The CyberWire Daily Podcast 10.18.21
Ep 1440 | 10.18.21

A US broadcaster sustains a ransomware attack. North Korean catphish expelled from Twitter. REvil’s Tor sites are hijacked. Hacking back. Prosecution and responsible disclosure?


Dave Bittner: The Sinclair Broadcast Group discloses that it sustained a ransomware attack over the weekend. Twitter kicks out two North Korean catphish deployed in a cyber-espionage campaign. REvil goes offline again, perhaps this time for good. Hacking back, at least insofar as you let the hoods know you can see them. Rick Howard previews the newest season of "CSO Perspectives." Johannes Ullrich from SANS on expired domain dumpster diving. And an update on the Missouri disclosure and proposed hacking prosecution.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, October 18, 2021. 

Dave Bittner: The Sinclair Broadcast Group, which operates 185 television stations with 620 channels in 86 U.S. media markets, has disclosed that it determined yesterday that it had been subjected to a ransomware attack. The media company detected what it regarded as a potential security incident on Saturday and is now in the process of recovery. 

Dave Bittner: An announcement issued publicly this morning and filed with the U.S. Securities and Exchange Commission read in part, quote, "as the company is in the early stages of its investigation and assessment of the security event, the company cannot determine at this time whether or not such event will have a material impact on its business operations or financial results," end quote. 

Dave Bittner: Much of Sinclair's network shares the same Active Directory, and The Record suggests that this may have been the route through which local stations were affected. Some viewers appear to have noticed that the NFL football games they were expecting to watch yesterday weren't available where or when they expected as Sinclair worked to resolve the ransomware-induced service issues. 

Dave Bittner: There's no word yet, CNN reported late this morning, which gang or strain of ransomware was implicated in the incident. The Hollywood Reporter says that some service disruptions have continued into today. NY1 reports that the attack involved, as is now routine in such criminal operations, a data breach of thus far unknown scope. That, too, remains under investigation. Sinclair is working with law enforcement and has brought in an outside cybersecurity firm to assist with recovery. 

Dave Bittner: Twitter has suspended two accounts established by North Korean operators with the apparent purpose of catphishing security researchers. The Record reports that the two accounts are part of an espionage campaign that began last year. A member of Google's Threat Analysis Group says the two accounts are part of a cluster, some of whose members were taken down in August. 

Dave Bittner: The REvil ransomware gang appears to have again withdrawn from active operations, this time, BleepingComputer reports, because unknown parties hijacked the Tor sites the gang used for receiving payments and leaking stolen data. The data dump site had been known as the Happy Blog. REvil appears to have detected the hijacking yesterday. 

Dave Bittner: Security firm Flashpoint posted a description of this latest occultation to its blog this morning. They note that the gang's former spokesman, a known unknown who went by the predictable hacker name Unknown, had private keys for access to the sites and that the unknown hijackers had used Unknown's private keys to take control of them. 

Dave Bittner: A different REvil representative - hacker name 0_neday, with a coy zero at the beginning of the word one - announced the hijacking on the Russophone forum XSS, made an ineffectual gesture in the direction of conciliating REvil's criminal affiliates, wished everyone good luck and signed off. 

Dave Bittner: Flashpoint sees the incident as an unexpected turn in REvil's attempt to reconstitute their operations, as the group had just begun recruiting new affiliates on the RAMP forum and offering unusually high commissions of 90% to attract affiliates. 

Dave Bittner: XSS moderators reacted to the incident this morning by closing the thread in which REvil announced their troubles. The moderators also advised XSS users to block REvil accounts. 

Dave Bittner: There's some speculation - and we repeat this with caution because it may represent wishful thinking - that law enforcement authorities may, in fact, be the hijackers. And observers think that this time the gang may be down for the count, although, of course, it's possible members will resurface in other criminal or privateering organizations. 

Dave Bittner: It's interesting that some of the speculation about law enforcement involvement comes from REvil's criminal competitors. Users on XSS were generally incredulous at this new announcement, Flashpoint said, adding, quote, "the spokesperson of the LockBit ransomware gang claimed this new disappearance is proof that the REvil reemergence in September was part of an elaborate FBI plot to catch REvil affiliates. Several threat actors agreed with the LockBit representative and added that they believe that REvil will reemerge again under a totally new name, leaving behind recent scandals without having to pay out old affiliates. Another threat actor added, paraphrasing Shakespeare, something is rotten in the state of ransomware." Well, we hope so. 

Dave Bittner: According to The Wall Street Journal, some security firms see a middle ground in incident response between supine victimhood and aggressive hacking back. Hacking back is also probably illegal, at least under the U.S. Computer Fraud and Abuse Act of 1986. 

