Facebook’s back up, and the outage was due to an error, not an attack. A look at AvosLocker and Atom Silo ransomware. The case of the Kyiv ransomware gangsters. Thoughts on the Pandora Papers.
Dave Bittner: Facebook restores service after dealing with an accidental BGP configuration issue. There's now a data auction site for AvosLocker ransomware. Atom Silo ransomware is quiet, patient and stealthy. The state of investigation into those two guys collared in a ransomware beef in Kyiv last week. Ben Yelin is skeptical of data privacy poll results. Our guest is Microsoft's Ann Johnson, host of the newest show to join the CyberWire network, "Afternoon Cyber Tea." And what would they have thought of the Pandora Papers in Deadwood back in the day?
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, October 5, 2021.
Dave Bittner: We're able to update yesterday's story about widespread outages in Facebook, Instagram and WhatsApp. Facebook has restored services after yesterday's outages that also affected Instagram and WhatsApp, the Wall Street Journal reports.
Dave Bittner: So services have been restored, and any remaining minor issues are being cleaned up. The incident doesn't appear to have been the result of an attack, but rather, as initial speculation tended to regard it, as the consequence of an internal error. Facebook's engineering team explained the incident as follows. Quote, "our engineering teams have learned that configuration changes on the backbone routers that coordinate network traffic between our data centers caused issues that interrupted this communication. This disruption to network traffic had a cascading effect on the way our data centers communicate, bringing our services to a halt," end quote.
Dave Bittner: Facebook tweeted its apologies yesterday in the middle of the outage. Quote, "to the huge community of people and businesses around the world who depend on us, we're sorry. We've been working hard to restore access to our apps and services and are happy to report they are coming back online now. Thank you for bearing with us," end quote.
Dave Bittner: Observers at the DDoS-protection shop Cloudflare offered an account of the issues they saw in Facebook's BGP configuration that provide further explanation of the outage. BGP, by the way, stands for Border Gateway Protocol. KrebsOnSecurity notes that the facebook.com domain was yesterday briefly listed by several domain registries as being up for sale. That, of course, is wildly implausible, but it happens when automated searches find domains that appear vacated or abandoned, which was one of the effects of the BGP problems at Facebook. So if you are a potential buyer attracted by the prospect of owning Facebook's domain, sorry, Charlie (ph). The bots don't have a good ability sometimes to distinguish the real from the apparent.
Dave Bittner: MIT Technology Review explains the consequences of the outage for those portions of the world where Facebook is essentially the way people access the internet. In those regions, a Facebook outage is effectively an infrastructure crash and brings with it all the usual worries, concerns, and conspiratorial speculations such incidents bring in their train.
Dave Bittner: The criminal proprietors of AvosLocker ransomware are following the now-familiar path of the double-extortion gangs who threaten to auction the data of victims who refused to pay, the Record reports. AvosLocker's site, in addition to sporting a new dark look, has now set up a page where it can eventually offer stolen information for sale. All data is FOR SALE, says the page, with the words for and sale in the big capital letters of the act-now advertising screamer. Contact us with your offers, they go on to say, adding, we only sell data to third parties if the owner of said data refuses to pay.
Dave Bittner: Auctioning stolen information in a double-extortion move makes business sense in a criminal sort of way since the earlier widespread practice of vindictive doxing - just dumping information online without charging for it - simply gave other parasitic crooks an opportunity to scoop up the data and resell it, usually on Telegram. So why settle for a pure intimidation-and-revenge play when you can monetize the bycatch of your extortion? AvosLocker, The Record says, is a relatively young outfit, first coming to notice in July of this year. But they're, so far, a second-tier player. "The good news," The Record writes, "is that, despite the clever feature, the AvosLocker gang is not one of today's top or most active ransomware groups, with fewer than 10 attacks carried out per week, according to data provided by the ID Ransomware service," end quote.
Dave Bittner: Security firm Sophos describes Atom Silo, another recently discovered ransomware gang, and its use of DLL sideloading an exploitation of Confluence to accomplish relatively stealthy attacks. The vulnerability in Atlassian's Confluence Server and Data Center that Atom Silo is exploiting has been patched recently, but it's also been under active exploitation. Confluence is a widely used workspace that facilitates a team's collaboration on projects.
Dave Bittner: Atom Silo was both quiet and patient in obtaining access to vulnerable Confluence instances. The ransomware the gang uses is, according to Sophos researchers, "virtually identical to LockFile," and so the novelty and sophistication lie in the modes of intrusion. The first stage of the attack took place on September 13, which Sophos says was a full 11 days before the ransomware campaign proper was executed. Initial access was gained through an Object-Graph Navigation Language injection attack. And Sophos notes it's possible that this was done either by an Atom Silo affiliate or through the services of an initial access broker. Initial access brokers have become a familiar kind of player in the criminal-to-criminal market.
