The CyberWire Daily Podcast 10.13.21
Ep 1437 | 10.13.21

Cyber Espionage, again. Patched SolarWinds yet? Patch Tuesday. The international conference on ransomware has begun. Booter customers get a warning. A disgruntled insider alters aircraft records.


Dave Bittner: A Chinese-speaking APT is distributing the MysterySnail RAT in what appears to be cyberespionage campaigns. Some users still haven't patched vulnerable SolarWinds instances - notes on yesterday's Patch Tuesday. The U.S.-convened international ransomware conference kicked off today, and Russia wasn't invited. Former users of a criminal booter service get a stern warning letter from the Dutch police. Caleb Barlow reacts to a recent ransomware tragedy. Our guest is Rob Gurzeev of CyCognito on the security issues with subsidiaries. And a Florida woman is charged with altering aircraft records.

Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Wednesday, October 13, 2021. 

Dave Bittner: Security firm Kaspersky discusses an activity cluster they're calling MysterySnail and which they connect to the Chinese-speaking APT IronHusky, a group that's been active since 2012. MysterySnail exploits a Windows zero-day to install a remote-access trojan. It's a cyberespionage campaign, the company's researchers say, quote, "besides finding the zero-day in the wild, we analyzed the malware payload used along with the zero-day exploit and found that variants of the malware were detected in widespread espionage campaigns against IT companies, military and defense contractors, and diplomatic entities," end quote. 

Dave Bittner: With all the attention last year's SolarWinds exploitation received, one would think that users would have applied the appropriate patches and mitigations. But Randori's 2021 Attack Surface Report finds that 1 in 15 organizational users are still running a version that's either undergoing active exploitation or is at least, in their words, highly tempting to attackers. Randori’s CTO David Wolpoff said in the release announcing the study, quote, "I'd wager the remaining vulnerable SolarWinds instances are there because of ignorance, not negligence," end quote. He thinks that the complexity of the current workplace, whether remote, in the traditional office or in some hybrid of both, have made it difficult for organizations to accurately assess their risk and, in particular, to prioritize their patching. Attackers can take advantage of relatively low-rated risks. And Wolpoff’s general advice is to get deeper into the attacker's mindset, apply attacker's logic to their security program and get one step ahead. 

Dave Bittner: Yesterday was October's Patch Tuesday, and the Zero Day initiative summarizes six Adobe and 71 Microsoft security updates. Three of the problems that Microsoft patched - and Microsoft is a CyberWire sponsor - are rated critical by Redmond. One of these involves Microsoft Word. The other two are remote code execution issues in Windows Hyper-V. 

Dave Bittner: Adobe patched Reader, Acrobat, Commerce and Connect. 

Dave Bittner: Apple has new versions of iOS - that's version 15.0.2 - and iPadOS - also 15.0.2. They address a vulnerability, CVE-2021-30883, currently being exploited in the wild. If unpatched, BleepingComputer writes, the vulnerability could be used for either staging malware or stealing information from affected devices. A proof-of-concept exploit has been published that was developed by reverse-engineering Apple's fix. 

Dave Bittner: As usual, KrebsOnSecurity has a good, useful summary of the month's patches. One of his observations is worth noting, especially given what Randori said about the importance of not overlooking the less highly rated vulnerabilities. KrebsOnSecurity thinks that the highly rated but still less than critical fixes are among the most interesting of the Microsoft patches. The ones that lend themselves to exploitation for privilege exploitation are, according to Krebs, particularly worth attention. 

Dave Bittner: The Biden administration's promised high-level conference on ransomware kicked off today. Special sessions, the Washington Post reports, will address resilience, virtual currencies, law enforcement disruptions and diplomacy. The U.S. engaged some 30 countries who'll be attending the two days of meetings. The Hill and others note that Russia wasn't invited because the current ransomware surge is generally regarded as driven by Russian-inspired or the very least Russian-tolerated gangs - "privateers," as Cisco's Talos Group aptly called them back in May. 