Dave Bittner: The alternative approach involves both information gathering and direct, legal menacing confrontation. The Journal writes, quote, "that often means persuading a hacker to give consent to access the computer or database being used in the suspected cyberattack, for instance, by posing as a customer for stolen data," end quote. 

Dave Bittner: The CEO of security firm Redacted, Max Kelly, told the reporters that cybercriminals often operate with an unreflective and unwarranted sense of immunity, the belief that they can't be identified or tracked. Confronting them with knowledge of the tools and infrastructure they used can sometimes be useful in spooking the criminals and scaring them off. Redacted's Kelly explained, quote, "as soon as you come and poke at them and they're able to connect that to the activity they're involved with, they disappear," end quote. 

Dave Bittner: Missouri Governor Parson still apparently wishes to hold the St. Louis Post-Dispatch and its reporter criminally or at least civilly liable for their discovery of teachers' Social Security numbers in the HTML of the state's Department of Elementary and Secondary Education teacher credential website. We haven't heard back from either the governor's office or the office of the Cole County prosecutor, but it seems that the governor's position is attracting few adherents. 

Dave Bittner: KWOS News Radio interviewed a representative of the conservative and libertarian think tank Americans for Progress, who points out that anyone could have looked up the site and that the information the state posted was publicly available. So again, a state agency published the private information, albeit in all probability, unwittingly. And the legal theory under which the journalist might be prosecuted or sued remains unclear. If a government organization wants to encourage responsible disclosure, threatening those who quietly tell you you've got a problem is probably not the way to do it. 

Dave Bittner: And joining me once again is Rick Howard. He is the CyberWire's chief analyst, also our chief security officer. Rick, welcome back. 

Rick Howard: Thank you, sir. 

Dave Bittner: So your podcast "CSO Perspectives," which is available on the Pro side of the CyberWire, has been on hiatus for a few weeks now. But today, our national nightmare is over. 

Rick Howard: (Laughter). 

Dave Bittner: And Season 7. Season 7. You start Season 7 of "CSO Perspectives." So first of all, congratulations on six complete seasons. Hard to believe you've - that that has happened, right? Six seasons? 

Rick Howard: It's amazing. It's amazing. 

Dave Bittner: Who would've thought? Yeah. 

Rick Howard: (Laughter). 

Dave Bittner: So bring us up to date here. What do you have in store for us this week as you launch this next season? 

Rick Howard: Well, that's right, Dave, and thanks for that. And it's amazing that we've done over 60 episodes so far, you know, just incredible. And for your daily listeners who still haven't ponied up for the subscription side - this is a subtle reminder, right? - they can get a taste of what the show is about by listening to "CSO Perspectives" Public. We've released the first two seasons over there. And you can find links to the shows on the CyberWire website and in whatever podcast app you like to use. The downside of that is that it has commercials. And if you're anything like me, I hate commercials. 

Dave Bittner: (Laughter). 

Rick Howard: So the subscription gets you not only my podcast commercial-free, but all of the great CyberWire content commercial-free. So that's a great deal. 

Dave Bittner: Yeah, kind of ironic that you just did a commercial for CyberWire Pro complaining about commercials. 

Rick Howard: (Laughter) I'd never thought - that's really meta, man. That's totally meta. 

Dave Bittner: Anyway. 

Rick Howard: All right. So back to the purpose of this, right? For this episode... 

Dave Bittner: Yeah. 

Rick Howard: ...OK? - the first one of Season 7, we're doing a deep dive on cybersecurity compliance. 

Dave Bittner: OK. So, you know, there's been a long-lasting debate about compliance in the cybersecurity community about whether or not compliance actually improves your cybersecurity posture. 

Rick Howard: Well, you're right about that. That debate's been going on for well over two decades, and most security people don't think that compliance laws improve their individual situations that much. They might concede that at least they prove a minimal baseline for the community. But that's not what we're going to talk about in this episode. 

Rick Howard: Instead, we're trying to understand if your organization's compliance strategy is a first-principle strategy, you know, on the same level of importance as the other key pillars we've been talking about in this podcast - zero trust, intrusion kill chain prevention, resilience and risk forecasting. In other words, what's the probability of material impact to your organization for failure to comply with one of the 50-plus international, U.S. federal and individual U.S. state laws on the books right now? 

Dave Bittner: Yeah, that's interesting. I mean, I remember just this past summer, Amazon got hit by a huge fine for failure to comply with GDPR. 

Rick Howard: Yeah, that's right. The European Parliament fined Amazon in July $877 million. And that's the largest GDPR fine to date. The interesting question is whether or not that fine is material to the Amazon business, whose annual revenue is somewhere north of $113 billion. That's billion with a big capital B. 