Dave Bittner: That access was followed by an unsigned DLL sideload attack, which in turn served as a backdoor that enabled the attackers to download malware that permitted remote execution of Windows shell commands through the Windows Management Interface. At this point, lateral movement began, and eventually, on September 24, they began file discovery and exfiltration. Once the data they wanted were stolen, they dropped their all-in-one attack executable, and that's all she wrote, as they say in the old movies.
Dave Bittner: Sophos discovered this complex activity when they were called in to provide incident response support to an unnamed organization. One recurrent lesson - once vulnerabilities are announced and patches are released, there's a criminal rush to exploit them before everyone gets around to patching. That seems to have been the case here. So if you're a Confluence user, do patch.
Dave Bittner: And finally, we'll pass over all the derriere-covering and under-the-rug sweeping and pious platudinizing about equity and transparency that the Pandora Papers have prompted among the rich and famous and also the good people of South Dakota. To read more about it, see the selected reading in our Daily News Briefing or the accounts in Pro Privacy and Pro Policy.
Dave Bittner: Instead, we return to the question of the criminal affiliation of the two gentlemen arrested in Ukraine on a ransomware beef last week. That affiliation remains unknown. They're said to be members of a Russian-speaking gang, but beyond that, authorities - including those whom The Register colorfully but indelicately refers to as Ukrainian fuzz - are keeping what they know or suspect to themselves.
Dave Bittner: But one lesson for criminals everywhere - if you're counting on your letter of marque from the FSB to keep you out of the clutches of the fuzz, work from Russia. We know, we know - Ukraine is tempting, and a lot of people in Kyiv speak Russian. But as Ukraine itself will remind you, Ukraine's not Russia, and a get-out-of-jail-free card from the FSB isn't likely to be honored by the Kharkiv fuzz.
Dave Bittner: There was a lot of online woofing and hallooing about the possibility that they were members of REvil, but this appears, in The Register's plausible explanation, to be based on a simple misunderstanding. Europol tut-tutted that the crooks had been responsible for extortionate demands as high as 70 million euros. The REvil connection is that the gang had been known to demand $70 million. But evidently, the Twitterverse (ph) has some difficulty distinguishing euros from dollars. They're not the same, and the current exchange rate is - let's see - $1.16 to the euro.
Dave Bittner: The investigation is proceeding, and, no doubt, we'll eventually find out who the two alleged gentlemen of crime were working with or for or under. In the meantime, the Ukrainian fuzz are on the case, with the assistance of French fuzz and American fuzz and general European fuzz, all of whom are serious about putting their resource euros and dollars where their enforcement mouths are. Good hunting to the fuzz in all civilized countries.
Dave Bittner: And to return to South Dakota for a minute - because we can't help ourselves - we'd like to ask everyone out there in the Mount Rushmore State if Wild Bill Hickok or Calamity Jane or Poker Alice or even Potato Creek Johnny would have spent their time setting up shell corporations back in the Deadwood of its outlaw heyday. We didn't think so, either. It's like finding Wild Bill holding an online MBA instead of eights and aces - sad.
Dave Bittner: Ann Johnson is corporate vice president of security, compliance and identity at Microsoft. She's also the host of the podcast "Afternoon Cyber Tea," which we are pleased to say is the newest addition to the CyberWire network.
Dave Bittner: Well, Ann Johnson, welcome to the CyberWire.
Ann Johnson: Thank you so much. It's great to join you today.
Dave Bittner: So today, we are talking about your podcast. This is ACT, the "Afternoon Cyber Tea," which is joining the CyberWire network here. And of course, excited to have you join us. Can you give us a little bit of the background here? What is the origin story of the "Afternoon Cyber Tea" podcast?
Ann Johnson: I love talking about "Afternoon Cyber Tea." So we are going into Season 5, and we really wanted to improve the distribution and the audience. And CyberWire was such a wonderful opportunity. But how we started is I wanted to do a podcast a couple of years ago to really bring industry thought leaders together and to have, you know, conversations that weren't necessarily product-specific or company-specific, but really talked about solving some of the hardest problems in the industry and thinking about, you know, how we can actually provide better solutions or better insight to other folks.
Ann Johnson: And so we've had a great run of bringing just people on that are really fascinating; topics like - you know, the Internet of Bodies was one of the episodes we did that was incredibly fascinating. We did an episode related to how, you know, cybersecurity is actually related to some ancient writings. We've had a lot of fun with it, and I hope it's been incredibly informational for the audience.
