The CyberWire Daily Podcast 10.8.21
Ep 1435 | 10.8.21

Fancy Bear’s snuffling at Gmail credentials. FIN12’s threat to healthcare, and BlackMatter’s threat to agriculture. REvil tries to reestablish itself in the underworld. Twitch update. Sachkov is charged.


DAVE BITTNER: Google warns 14,000 Gmail users that Fancy Bear has probably been after their passwords. FIN12, a fast-running ransomware group, is after hospitals' and health care providers' money. BlackMatter remains active against the agriculture sector. REvil is back and talking on the RAMP forum, but so far, it's getting a chilly reception. Twitch traces its vulnerability to a server misconfiguration. David Dufour from Webroot wonders about cracking down on crypto. Our guest is Jeff Dileo from NCC on mastering container security. And Group-IB's CEO is charged with treason.

DAVE BITTNER: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, October 8, 2021. 

DAVE BITTNER: On Wednesday, Google's Threat Analysis Group distributed an unusually high number of warnings to about 14,000 Gmail users indicating that they may presently be targeted by a government cyber espionage organization. The attempts have been attributed, BleepingComputer and The Record report, to APT28 - that is, Fancy Bear, Russia's GRU. A TAG member, Shane Huntley, tweeted about the implications of such warnings. Google probably blocked the attempts, but you should take prudent steps to protect yourself now because you are a potential target for the next attack. 

DAVE BITTNER: The warning itself begins with the screamer headline, government-backed attackers may be trying to steal your password, and goes on to say, quote, "there's a chance this is a false alarm, but we believe we detected government-backed attackers trying to steal your password. This happens to less than 0.1% of all Gmail users. We can't reveal what tipped us off because the attackers will take note and change their tactics. But if they are successful at some point, they could access your data or take other actions using your account," end quote. 

DAVE BITTNER: The warning concludes with a few recommendations, like advising the recipients to keep their instance of Microsoft Word up to date or suggesting that they open Word documents with Google Docs. Google sends these warnings out in batches, and a warning indicates that Gmail blocked the attempt it detected. The reason for sending the warnings in batches, as opposed to in onesies and twosies (ph) as the malicious emails are detected, is to avoid giving the bad actors - in this case, Fancy Bear - unnecessarily granular and potentially useful insight into Mountain View's defensive tactics, techniques and procedures. 

DAVE BITTNER: Security firm Mandiant yesterday released a report on FIN12, an aggressively financially motivated ransomware gang noteworthy for its concentration on health care organizations. FIN12 concentrates on ransomware proper and hasn't followed the broader criminal trend toward double extortion. It's also a heavy user of initial access brokers hired in the criminal-to-criminal market. 

DAVE BITTNER: The group is also a user of the Ryuk strain of ransomware. It's quick in its operations - "rapid Ryuk," as Dark Reading called it - usually spending at most three days in its victims' networks before issuing its ransom demand. That speed, Mandiant thinks, distinguishes FIN12 from other Ryuk users. That speed is also conducive to volume. FIN12 is believed to have demanded between $1 million and $25 million apiece from its victims. And, again, it's shown no compunction whatsoever about damaging health care organizations. If even a small fraction of victims pay, FIN12 has done well, financially speaking. 

DAVE BITTNER: FIN12 appears to be a Russophone group and probably based in Russia. Its victims have been concentrated in North America, but there are recent signs that the gang is branching out to Europe and Asia. It doesn't hit Russia or, usually, the former Soviet republics in the near abroad, a group of countries sometimes known by the name of the moribund association that connected them, the Commonwealth of Independent States. 

DAVE BITTNER: Mandiant thinks FIN12's position in the ransomware underworld reflects a trend toward specialization in gangland. As they put it, quote, "this specialization reflects the current ransomware ecosystem, which is comprised of various loosely affiliated actors partnering together but not exclusively with one another," end quote. 

DAVE BITTNER: NBC News reviews the current series of BlackMatter ransomware attacks against the U.S. agricultural sector. Two Iowa-based grain cooperatives, Farmers Cooperative Company and the New Cooperative, and Minnesota-based co-op Crystal Valley are known to have been disrupted. The timing of the attacks is troubling, coming as they do around the time of the harvest. The affected organizations have been reticent about sharing information, in part due to concerns over potential litigation. And some speculate that there may be other publicly undisclosed farming-sector victims. 

DAVE BITTNER: Flashpoint researchers are tracking the resurgence of the well-known REvil ransomware gang in the Groove collective's criminal RAMP forum. Quote, "the REvil profile on RAMP was created on October 6. In a post underneath its profile, REvil advertised their affiliate program in detail and claimed that their practices are anonymous and secure. REvil followed up their post with a claim that it will wait until November to begin actively recruiting affiliates on RAMP. Cybersecurity analysts note that this post follows a report that REvil was scamming their affiliates through a backdoor in their ransomware code," end quote. 