Dave Bittner: (Laughter). 

Rick Howard: Or, you know, is the fine just the cost of doing business? But more importantly, what are the chances that small-, medium- and large-sized businesses that are not the size of Amazon will be hit with a compliance fine that will be material? 

Dave Bittner: Yeah, yeah. Well, it's interesting stuff for sure, and you can check that out over on CyberWire Pro. It is "CSO Perspectives." Rick Howard, thanks for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: And I'm pleased to be joined once again by Johannes Ullrich. He is the dean of research at the SANS Technology Institute and also the host of the "ISC StormCast" podcast. Johannes, it's always great to have you back. We want to touch today on a research paper that one of your SANS students had put out recently. And they were talking about expired domain dumpster diving. You've piqued my interest here. What's going on? 

Johannes Ullrich: Yeah, this was a pretty interesting paper. And the problem here is really that companies and entities are just registering domains and then sort of forgetting about. Not sure, Dave, how it's with you, but I know for myself, you have this great idea and say, hey, it's only $10. Let's register a domain (laughter). 

Dave Bittner: Yeah, sure. Yeah, yeah, a million-dollar idea, right (laughter)? 

Johannes Ullrich: Yeah, million-dollar idea. Register a $10 domain. And then, you know, every year, you sort of get the renewal. Kind of eventually, you start to say, it wasn't that great of an idea. Let's stop it. 

Johannes Ullrich: So one of the students of our graduate school - Christopher DeWeese - he took a closer look at, what are the security implications of this? And what he did is he looked at expired domains. And you can get sort of a daily feed of that. It's about 200,000 great ideas that expire every day. 

Dave Bittner: Wow. 

Johannes Ullrich: And there are really sort of two risks here or two kinds of risk. First of all, the entity releasing the domain. And we have seen this in the past. For example, there - big brand names just outright forgot to renew their domain and then someone else picks it up. That's probably the most obvious part of it. 

Johannes Ullrich: But what's actually a little bit more dangerous and more subtle is quite often, organizations end up with, like, these large numbers of domains as part of a merger, for example, and they never really figure out what these domains are really used for. And one way how a domain may be used is just as a nameserver for another domain. So as soon as you're releasing that domain and then someone else picks it up, they not only now own the domain that you released. They also own the nameserver record that may still be used by some of your other domains. So now they basically are able to advertise false information for some of the other domains. And this has been an ongoing issue. I believe even one African country-level domain essentially lost access to their country-level domain because someone forgot to renew a domain name that was used as a name server for that country-level domain. 

Dave Bittner: Wow. 

Johannes Ullrich: So that's the first part of our really, you - by not tracking what you're using domains for, you may release the wrong domain. And then, of course, you know, things like, hey, someone may have still an email address that they were using. Now you can do password reset if you owned the domain name, and they used an email address with that domain on some random website. So that's another risk of this. 

Dave Bittner: So what's the solution here? I mean, is it - I suppose some of the registrars have things in place to keep these domains from just falling into other folks' hands. 

Johannes Ullrich: Well, registrars just want you to renew your domains indefinitely. And... 

Dave Bittner: Yeah. 

Johannes Ullrich: ...That's definitely one solution. Of course, that can be a little bit costly. What you really need to know is you need to figure out what of your domains are really used, what they're used for. Don't accumulate domains that you really are never going to use. That's certainly one way of doing that. But, like you all know, that's a little bit hard sometimes. 

Johannes Ullrich: The other side to this is, if you're now registering a domain that used to be owned by someone else, then you're also exposing yourself to risk because, well, now you are actually receiving traffic that you never really asked for. And actually, I believe we talked about this last year in a paper from one of our graduate students about the CyberBunker incident, where we actually got hold of some IP address and domains and such that were associated with a criminal organization. Of course, now we basically got a lot of their email and web traffic and such. You may now end up with someone else's traffic. 

Johannes Ullrich: And actually, just today I had someone send me an email that they're essentially under a denial-of-service attack because a domain that's no longer being used still resolves to one of their IP addresses, and they can't get rid of the traffic. So it happened to be a popular BitTorrent tracker. And so everybody who wants to download that video is now going to this particular university's IP address and - which amounted to pretty much a denial-of-service to them. 

Johannes Ullrich: So if you are registering a new domain, double check - and there are various tools, like and such - was this domain used in the past? What was it used for? Anything malicious here? Anything overly popular that you don't really want to be exposed to? 

Dave Bittner: Yeah, yeah. All right. Well, good advice as always. Johannes Ullrich, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.