the Kremlin was aware of the arrest from media reports but that he had no further information to offer. 

Dave Bittner: Reacting to the alarming development, Group-IB confirmed that authorities had been through their Moscow office this week. The company is confident that Sachkov will be vindicated and that Dmitry Volkov will run the company during Sachkov's detention. 

Dave Bittner: The company says it's continuing operations and that customers' data are safe in its decentralized infrastructure. Group-IB has international headquarters in London, Singapore, Dubai and New York. Founded in Russia, the company now regards Singapore as its primary headquarters. 

Dave Bittner: NSA and CISA late yesterday released guidance on how to configure and use virtual private networks safely and securely. VPNs provide access to protected networks and are therefore especially attractive targets for cyberattacks. 

Dave Bittner: Rob Joyce, director of cybersecurity at NSA, said, quote, "exploiting remote-access VPNs can become a gateway to large-scale compromise. We created guidance to help organizations understand what to look for when choosing VPNs and how to configure them to reduce the risk of being exploited. Use these recommendations to verify any VPNs are securely configured," end quote. 

Dave Bittner: The particular classes of threats to organizations using VPNs include, the fact sheet says, credential harvesting, remote code execution of arbitrary code on the VPN device, cryptographic weakening of encrypted traffic sessions, hijacking of encrypted traffic sessions and arbitrary reads of sensitive data, such as configurations, credentials or keys, from the device. 

Dave Bittner: And these threats are often the entering wedge for more extensive and persistent attacks against networks. NSA and CISA advise avoiding dodgy VPN providers - they primly describe them as nonstandard - and to look for standard protocols and strong encryption when selecting a service, and look for services that permit you to fully inspect them. 

Dave Bittner: Once a VPN is selected, the fact sheet recommends active hardening. Require only strong approved cryptographic protocols, algorithms and authentication credentials. Reduce the remote-access VPN attack surface. Protect and monitor access to and from the VPN. And finally, secure the network entrance. 

Dave Bittner: The document has detailed suggestions under each heading and is worth reading in full. The agency's nine-page fact sheet concludes, quote, "remote-access VPNs are entryways into corporate networks and all the sensitive data and services they have. This direct access makes them a prized target for malicious actors. Keep malicious actors out by selecting a secure, standards-based VPN and hardening its attack surface. This is essential for ensuring a network's cybersecurity," end quote. 

Dave Bittner: And who's the threat to VPNs? Nation-states, mostly, NSA and CISA says. And those two agencies would be in a position to know. 

Dave Bittner: Our U.K. correspondent, Carole Theriault, has been pondering online trolling. She joins us with this commentary. 

Carole Theriault: So today I want to talk about cyber trolling. Why is it still a scourge out there? 

Carole Theriault: An article on trolling and the conversation suggests that online behavior is often characterized by a tendency to act in a less inhibited way than one might act in person. So they would maybe post abuse that they would never share if the person were standing in front of them. Research suggests that this lack of inhibition stems from our feeling of anonymity and invisibility online and the absence of any perceived authority to prevent us from misbehaving. 

Carole Theriault: Thom Langford, a security consultant at SentinelOne, had this to say. 

Thom Langford: Trolling has been a problem for humankind ever since we were able to communicate with each other without having to be face to face. Even more recently, last century, for instance, you know, poisonous pen letters being sent through people's letterboxes in small villages, et cetera. It's a phenomenon that's been with us for a long time. 

Thom Langford: So it's not surprising, really, that it hasn't changed much. It's probably on the increase now, though, 'cause people are more isolated from each other. They grow, therefore, a lot more opinionated. And so therefore, the trolling increases as people become more angry and more upset with the world around them. 

Carole Theriault: In other words, we've all suffered during this global pandemic - some more than others. And if you're an unhappy camper, you may want to share your misery. 

Carole Theriault: OK, so how to avoid trolling? There are two things that I would suggest. One - stay calm. Even if you're reading something that is so inflammatory and it makes your blood boil, do not respond. Do not engage because the main rule is do not feed the trolls. Cyber trolls thrive on attention, and if you don't give them any, they may get bored and go bug someone else. 

Carole Theriault: And also, be careful about sharing inflammatory posts and messages and articles. A lot of these are designed to get you to share because it's so crazy or outrageous or makes your blood boil. But effectively, you're becoming a pawn in the game by sharing this information with others. 

