The CyberWire Daily Podcast 10.1.21
Ep 1430 | 10.1.21

Phishing for those who fear Pegasus. ChamelGang APT active against multiple countries. Problems with a ransomware decryptor. Controversial proofs-of-concept. And a death blamed on ransomware.


Dave Bittner: A malware campaign offers bogus protection against Pegasus surveillance. A new APT, ChamelGang, is found active against targets in at least 10 countries. A ransomware gang can't get its decryptor right. A proof of concept shows that charges can be made from a noncontact Visa card in an iPhone wallet. David Dufour from Webroot warns of potential perils in cyber insurance. Our guest is Shamla Naidoo from Netskope with advice for cyber innovators. And ransomware may be responsible for a child's death in an Alabama hospital.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, October 1, 2021. 

Dave Bittner: Concerns about NSO Group's Pegasus spyware intercept tool have prompted a foreseeable response by threat actors - pose as a Pegasus detection-and-removal tool. Cisco's Talos Group has found that the bad actors are posing as Amnesty International and phishing for concerned, well-informed but gullible users who are worried that they might be compromised with Pegasus. 

Dave Bittner: Downloading the proffered tool, however, actually installs Sarwent malware, which Talos describes as a little-known malicious kit that serves as a remote access tool. Unlike more commonplace information stealers, however, Sarwent doesn't simply grab and exfiltrate data but rather establishes persistence that enables it to upload other varieties of malware as well as pulling users' data at will. 

Dave Bittner: The campaigns observed are well executed. The bogus Amnesty sites and emails have a convincing look and amount to a persuasive imitation of the genuine article. And the Sarwent malware itself seems to have the general look and feel of an antivirus tool. Talos summarizes, quote, "the campaign targets people who might be concerned that they are targeted by the Pegasus spyware. This targeting raises issues of possible state involvement, but there is insufficient information available to Talos to make any determination on which state or nation. It is possible that this is simply a financially motivated actor looking to leverage headlines to gain new access," end quote. 

Dave Bittner: So for now, there's no clear attribution, but be wary of offers to immunize you against Pegasus. 

Dave Bittner: Positive Technologies has identified a new threat actor, ChamelGang, an APT targeting the fuel, energy and aviation sectors. Quote, "in addition to two organizations in Russia - fuel and energy and aviation production companies - during further threat intelligence of the group activity, we identified 13 more compromised organizations in 10 countries of the world - the United States, Japan, Turkey, Taiwan, Vietnam, India, Afghanistan, Lithuania and Nepal. In particular, compromised government sectors were found in the last four. Microsoft Exchange Server was located on almost all compromised nodes. In all likelihood, the nodes were compromised using vulnerabilities such as ProxyLogon and ProxyShell. All the victims were notified by the national CERTS," end quote. 

Dave Bittner: Comparable organizations in the U.K. are also believed to be vulnerable. The APT operates by exploiting ProxyShell vulnerabilities in attacks to affect Microsoft Exchange. The attack also exploited trusted relationships. Positive Technologies explains, quote, "a trusted relationship attack is an attack in which criminals hack the infrastructure of a third-party company whose employees have legitimate access to the victim's resources. For example, subsidiaries may become the first link in the chain of attacks on the parent organization. In other cases, the attack may begin with hacking the company providing technical support. Such attacks are associated with the compromise of trusted channels - VPN, for example. However, they are often confused with supply chain attacks, which are carried out using software and hardware means. An implant is embedded in the tool itself or in one part of the update to provide direct access to the server or establish a connection with the C2," end quote. 

Dave Bittner: The researchers have not yet attributed ChamelGang to any particular nation-state, but an APT it definitely seems to be. Presumably, the intelligence services of the victims can be ruled out. 

Dave Bittner: RansomEXX - and that's E-X-X - a relatively new entrant into the ransomware-as-a-service criminal-to-criminal market, apparently has some quality control issues. Their decryptor, Profero reports, doesn't work reliably. It leaves many encrypted files damaged beyond immediate recovery. Many such files can be recovered with additional work, but the criminals' decryptor won't help the victims. 

Dave Bittner: Secureworks has reported a brute-force vulnerability in Azure Active Directory. Microsoft, after some initial resistance to accepting that the researchers' findings and proof of concept represented an actual security flaw, now intends to issue a mitigation for the vulnerability, GovInfoSecurity writes. Ars Technica summarizes the issue between SecureWorks and Microsoft. And a routine disclosure, Microsoft is a CyberWire sponsor. Microsoft thinks there are already precautions in place to keep users from succumbing to the sort of brute forcing SecureWorks describes. But Redmond appears to be working on some changes nonetheless. 

