The CyberWire Daily Podcast 10.19.21
Ep 1441 | 10.19.21

TA505’s recent activity. Advice on defending organizations from BlackMatter. CISA RFI seeks EDR information. REvil’s halting attempts to return. Sinclair’s incident response.


Dave Bittner: A look at TA505, familiar yet adaptable. A U.S. joint cybersecurity advisory outlines the BlackMatter threat to critical infrastructure. CISA asks industry for technical information on endpoint detection and response capabilities. Is REvil trying to run on reputation? The Sinclair Broadcasting ransomware incident seems to provide a case study in rapid disclosure. Carole Theriault considers the fight for online anonymity. Joe Carrigan shares steps to protect the C-Suite. And there's a decryptor out for BlackByte.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, October 19th, 2021. 

Dave Bittner: TA505 has since last month been showing signs of renewed activity, and this morning security firm Proofpoint released an assessment of the financially motivated group's operations and prospects. 

Dave Bittner: The more recent waves of attacks have selected German-speaking targets disproportionately, with, obviously, German and Austrian organizations receiving considerable attention. But that shouldn't lead others to assume that they're likely to enjoy immunity from attack. The researchers say, quote, "This threat actor does not limit its target set and is, in fact, an equal opportunist with the geographies and verticals it chooses to attack," end quote. 

Dave Bittner: There's been some continuity with TA505's activity since 2020, notably the deployment of the FlawedGrace remote access Trojan and its reliance on phishing to obtain a foothold in its victims' environments, but Proofpoint notes that the gang has also shown considerable adaptability, avoiding readily stereotyped tactics. As the researchers note, quote, "The group regularly changes their TTPs and are considered trendsetters in the world of cybercrime. This combined with TA505's ability to be flexible, focused on what is the most lucrative and shifting its TTPs as necessary, make the actor a continued threat," end quote. 

Dave Bittner: With its partners in the FBI and NSA, the U.S. Cybersecurity and Infrastructure Security Agency yesterday released a joint Cybersecurity Advisory that outlined the threat posed by BlackMatter, a criminal ransomware-as-a-service operation that may represent a rebranding of DarkSide. BlackMatter emerged in July of this year. DarkSide appeared in Russophone criminal circles in August or September of last year and was active through May of 2021. It's best known for the attack on Colonial Pipeline which disrupted fuel deliveries in much of the Eastern U.S. this past May. Like DarkSide, BlackMatter has hit critical infrastructure, notably at least two targets in the Food and Agriculture Sector. CISA and its partners recommend a series of protective measures against attack and advise organizations to prepare for response and recovery. They strongly discourage victims from paying ransom. 

Dave Bittner: CISA's caution against paying ransom may be familiar, but it isn't idle. A survey released this morning by CISOs Connect, Aimpoint Group, and W2 Research suggests 80% of CISOs would at least consider paying ransom should they be attacked. 

Dave Bittner: CISA itself is looking for some assistance from industry with respect to endpoint detection and response. The agency has published a request for information in which it solicits technical feedback from industry on tools and services that would provide sophisticated endpoint detection and response capabilities for U.S.-based government organizations. It's part of a general effort on CISA's part to get improved EDR capabilities into Federal civilian agencies generally. 

Dave Bittner: The outreach to industry complements a memo the Office of Management and Budget issued last week, in which it directed agencies to cooperate by providing CISA with information on their current EDR status. 

Dave Bittner: While CISA is clear that the RFI is neither a solicitation nor the promise of a solicitation - the information is being sought for, as the RFI puts it, market research purposes - nonetheless, industry might find it worthwhile to engage the agency as it works toward greater clarity with respect to endpoint detection and response capabilities. Replies are due by 2 p.m. Eastern time on November 8. 

Dave Bittner: Digital Shadows joins other security firms in commenting on the reappearance and subsequent disappearance, again, of REvil. They note that the gang's successive versions appear to have grown less profitable. Why, then, the reboots? Apparently, REvil thinks it retains some brand equity in the criminal-to-criminal markets. That's open to debate, especially given the stick the gang has received from its underworld colleagues during its recent attempts to reestablish itself, but it can be fatally easy to fall in love with your own brand. 

Dave Bittner: As far as the individual hoods are concerned, whatever the ultimate fate of the gang, they're all too likely to find further criminal employment. 