Carole Theriault: Do your research before you share. That's why Twitter's recent stop-and-think algorithm is interesting. It's trying to stop people sharing things based on having been clickjacked by the title. 

Carole Theriault: And No. 2 - if you find yourself in the situation where you're a victim of cyber trolling, the two keywords are block and report. New tools to report abuse are improving all the time. Make sure you're familiar with them before you find yourself in this type of pickle. 

Carole Theriault: This was Carole Theriault for the CyberWire. 

Dave Bittner: And I'm pleased to be joined once again by Johannes Ullrich. He is the dean of research at the SANS Technology Institute and also the host of the ISC "StormCast" podcast. Johannes, it's always great to have you back. You know, over on the "Hacking Humans" podcast in particular, my co-host, Joe Carrigan, and I often talk about SMS messaging and the varying degrees of security that come with it, or perhaps do not, whether or not it's, you know, better than nothing. You wanted to talk to us today about some out-of-band phishing that you've been tracking using SMS messages. 

Johannes Ullrich: Yeah. So one thing that has been happening for a while is that you basically just got what amounts to a phishing message as an SMS message. The advantage for the phisher, of course, is that corporate mail filters and such usually can't look at SMS messages as they look at the email. 

Johannes Ullrich: An interesting sort of combination we have seen lately is the initial message arrives as an email, but then the message instructs you to send an SMS to a specific phone number, and then in return, you'll receive the actual phishing link that if you click on it on your phone will direct you to a fairly well-done website that then, of course, asks you in this case for your Outlook 365 credentials. 

Dave Bittner: I mean, that seems like a significant extra step here. What is the social engineering hook that they're using to convince you to do something like this? 

Johannes Ullrich: Well, there are a couple of ways how they sort of made it a little bit more enticing, I think, for people to follow it. First of all, the message that you're supposed to send to this phone number actually included the company name. So it's almost - you're almost feeling like you're authenticating to this phone number, hey, it's actually me; I work for this company. And I think it was about getting your email allowance increased or one of these messages. So that's part of it. 

Johannes Ullrich: I think the other part is that phone companies are getting a little bit better in filtering some of that spam. By not sending mass SMS messages to millions of users, but only sending them to people who actually responded to the initial email, they now have to send way less messages and may not trigger these filters. 

Johannes Ullrich: There is currently a big effort sort of among the phone companies to reduce some of the spam. Obviously, users complain about getting all these spam SMS messages, and they in general try to, more or less, eliminate any kind of automated messaging coming from a full 10-digit phone number without sort of paying extra for it. That's the other trick to this. 

Dave Bittner: Right, right. 

Johannes Ullrich: So probably, the spammers are trying to adapt to this a little bit by sending less messages using stolen credentials without sort of running up a bill that's large enough where they would actually get flagged as fraudulent. 

Dave Bittner: Yeah, it's fascinating, too, because if you are initiating the exchange, then when you get that message from the phishing folks, it's going to come back into one of your, you know, folders that it's from a known entity because you started it. You sent them the initial message. 

Johannes Ullrich: Correct. That's exactly what also some of these fraud algorithms are looking for. If you initiated the message, then the reply, of course, can't be spam because you asked for it. So... 

Dave Bittner: Right, right. 

Johannes Ullrich: ...That's, I think, how they bypass some of these algorithms. And by also splitting the entire process between email and SMS, it's very hard for any kind of corporate security tool or such to correlate everything that's happening here. 

Dave Bittner: So is the primary solution here - I mean, are we talking about, you know, security awareness training, or are there technical measures as well? 

Johannes Ullrich: Security awareness training is part of it. And then, of course, yes, your credentials will get phished eventually, so better do something like multifactor authentication. 

Johannes Ullrich: In recent months - and so I looked at a couple of phishing sort of back ends, where basically, attackers are collecting the passwords. And the good news here is I see very few people falling for it. So maybe the education is sort of paying off for it. But it usually only takes, like, a day or less for a phishing site to get blocked and, you know, get the red warning screen. And before that, it's often only, like, a dozen or so users that actually fall for your average, not-very-sophisticated phish. 

Dave Bittner: All right, well, still something to be aware of. Johannes Ullrich, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.