Dave Bittner: Researchers from the Universities of Birmingham and Surrey have demonstrated, the BBC reports, a contactless hack of a locked iPhone that enabled them to extract a Visa payment of 1,000 pounds from Visa cards set up in the iPhone's wallet Express Transit mode. Apple sees it as a Visa issue, not an iPhone issue, so apparently, people disagree. Do remember that the hack, clever as it may have been, was a researcher's proof of concept and not an issue encountered in the wild. 

Dave Bittner: And finally, a lawsuit alleges that an Alabama hospital that delivered a baby while systems were degraded by a ransomware attack missed a condition that ultimately resulted in the baby's death, the Wall Street Journal reports. The Spring Hill Medical Center in the U.S. state of Alabama was the facility affected. The ransomware had rendered a number of the clinical information systems doctors and nurses normally relied upon unavailable. The hospital had reverted to backup systems, and the plaintiffs allege that the unavailability of the additional layers of scrutiny and clear presentation that would normally have been used amounted to an unacceptable risk. The medical center denies wrongdoing, and whoever was or wasn't at fault, the child's death was a tragedy. 

Dave Bittner: This is the second case in which ransomware has been directly implicated in a death. The first, as the Washington Post reminds us, was a case in Cologne, Germany, where a ransomware attack a year ago, in September of 2020, forced an ambulance to divert an emergency case to a more distant hospital. The patient died en route but might well have survived had the affected emergency room not been too disrupted by ransomware to handle cases. Both cases should be borne in mind when reading the tiresome claims of restraint and discriminating targeting that the ransomware gangs are wont to make. And of course, our condolences to the families of both victims. 

Dave Bittner: Shamla Naidoo is head of cloud strategy and innovation at Netskope and judge of the upcoming DataTribe challenge, which ends its submission phase tonight. A unique annual competition that brings together the best entrepreneurs in the world looking to disrupt cybersecurity and data science, DataTribe selects three finalists that split $20,000 in prize money and one winner that could receive up to $2 million in seed capital. Full disclosure, DataTribe is a CyberWire investor. I checked in with Shamla Naidoo for her advice to innovative startups looking to gather attention. 

Shamla Naidoo: I would say that, you know, there's a lot of innovation out there. We are not short on innovation. And the innovation is very readily available to all - sometimes free, sometimes low-cost, sometimes high-cost. But it is available. And what I would say is, you know, we have to look at how businesses are consuming the innovation that exists, and what are the risks that are being created in this new environment? Those are the problems we need to be solving. 

Shamla Naidoo: So you know, if I had to pick a couple, I would say the cloud is forming the backbone of our telecommunications and our communications environments. And not because the cloud is just an innovation that we should consume. What we really want is to speed up our businesses. We don't want to spend our precious resources and talent building out infrastructure and, you know, capability that we could commoditization and buy from someone else. So the idea is, we want to preserve our resources to do things that are special and unique to our business. Everything that's commoditized we can outsource, we can delegate, we can buy it, we can lease it, we can borrow it from others. And so I think the cloud forms that backbone, where others are writing applications. Others are creating all of the solutions. We just want to go consume those and add our unique perspective. 

Shamla Naidoo: So for me, I'd say to an entrepreneur is make sure that anything you create follows the cloud. Because almost every business is out there either already on a cloud journey, or they are on a cloud journey and they don't even know it. And so, you know, we have many, many organizations where cloud is being consumed - cloud services, cloud applications are being consumed. They may not even know it. So we need that visibility. 

Shamla Naidoo: So make sure that your solutions support businesses where they have cloud workloads. Make sure that the cloud workloads give the consumer visibility and gives you a place to control that may be outside of your immediate area of either ownership or control. And then, you know, remember that we live in a data world. 

Shamla Naidoo: So I would say looking at cloud as a backbone, look at data and data protection. Because almost every organization right now has become a data-driven decision-making organization. Everything we do generates data. Someone is collecting it. Someone is aggregating it, collating it and making decisions about what we should be doing and then looking to influence our behavior and influence our actions. So you know, we know that businesses are driven by data. 

Shamla Naidoo: So data protection is the other really big, key piece to remaining relevant to where businesses are going. And then on the other hand, you know, I'll think about things like artificial intelligence. We've got so much data that none of us can humanly consume. Artificial intelligence actually helps us to do that to, again, give us that benefit of speed and scale so we can use and consume large amounts of data. We can create conclusions and action lists very, very quickly from our analysis. 

Shamla Naidoo: And so those are two areas I would really focus on, is data protection and, you know, artificial intelligence. How do you actually consume that data? How do you extract business insights from the data that you have collected? But then, you know, on the security side is recognizing that we have to continue to secure and protect that cloud infrastructure that we don't own, that we don't control, so we're going to have to find unique and different ways to solve for that. So a (unintelligible) should help us to do that. 