Dave Bittner: As the proverb has it, bad news doesn't improve with age, and the Sinclair Broadcast Group's response to a ransomware attack seems to have been organized with that in mind. The media company discovered a possible incident Saturday, identified it as a cyberattack Sunday and issued a public statement Monday, which the Wall Street Journal calls relatively quick disclosure. Sinclair says it worked to contain the attack as soon as it was detected. 

Dave Bittner: Sinclair continues to respond to and remediate the incident. There's no word yet on which gang or which strain of ransomware may be involved. 

Dave Bittner: And, finally, bravo, Trustwave. The security firm's SpiderLabs has released a free decryptor for BlackByte ransomware. They also note that while BlackByte is a dangerous and damaging strain of ransomware, at least one of the threats its operators make - that of having stolen victims' data in a double-extortion move - may be largely empty. Trustwave hasn't found exfiltration capability in the BlackByte code it's analyzed. 

Dave Bittner: As long as there have been online message boards, there have been anonymous users, people using handles or other ways to hide their real identity. There have been movements over the years to do away with online anonymity, but it's an idea with loads of potential unintended consequences, as our U.K. correspondent Carole Theriault considers in this report. 

Carole Theriault: Some people say to me, why would you want to be anonymous online? Unless you want to go and troll someone or stalk someone or do something vaguely or completely illegal, why would you need to hide your identity? 

Carole Theriault: Well, let me give you a few reasons why. Maybe, perhaps, you find yourself newly single and you want to vet a new dating service. You may not want to put in all your details. Or say you're looking for a new insurance provider for a car or a home, whatever. Many of these sites aggregate all the information you put in. You may not want to put in all your actual information and provide it to a third party without knowing what they're going to do with it. You should be able to do research online privately. 

Carole Theriault: Here's another example. Say it is your anniversary and you want to buy your better half something fantastic. You don't necessarily want them to see all the sites you visited as you troll around looking for the perfect thing. 

Carole Theriault: Basically, I see a lot of online activities almost as diary entries, and you want to vet who you give access to what information. I think that gives you agency over your privacy or your anonymity, which is a good thing. The more we use an anonymous cloak to do not-so-good things, like troll someone, bully someone, make someone feel bad publicly and effectively shame them, we chip away at our right for anonymity. 

Carole Theriault: In Deloitte's Attitudes to Data Privacy, a digital consumer trends report from 2020, they said of the U.K. consumer that they appear relaxed, in general, about data privacy and seem content to share online data with a growing range of companies. And one of the reasons they cite is that perhaps this declining concern about data privacy comes from a lack of understanding of the mechanisms via which the data is uploaded, processed and shared online. The whole thing may be unfathomable to most users. I mean, gosh, I've been studying this industry for 20 years, and I don't get how it all works. How does someone who specializes in a completely different industry get their head around it? It's impossible. I don't know. Maybe I am a complete dinosaur for caring about online privacy and anonymity, and I wish there were better regulations to protect it for those that don't contravene the rules of engagement. But hey, I am open to arguments pro or against, so let us know. This is Carole Theriault for the CyberWire. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Joe, great to have you back. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: You know, over on "Hacking Humans," a topic that comes up pretty regularly is BEC - business email compromise. 

Joe Carrigan: It is, indeed. 

Dave Bittner: And this article over from CSO caught my eye. This is written by Rosalyn Page. And it's titled "4 Steps To Protect the C-suite From Business Email Compromise Attacks." I think those of us who have an interest in cybersecurity would say that certainly the C-suite have some priority here. Right, Joe? 

Joe Carrigan: Right, absolutely 'cause they're usually the targets for business email compromise attacks. 

Dave Bittner: Yeah. So what does this article outline here? 

Joe Carrigan: So it's talking about some of the things you can do to protect the C-suite from business email compromise attacks. So the first thing is training them to recognize what a business email compromise attack looks like. The very first step in business email compromise is to compromise someone's email address, right? And that usually starts with a phishing or spear phishing email to try to get the person's credentials because if I can get access to the CEO's email account, his actual account, there's all kinds of havoc I can cause. So the first step is training them to recognize what a business email compromise looks like - what the email looks like, the idea that you're going to have to log in again through a credential-harvesting page. That should set off a red flag. But they're very subtle. And a lot of times, these are spear phishing emails that are very well crafted and highly effective. They have a really high rate of effect. The second thing they say is put technical controls in place. 