DAVE BITTNER: Apparently, the other crooks and lowlifes who do sport themselves in RAMP aren't all ducky with REvil's apparent appearance there. They don't trust them because of the way REvil went into temporary occultation earlier this summer. These others expressed caution and contempt for REvil's reappearance. There are accusations circulating in RAMP that REvil bugged out because it suffered some major security problem, and some have gone even farther, speculating that REvil has been taken over and is now being run by some law enforcement organization using the gang's name and account as a provocation and an investigatory tool. REvil denies this, of course, and says it's totally official, in a criminal kind of way. 

DAVE BITTNER: Twitch blogs that its attacker gained access via an error in one of its server configuration changes. Yesterday, the streaming service advised users, quote, "out of an abundance of caution, we have reset all stream keys. Depending on which broadcast software you use, you may need to manually update your software with this new key to start your next stream," end quote. Twitch had earlier explained, quote, "we have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party. Our teams are working with urgency to investigate the incident. As the investigation is ongoing, we are still in the process of understanding the impact in detail. We understand that this situation raises concerns, and we want to address some of those here while our investigation continues," end quote. 

DAVE BITTNER: A Washington Post essay sees the attack on Twitch as part of a bigger trend - a resurgence of hacktivism, and the new hacktivists' interest in picking their targets from Big Tech. Twitch is an Amazon subsidiary. 

DAVE BITTNER: And finally, Russian authorities have now, according to Reuters, formally charged Group-IB founder and CEO Ilya Sachkov with treason. Meduza cites various official Russian media to the effect that Sachkov has specifically been charged with disclosure of information that contains state secrets. Further information won't be forthcoming, since the matter is regarded as classified. Treason charges come with a potential sentence of up to 20 years. 

DAVE BITTNER: Whether it's Docker, Linux or Kubernetes, containers continue their growth in popularity, but not without concerns about configuration and security. Jeff Dileo is a technical director at NCC Group. And I checked in with him for his take on container security. 

JEFF DILEO: I think that containers themselves are in a fairly good place at this point. There's always room for improvement. And things, I think, are getting better. I think where things are maybe falling short is in how people configure them or how people use them as part of larger systems that then configure them in ways that maybe aren't so great. 

DAVE BITTNER: Well, let's dig into those one at a time there. I mean, let's start with configuration. What are some of the pitfalls there? 

JEFF DILEO: Containers, assuming you're - we're referring to normal Linux containers, which are more of a concept, they are a construct of various Linux features around isolating programs. And not all of them are specifically designed around security specifically, and so you need to be careful when you combine them. Most of the container runtimes, as we call them, like Docker, have gotten this down pretty good by default. But you can still configure your containers to run with, like, full admin privileges on the host. You can configure them in ways that might be needed for enabling certain pieces of functionality but might themselves be essentially equivalent to admin on the host or could be used to break out and get admin on the host. So we kind of consider that equivalent. There are certain things. Like, if you were to, for example, mount your host file system as read-writable into the container, well, the container could probably mess with, like, all of your users' password hashes and then, you know, log into that system, possibly, or mess with service configurations to automatically run code as root outside of the container on the host - things like that. That's a bit of a stretch - like, someone doing that. But those kinds of things, even - there are smaller, innocuous things that can also be bad, but they get a bit technical. 

DAVE BITTNER: And to what degree are those kind of, you know, hidden traps? I mean, are we at the point where the systems people are using are pretty well-configured to kind of put proper guardrails on the users? 

JEFF DILEO: I'm not sure it's really something about the systems being configured. In some cases it is. But in general, something like Docker or containerd, which Docker uses under the hood, Kubernetes uses under the hood these days, basically it is just fully privileged to do what it wants most of the time. And it ends up being on how it's told to create containers. And so if your - whatever system you're using to give access to developers or ops people to create those containers allows them to configure kind of whatever access they want, that can be bad. There are various systems for access controls. But certain things are at lower levels, where just access to them in the first place means you can tell them to do anything. So a lot of the security in locking these things down is more in placing abstraction layers between the user and those things that kind of mediate what they're allowed to tell it to do. 

DAVE BITTNER: So what are your recommendations then? I mean, how do organizations go about configuring these from the outset? But then also, I suppose there's a certain amount of auditing that has to go on as you go. 