Dave Bittner: Yeah. It really is a broad spectrum of topics that you cover there. And I have to say, you know, one of the highlights of you being in the position that you are at Microsoft is that you get to attract some really top-tier guests.
Ann Johnson: We do, and this season is the same. You're going to be really, I think, impressed with some of the folks that we've been able to pull together onto the podcast for the season. As we're recording some of the episodes and some of the content, it's been just fascinating. I learn a lot doing it. You know, selfishly, I learn a lot doing it because I just get to cover this broad range of topics.
Dave Bittner: Yeah. I have to admit, that's my favorite part of this job as well is just it never gets old getting to chat with smart people about interesting things, right?
Ann Johnson: Exactly.
Dave Bittner: Can you give us a little preview, some of the things that we might expect to hear this season?
Ann Johnson: I can. I just wrapped up an episode with Dr. Fiona Hill to talk about the intersection of cybersecurity and disinformation. We've had episodes with Amy Hogan-Burney, who leads Microsoft Digital Crimes Unit, to talk about the fascinating work that they do with public and private sector partnerships, so I think that will be a great episode. Wendy Nather, who's very well known in the industry as a Cisco advisor, joined us to give some insights. So you're going to see a wide range, again, of conversation this season, but I'm just thrilled about our guests.
Dave Bittner: Who are you targeting here in terms of the audience? Who is the ideal listener for ACT?
Ann Johnson: I think it's any cybersecurity professional, right? We try to keep it at a - we do get some very technical conversations. I had Ian Coldwater on a couple seasons ago, where we were talking about Kubernetes security, as an example. So we do get some deeply technical contact, but it's probably more at the strategy executive level to really talk about the trends and things that are happening in the industry. Though, like I said, we've had some technical episodes. Even this season, Bryson Bort joined us and - talking about just some of the work he's been doing and things he's seeing in the industry. That lent itself to a little more technical of a conversation, which I love to have also.
Dave Bittner: What do you get out of this? I mean, what do you take away, some of the things that you learn yourself?
Ann Johnson: I think that some of the topics are things that I am not, you know, as deep on, so there's that, but just meeting exciting and interesting and fascinating people that I may have never had the opportunity to meet. We have academics that come on and just talk about the research and work that they're doing. And then finally, appealing to the audience. I get tremendous feedback on "Afternoon Cyber Tea" from the listeners, so appealing to a wide audience and letting them, you know, listen in on these just fascinating conversations. It's not a gotcha podcast. It's not a hard podcast. It's just two people talking and having a really good time. And most of the episodes are pretty fun, actually.
Dave Bittner: Well, I can certainly vouch for that. And as I said, we're happy to have you joining the CyberWire network here. Ann Johnson is corporate vice president of business development, security, compliance and identity at Microsoft, and the name of the show is ACT - "Afternoon Cyber Tea." Ann Johnson, thanks so much for joining us.
Ann Johnson: Thank you.
Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Hello, Ben.
Ben Yelin: Hi, Dave. How are you doing?
Dave Bittner: Pretty good. Pretty good. Interesting story from The Washington Post - this is written by Jay Greene and Drew Harwell. And it's titled "When The FBI Seizes Your Messages From Big Tech, You May Not Know It for Years." What's going on here, Ben?
Ben Yelin: So this concerns gag orders that come with government requests to obtain data from these third parties, these big tech companies like Microsoft, Google and Facebook.
Dave Bittner: Yeah.
Ben Yelin: So let's just start with Facebook as an example. In the last six months of 2020, Facebook received 61,000-plus requests for user data in the United States, and about 70% of those requests came with secrecy orders or gag orders. What those gag orders mean is that Facebook is legally barred from disclosing the fact that they received a request, not only to the public but to the individual whom has had their communications collected. Whether, you know, these are chats, text messages, social media posts, the person who actually made those posts isn't aware that their information has been collected as part of an ongoing federal investigation.
Ben Yelin: This has become a pattern, particularly over the past 20 years. So according to the 1986 Electronic Communications Privacy Act, federal prosecutors can't go directly - or, really, it wouldn't be useful for them to go directly to users to get digital information - so the content of anything that exists in the online world. So they go to these tech companies. But for a number of reasons, they are distrustful of these tech companies. For one, the tech companies hold a lot of information. Law enforcement is going to want to maintain good relationships with them, lest they release something that sheds the government in a negative light. Law enforcement is very wary of customers becoming aware of the fact that they're under investigation so that they would go out and destroy additional evidence.
Dave Bittner: OK.