Dave Bittner: We observe that, while all Five of the Eyes, several NATO members and other close U.S. allies are taking part, it's not just Russia that hasn't been allowed through the velvet rope. China, North Korea and Iran aren't on the list, either. Maybe next time - or not. Frank discussions of malefactors and their ways proceed more easily when the alleged malefactors themselves aren't parties to the conversation. Those are often better handled one-on-one. 

Dave Bittner: As much of the coverage surrounding the international ransomware conference has tended to focus on the role state sponsors or enablers of cybercrime play, the degree of commodification and the extent of division of labor now observed in the criminal-to-criminal market remains striking. A note this morning from Atlas VPN expresses the current state of the C2C market in monetary terms. Some of the more damaging services go for between about $60 and $500. The return on investment can clearly be very high indeed. 

Dave Bittner: One criminal service that's attracted recent attention is the booter - a service used to conduct distributed denial-of-service attacks. One of those booter services was, which Dutch police took down back in July. Authorities in the Netherlands, of course, noted who was registered with MineSearch, and they've placed the customers on notice. The Record quotes that notice, recently received in the official, physical mail by 29 Dutch nationals, quote, "We have registered you in our system and you will now receive a final warning. If similar incidents occur in the future, we will prosecute. In that case, take into account a conviction, criminal record and the loss of your computer and/or laptop," end quote. Read and heed, former MineSearch customers. 

Dave Bittner: And finally, a chilling story emerged this week from the U.S. state of Florida. Police have taken a Brevard County woman into custody on charges of accessing a flight training school's system to alter information on 12 aircrafts, local broadcast news outlet WESH reports. The most disturbing change was to alter the status of some planes that required maintenance to airworthy. The flight school, Melbourne Flight Training - and remember, that's Melbourne, Fla., not Melbourne, Victoria. They say that's an obvious flight safety problem. They detected and corrected the corrupted records before anyone was injured. 

Dave Bittner: It's not only a flight safety story, but an insider threat and off-boarding story as well. The woman who's facing charges, Lauren Lide, age 26 - and we note, of course, those accused of crimes are entitled to the presumption of innocence - had been flight operations manager at MFT until she resigned in November 2019, on the same day her father was fired from his own job as director of maintenance at the company. The apparent motive was the classic motive of the disgruntled insider - revenge for perceived ill-treatment. Ms. Lide is said by her father to have been miserable at MFT and eager to leave. 

Dave Bittner: Third-party risk - you've got it. You know you've got it. And the challenge is calibrating your response and investment to mitigating that risk. Part of that is considering your subsidiaries - organizations connected to yours, but with a certain degree of autonomy for themselves. Rob Gurzeev is CEO and co-founder of CyCognito, a company focused on attack surface management and protection. 

Rob Gurzeev: Maybe let's spend 30 seconds on this piece of history. So... 

Dave Bittner: Yeah. 

Rob Gurzeev: ...Security testing today is really based, in general, on vulnerability scanners and penetration testing services. And these technologies and services were designed in the '90s, 20+ years ago, when companies had just two servers connected to the internet, and the rest of the IT assets were connected only to the intranet and were not exposed to the internet. So back then, life was relatively easy, and these vulnerability scanners and pen testing services were actually very efficient and very effective when you had to deal with just a few machines that you need to really test. Problem is that over the last 10 years, companies moved to the cloud. And in general, now companies have thousands of networks and, in some cases, millions of assets connected to the internet. And the other problem is all of these legacy scanners and pen testing services and anything that is related to them requires either deployment or at least knowledge and input on what's going to be tested. 

Rob Gurzeev: Now, say you are the global CISO of this Fortune 100 or 500 company. You may not even know about the 50 or 100 subsidiaries that you have in your company. And you definitely don't have direct access to their assets. So, one, they might be using a completely different security stack than you. And you don't have access to their security stack for various reasons. Two, your scanning and pen testing services are irrelevant or cannot be applied there. So you want to protect them. Your company and your CFO knows that the conglomerate will be affected by them getting breached. In many cases, they have assets that have access to your network, to the enterprise network and the enterprise data. But that's a huge gap in both technology and process that cannot be solved, simply put, with the legacy technologies. So again, we wanted to highlight that. And, of course, when we talk to customers, we recommend what's the better way to deal with that. 