Shamla Naidoo: And then, you know, lastly, I would say just recognizing that because speed is so important, removing the friction from how we work should be a key component in creating any solution. So making sure that - you know, that you're creating smooth workflows that are going to give you an outcome vs., you know, too many handoffs and too many steps and creating either inconvenience or creating obstacles for the end-user. 

Shamla Naidoo: So all of us want to create a very productive workforce. We're all looking to extract as much value as we can from the precious talent and resources that we have. Removing the friction helps us to make better business decisions and make better business outcomes. 

Dave Bittner: That's Shamla Naidoo. She's head of cloud strategy and innovation at Netskope and judge of the upcoming DataTribe challenge. 

Dave Bittner: Entrepreneurs and founders, it's not too late to get your application in. It's quick and easy. Go to 

Dave Bittner: There is a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects, where you get access to this and many more extended interviews. 

Dave Bittner: And joining me once again is David Dufour. He's the vice president of engineering and cybersecurity at Webroot. David, always great to have you back. I know that you have had your eye lately on cyber insurance and some of the good and bad that comes with that. What can you share with us today? 

David Dufour: Yes. Hey, David. Always good to be back. Love the show. Love being on it. You and I have been talking about cyber insurance off and on for a couple of years now - for probably more like five. 

Dave Bittner: Yeah. 

David Dufour: And it's really starting to become a well-defined product that insurance agencies are figuring out how to sell. Obviously, their goal is to make money while protecting you. So as we've seen the growth of cybersecurity as an industry, the insurance companies have done a pretty good job of figuring out how to offer the services to folks. 

Dave Bittner: You know, one of the things I've noticed is, obviously, the prices are heading up, as it seems - as more ransomware cases are coming up. So it seems like the cyber insurance companies are doing a better job of calibrating their own risk. 

David Dufour: Yeah. And that's the key thing to consider with any type of cyber insurance. You know, initially it was the Wild West. You would get a policy. The insurance underwriters wouldn't exactly know how much to charge or how much to insure for because originally a lot of the insurance covered things like brand protection or physical downtime because you couldn't sell because your website was down. 

David Dufour: But what's happening is, with the growth of ransomware and the ability of organizations to be attacked in that manner, they've really done a good job of applying, like, missed standards, making sure that you're following proper cyber hygiene and then offering insurance around that, the trick there being is if you're not following what you signed up for in the policy, they're not going to pay out. So, again, they've gotten really good at the underwriting and identifying what you need to do to stay compliant. 

Dave Bittner: What are you telling the folks that you're working with in terms of, you know, shopping around and finding the best fit for them? 

David Dufour: Yes. Well, so the good news - as it becomes more of a of a something that can be well-defined, we're seeing not-fringe insurance providers. So you're able to go to your really strong insurance companies and get coverage. But what you've got to do is decide what you're trying to insure against. You know, a lot of folks - there still is a brand awareness that's important, so you've got to be aware of that. And then, you know, are you trying to insure against ransomware? If you're hacked or attacked in some way that involves a ransom, do you want to make sure you have that coverage? 

David Dufour: And, you know, maybe that's more important to you because, you know, we always like to talk about the welder in Oklahoma who just wants to send out invoices. If you have cyber insurance, you're not really caring about paying for brand cleanup or brand protection. You're more concerned about having the coverage for ransomware to get you back on your feet. So basically, you need to know what you're getting. And then the bigger part is know what you're paying for but what you've got to do to stay compliant in terms of the policy itself. 

Dave Bittner: Yeah. I can't help wondering if, as things go forward and we see more and more payouts - if cyber insurance may go the way of flood insurance, where it's really hard for private companies to underwrite these sorts of things and we end up with some sort of government backstop. 

David Dufour: That and, you know, with the way crypto's going and the government involvement there - we may end up with some type of government backstop. And what's interesting, Dave - and there's news articles about this. We're seeing it, so I by no means am, you know - have the market cornered on this. But the industry is seeing where nefarious actors are going into an environment, into somebody's systems, looking for insurance coverage, figuring out what their policy is and then setting the ransom to what the policy is. So... 

Dave Bittner: Yeah. 

David Dufour: I mean, there's at some point going to be some rule in a policy that says you can't keep your policy on your network. But... 

Dave Bittner: Right. Right. 

David Dufour: We've seen that happen in many cases here recently. 

Dave Bittner: Yeah. I can imagine companies having - you know, placing decoy policies in their honey pots, right? 

David Dufour: Exactly - for low amounts. 

Dave Bittner: Right. 

David Dufour: That's exactly right. 

Dave Bittner: Right, right, exactly. All right - interesting stuff as always. David Dufour, thanks for joining us. 

David Dufour: Hey; great being here, David. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at Wondering what to do with all that free time this weekend? Well, check out "Research Saturday" and my conversation with Dan Petro and Allan Cecil from Bishop Fox on their research, "You're Doing IoT RNG." That's "Research Saturday." Do check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.