Ben Yelin: So you see this proliferation of gag orders. This is particularly acute in the national security context with something called national security letters, where companies will get a subpoena saying, you need to hand over these records. You can't tell anybody about it. This is for national security purposes. We've seen an explosion of these types of cases.
Dave Bittner: Right.
Ben Yelin: Over the past 20 years, we've had a lot of litigation. Sometimes, there is a good justified reason to have these gag orders. It really could interrupt an investigation. There might be national security implications. You know, there might be implications in terms of bringing down, like, an organized crime ring. If one member of that ring is notified that their communications are under surveillance, then the Justice Department or any other federal agency might lose progress in their fight against one of those organized crime communities.
Ben Yelin: But there are lots of cases where that type of secrecy is not justified. And the fact that these gag orders came with 70% of these requests, I think it would be hard to say that everything contained in that 70% was necessary in terms of having a gag order.
Dave Bittner: Right.
Ben Yelin: The Justice Department and members of Congress are both looking into ways to try to ameliorate this problem, come up with some sort of standard where gag orders are only employed when absolutely necessary. Sometimes, that's going to require a layer of judicial review. So law enforcement might have to get a court order to make one of these requests with a gag order. And this contravenes what happens now, where generally, at least in the national security context, you receive the gag order, and then you can challenge it in court. But that's often a very cumbersome and costly process.
Dave Bittner: Right. Right. It seems like there's bipartisan support for reform here.
Ben Yelin: Absolutely. I mean, this is definitely not a partisan issue. Anytime we talk about, you know, the excesses of Big Tech and government surveillance, you're going to get critics from both the left and the right, and I think that's absolutely true in this context. There's been a long-running effort to do away with both national security letters generally and also gag orders and all different types of contacts from members of both parties. So I do think this is something where you'd have bipartisan space to make some type of policy decision, whether that's through Congress or through the executive branch. But the fact that the Justice Department for the first time really is actually reviewing the pattern and practice of issuing these gag orders I think is a positive sign that, you know, we might get some programmatic changes here.
Dave Bittner: Yeah, just a little interesting little side nugget in this article here that I hadn't really considered is they make the point that when it comes to, for example, physical evidence, you know, if law enforcement wanted a bunch of your papers, there's no gag order necessary. It wouldn't - it's nonsensical because they...
Ben Yelin: Yeah, you know if they come take your papers.
Dave Bittner: Right.
Ben Yelin: Yeah.
Dave Bittner: (Laughter) Exactly. When it's something physical, you know that they've come and taken it. But in the digital realm, they can take it, they can view it, they can analyze it without you knowing. And that's a big difference here. And that's, I think, where some of the - some folks are calling foul constitutionally.
Ben Yelin: Yeah, I mean, that is absolutely what's programmatic. I mean, the reason we have the Fourth Amendment is we don't want the government snooping through our stuff.
Dave Bittner: Right.
Ben Yelin: And if they are snooping through our stuff, they have to have a good reason and they have to go through our judicial system. And, you know, with physical searches, it's very obvious when we've been searched. We can use all of the constitutional tools at our disposal to challenge that search. They find evidence that we've committed a crime and we - and, you know, we go on trial. We can seek to suppress that evidence, saying, hey, you busted into my house at 3 in the morning for no reason.
Dave Bittner: Right.
Ben Yelin: That's a violation of the Fourth Amendment. In this area, we don't have that. Not only are the consumers not aware that tech companies are receiving these subpoenas, but the tech companies don't really know what to do when they receive one of these requests with a gag order. They know that some of them, the gag order probably has merit. Some of them, they're not sure. Often they were - these requests are extremely vague. And so they don't know - the tech companies don't know which ones are worth challenging. As a result, they only end up challenging a small fraction of them, and that ends up being a major detriment to the consumer because to make their lives a little bit easier, Microsoft and Google, in most circumstances, are just going to hand over the conversation and not make a big fuss about it.
Dave Bittner: Right. And why should the big tech companies have the burden of trying to make that decision?
Ben Yelin: Right. I mean, there's nothing inherently - there's nothing positive about the fact that we give this responsibility to the tech companies...
Dave Bittner: Right.
Ben Yelin: ...Especially when they - we know that they're receiving 60,000 requests in a six-month period. You can have a giant legal department. You're still going to have a resource problem where you're not going to be able to challenge every single one of these gag orders.
Dave Bittner: Yeah. All right. Well, interesting for sure. Again, that article is from The Washington Post. It's titled "When the FBI seizes your messages from Big Tech, you may not know it for years." Ben Yelin, thanks for joining us.
Ben Yelin: Thank you.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.