Dave Bittner: So what are your recommendations, then? How can organizations do a better job of addressing this? 

Rob Gurzeev: Yeah. So in general, when it comes to attack surface protection, protecting your thousands or millions of assets that are exposed to the internet, our approach is actually very simple, very logical. And my co-founder Dima, who - when I told him the first time about what I want to do this company, he said, Rob, there's no way that it hasn't been done already because it's so basic and logical in a sense - very complex on the tech side, but so logical and simple. 

Rob Gurzeev: So we say, instead of running this vulnerability scanning internally that have to be based on known IP ranges and known domains - and so do pen testing services - we say, let's do what attackers do. Let's build a technology that doesn't require anything from the enterprise - not deployment, not input, not configuration and not even inclusion listing within some firewalls. And let's automate the reconnaissance process that we drove, by the way, in our previous lives, to map the whole organization with respect to the subsidiary risk topic. Map the hundreds of subsidiaries, departments and acquisitions of this company, then map the millions of assets they have exposed, and then run an automated risk assessment on all of those things to find what are the top 10 security gaps that are super-attractive and are related to important assets the way attackers can understand them, externally, that generate 90% of the risk. 

Rob Gurzeev: We believe that logically, that's the only way to solve this problem. The industry hasn't done it so far. And when you look at the data that these researchers gathered in research, it's clear that they're looking for such a solution. For example, they're saying that it can take weeks and months to remediate something and that what's missing for them is actionable data with low false positives. And the reason they're saying this is because the only current solution for the subsidiary - or third-party risk, by the way - is based on super-basic analysis of IP ranges registered on this other company's name and de facto basic port scanning. So the current offerings meets 50 or 70% of the actual risk and then, based on what we hear from customers, have 70% of false positives, meaning they are wrong most of the time. And if you're familiar with the domain and why port scanning cannot forecast what's vulnerable, then that's very clear. And yeah - and that's why we thought it's worthwhile to portray this and help CISOs and CIOs and today, by the way, even CFOs and some board members think about the problem of subsidiary risk in more specific terms. And I think that the data tells a very clear story about it. 

Dave Bittner: That's Rob Gurzeev from CyCognito. 

Dave Bittner: And I'm pleased to welcome back to the show, our CyberWire contributor, Caleb Barlow. Caleb, it's always great to have you back. You know, we had this recent tragic story about a ransomware incident affecting a health care organization and a loss of life - a youngster, a child, who did not get treatment they needed and died as a result of that. I know, you know, health care is an area you have a lot of experience in, and I wanted to check in with you to get your insights on this incident. 

Caleb Barlow: Well, Dave, let me first say how my heart goes out to the families involved in this horrible incident. And to quickly summarize what happened - an expectant mother heads to the hospital as it's time to deliver her baby. She is unaware at the time that the hospital has been impacted by a ransomware incident and, for the last eight days, may have been unable to access most hospital systems, including medical records and many of the systems that monitor patient status. Now, for anyone out there listening that may be unfamiliar with labor and delivery department, expectant mothers - well, they naturally arrive any time, day or night. And after an initial assessment, they're moved into a delivery room, where you may wait for a few minutes or hours for the baby to come. And these rooms are comfortable, but they're also really sophisticated, with equipment at the ready, state-of-the-art monitoring systems not only for the vital signs of, let's say, Mom but also for the unborn baby and, in this case, particularly a fetal heartbeat. 

Caleb Barlow: So at the nurse's station - you know, you always see the nurse's station in a hospital. The nurses can kind of quickly glance up, look at a monitor, see all the patients, all the fetal heartbeats, and one of the things they're looking for is - any degradation in the fetal heartbeat could be a rapid indicator of a fetus in distress due to any number of potential problems during delivery. So this system wasn't working, Dave. And in this alleged incident, the umbilical cord became wrapped around the baby's neck. The fetal heartbeat clearly indicated in advance that the baby was in distress. And the doctors were even texting each other that had they realized this, they would have immediately moved the mother into a C-section and, you know, potentially saved the child. 

Dave Bittner: Right. 