Dave Bittner: Yeah, makes sense. 

Joe Carrigan: Education is good. But if you don't have multifactor authentication on the CEO's email, you probably should... 

Dave Bittner: (Laughter) Yeah. 

Joe Carrigan: ...Something that can absolutely just stop this in its tracks. 

Dave Bittner: Right. 

Joe Carrigan: Next they say, emphasize that the C-suite needs to be an example to the rest of the organization. 

Dave Bittner: Yeah. 

Joe Carrigan: Which is true - they do. They really do. 

Dave Bittner: Yeah. And you know, it's funny. Carole Theriault recently had a story here. She brought us a story about how C-suite executives, the bosses can often be trouble... 

Joe Carrigan: Right. 

Dave Bittner: ...Because they're - and understandably, they're so busy with lots of things that they don't want to slow down to do a lot of these security things. But they do so at their own peril. 

Joe Carrigan: Right, absolutely. Finally, they say - this article says communicate business email compromise risk to the CEO or the rest of the C-suite in business language. You know, a lot of times you'll have a chief information officer who actually isn't from a technical background. They're from a management background. 

Dave Bittner: Right. 

Joe Carrigan: Right? So to explain this, you can't go, hey, we're seeing hundreds of phishing emails coming in every day with these credential-harvesting pages out there, trying to get credentials, they're - you know, somebody is going to fall victim to this at some point in time. 

Dave Bittner: Right. 

Joe Carrigan: And that's going to be bad. And we're... 

Dave Bittner: Port scans. Web traffic. 

Joe Carrigan: Port - yeah, port scans and web traffic are going... 

Dave Bittner: (Laughter). 

Joe Carrigan: What you need to say is, there's a risk that somebody is going to gain unauthorized access to your email account, impersonate you and cause the loss of millions of dollars to this company fraudulently. 

Dave Bittner: So put it in terms they understand... 

Joe Carrigan: Right. 

Dave Bittner: ...Which is the terms of business risk. 

Joe Carrigan: Right. 

Dave Bittner: That's where they live, right (laughter)? 

Joe Carrigan: And then they'll say, well, how do we mitigate that? What do we do with this risk? Because there are three things you can do with a risk. You can accept it, you can mitigate it or you can transfer it. But this is actually something that's pretty easy to mitigate very well with multifactor authentication. And you tell somebody that there's a risk to lose millions of dollars, and you can mitigate it by spending $45 on a YubiKey or by using - spending no money on something like Microsoft or Google Authenticator... 

Dave Bittner: Right. 

Joe Carrigan: ...Right? - setting up a multifactor authentication system that uses one-time passwords. 

Dave Bittner: Right. Yeah. I mean, I think this is a really important point, that it's up to you to be the translation layer. 

Joe Carrigan: Right. 

Dave Bittner: As the person who has the technical knowledge, you need to come and speak to these folks in their language and not expect them to speak yours. 

Joe Carrigan: You know, very early in my career when I was - first started doing software development - I think I've talked about this before - I was terrible at this. I would start telling people how we were going to go about something or what we were going to do for them, and they would glaze over. 

Dave Bittner: (Laughter). 

Joe Carrigan: Right? And their eyes - you'd see it in - you'd see their faces just kind of - just go slack, and their eyes would glaze over. And the guy who was my boss at the time, who's still a very good friend of mine - he would say, what Joe is saying is... 


Dave Bittner: Ah, yes. He was your Rosetta Stone. 

Joe Carrigan: Right. Exactly. And he was my supervisor at the time. One of the things that we talked about in my reviews was the progress I was making towards not doing that, to communicating better with non-technical people. 

Dave Bittner: Yeah. 

Joe Carrigan: And I've gotten better at it over the years. Of course you can - you know, I used to know a guy who said the biggest room in the world has room for improvement, so there's always room to get better. 

Dave Bittner: (Laughter). That's good. That's good. Yeah. I just think you can't underestimate these communication skills. Even as a technical, you know, professional, you have all this vast realm of knowledge for all this technical stuff, but it does you little good if you're not able to explain it in terms that other folks can understand. You're going to get the tools you need. You're going to get what you want. You're going to have greater success if you can provide that translation for the folks who you're working for. 

Joe Carrigan: Agreed 100%. 

Dave Bittner: All right. Well, Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.