JEFF DILEO: So there are best practices. And there are auditing tools. And they often follow against best practices, like the CIS Benchmarks. And then there is kind of the nitty-gritty of access control review. There's kind of a whole series of things that can be looked at. I would kind of break it down into maybe two or three groups - maybe four, depending on how deep you want to go - where you have - there is the configuration and the access controls and who can do what and who can get in and what they're allowed to do, right? Then there are the actual things that are running and how they are - how privileged they are and what risk that poses if they were to get compromised. And then there is the code that actually gets run and how that's assembled and built and if you're handling your dependencies properly or running untrusted images or allowing untrusted images to be run potentially. And then there is the lower, lower level of configuration of all the components of the system and what's accessible and whatnot. And so some of those things are fairly reasonable for organizations to do themselves, and some of them not so much. 

DAVE BITTNER: That's Jeff Dileo from NCC Group. There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for Interviews Selects, where you get access to this and many more extended interviews. 

DAVE BITTNER: And I'm pleased to be joined once again by David Dufour. He's the vice president of engineering and cybersecurity at Webroot. David, always great to have you back. You know, we've seen some noises coming from inside the federal government that they might be doing some cracking down on how some of these cryptocurrency exchanges work, trying to go at things like money laundering and so forth. What is your take on the progress we're seeing here? 

DAVID DUFOUR: Well, I think it's interesting. I think you have to do something. You can't not do anything just because you don't know what to do. And I think it is a good first step. I think from a money laundering perspective, they definitely need to do something. Never mind should crypto be regulated or not. That's a whole SEC, you know, financial industry discussion. But from a purely cybersecurity perspective, you know, we've seen a huge shift away from a market for stolen credit cards. You know, back 10 years ago, David, when we were, you know, getting into this industry, stolen credit cards were a big deal. Stolen bank accounts were a big deal because that's the way cybercriminals got paid. They would pay to get credit cards or bank accounts. And then when they did some bad action, they would use that stolen credit card or stolen bank account to execute their transactions. And with the advent and just the sheer growth of crypto, we've seen, you know, the shift from that. So what's ironic is we've seen a shift away from people stealing accounts and credit cards to using crypto, which is good. But unfortunately, that empowered ransomware because nobody calls up and asks for a check for ransomware. They want bitcoin. 

DAVE BITTNER: Right. And I mean, I think it's fair to say that the cryptocurrencies are really major enablers when it comes to things like ransomware. So, you know, I can't help wondering, do we need some sort of increased oversight over this? I guess the devil's in the details, right? I mean, it's hard to imagine enabling something like that without hurting some of the things that make crypto crypto. 

DAVID DUFOUR: You're spot on. And this is where we need some really smart people to think about this so that we don't - and I'm not big anti-government or anything like that. You know, I'm all about things that make sense. And I do think there needs to be some understanding, some slight regulation on this. But how do you not go too far and, like you say, eliminate what the value of cryptocurrency is? And I know a lot of people in government would like to just shut all cryptocurrency down 'cause they can't control it. But there is a middle ground somewhere. It does help a lot of folks in, you know, Third World countries or countries where there is an instable or unstable currency. So there's a lot of good cryptocurrencies do. The trick will be, how do we find that balance? Because - and do we need to find a balance? - is a discussion we should have as well. Are we knee-jerk reacting to something where we should be fixing the ransomware problem, not fixing the problem of how people are paying the ransom? I mean, there's a discussion that should be had there because honestly - and Dave, just to add to that as I'm thinking through this - I promise you, if they stop the ability to use crypto to pay for ransomware attacks, we'll go right back to having bank accounts stolen and credit cards stolen, and they'll start using - there'll be an industry for that again. 

DAVE BITTNER: Yeah. Yeah - I guess, you know, looking to have it be more of a speed bump than anything. 

DAVID DUFOUR: Yeah. And, you know, there's a lot of, unfortunately, smart people on both sides of this. And I say unfortunately 'cause no matter what the smart people on the side trying to prevent this ransomware and crypto being used for nefarious reasons do, there are smart people on the other side who are going to figure out other ways to do it and find some other barter system or something of that nature to actually transact these things. It won't go away. But I guess, like we said at the beginning here, you've got to figure out - you've got to do something. You can't just let it keep happening. 

DAVE BITTNER: Yeah, absolutely. All right. Well, David Dufour, thanks for joining us. 

DAVID DUFOUR: Great being here, David. 

DAVE BITTNER: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at Be sure to check out this weekend's episode of Research Saturday and my conversation with Matt Stafford from Prevailion. We're going to be discussing his team's report, diving deep into UNC1151's infrastructure, Ghostwriter and beyond. That's Research Saturday. Check it out. 

DAVE BITTNER: The CyberWire podcast is proudly produced in Maryland, out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.