Caleb Barlow: So, you know - so what we have here is a ransomware incident that is allegedly causal. And I think there's a lot of things we can learn from this, Dave. 

Dave Bittner: Well, I mean, let's dig into it. What could have been done in this situation? 

Caleb Barlow: So, you know, nurses, physicians, pilots, ship captains - they're all trained to work in less-than-ideal conditions. Like, you know, a pilot knows their job is to get the plane on the ground, no matter what. In a similar way, a doctor knows how to treat a patient the best they can. When resources are not always available, you know, if the power goes out, they're going to still keep treating patients. But the difference here is the hospital allegedly knew that they had a ransomware incident. So they knew they were in a degraded state of care. What that means is maybe Mom had a choice on which hospital she went to if she knew. 

Caleb Barlow: So there's a - you know, and I'm not a lawyer. We're not providing legal advice here. But there is an elevated level of potential caution of - should you still be delivering services if you're in a degraded state? Or should you at least be communicating that? And I think that plays not only to health care but anybody that's got a life safety system that may be involved. This might have been a manufacturing environment where, when that manufacturing environment, you know, is hit with a ransomware incident, maybe they can keep making parts, but maybe not all the safety systems work in the same way, right? So, you know - or a building is impacted. You know, do the fire alarms potentially work in all the same way? We've got to think as security professionals now about with - based on what's happened, has a life safety system potentially been degraded? And that's not something that's in most runbooks today. 

Dave Bittner: Yeah. I mean, it strikes me that if, you know, my wife and I were headed to labor and delivery and we got notice that the hospital had no electricity, chances are we would reroute somewhere else. And now you got me thinking, is ransomware similar to having no power? 

Caleb Barlow: I think it is when we have expectations of what the standard of care is going to be when we go to the hospital. And the reality here is, allegedly, that standard of care was degraded because the monitoring systems weren't working. Now, think of this from a security professional perspective. Do you even have an inventory of what you need to worry about? Now, let me throw one other thing out there of - you know, kind of pivot this upside down and backwards. I ran a immersive exercise with a hospital fairly recently. And, you know, I presented with them with a ransomware incident, but with a twist. What I did in the ransomware incident was that rather than locking up the systems, the adversary had changed five medical records. And I demonstrated - you know, the adversary demonstrated the hospital two of the records that had changed, and there were things like allergies and, you know, medications, critical things that would have affected patient care. And basically, the ransom was, hey, pay me a million dollars if you want to know what the other three records are that I've changed. 

Caleb Barlow: This caused an amazing set of dialogues to occur in this exercise. And, you know, I just dove in. I had no idea how they were going to deal with this. They got into a debate of, hey, on one hand, we can't trust our electronic health care records, so do we shut down? Because the last thing we want to do is treat somebody improperly. But that was weighed with the same issue. If we shut the hospital down, then we know we're delaying care for patients that rely on us in the area we live in, and therefore we may hurt people there as well because we're no longer available. And it created quite the discussion of what are we going to do? These types of decisions, these types of discussions, these types of trade-offs - they've got to happen in advance before the incident occurs. 

Dave Bittner: Yeah, and I think back to the mother in labor and delivery, and I can imagine a hospital knowing it's in a degraded state and perhaps bringing in more nurses so that they're in the room with a - instead of relying on the nurses' station, that you have folks in each labor and delivery room, right? So a possible mitigation there. 

Caleb Barlow: But also communicate, communicate, communicate, right? Today, people are hit with ransomware incidents. Of course, bad guys don't wait to communicate often because they don't want law enforcement involved. It's embarrassing, but it's also a life safety issue. And I would argue it's a life safety issue in this case not only for who you're treating, but also your employees. If they don't understand the breadth of what's going on. They can't make those trade-off decisions to say, hey, because this monitor's not working, I'm going to change nurses' rounds and they're going to come around every five minutes and check the fetal heartbeat. Like, there were probably ways to mitigate this, which of course, would have required more staff, or maybe you take on less patients. But again, that kind of failure mode effect analysis - that's got to be done ahead of time. You're not going to figure that out when you're in the middle of an incident. 

Dave Bittner: Yeah. All right. Well, Caleb Barlow, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.