The CyberWire Daily Podcast 10.20.21
Ep 1442 | 10.20.21

Cyberespionage campaign looks a lot like SIGINT collection. Magnitude gets more capable. VPN exploits solicited. Ransomware trends. Seven years for UPMC hacker. Plenty of Candy Corn coming.
Dave Bittner: The LightBasin activity cluster has been active indeed against telecom infrastructure in what looks like an espionage campaign. The Magnitude exploit kit adds capabilities for hitting Chromium browsers. An exploit broker is interested in cloud-based VPNs. Victims continue to pay in ransomware attacks. A hacker gets seven years for conspiracy to defraud and identity theft. David Dufour from Webroot looks at the coming threat landscape. Our guest is Paul Shread from eSecurity Planet on backup tools for ransomware. And a Candy Corn shortage is averted.

Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Wednesday, October 20, 2021. 

Dave Bittner: Security firm CrowdStrike has published a description of LightBasin, also tracked as UNC1945, an activity cluster that's been targeting global telecommunications infrastructure since 2016. LightBasin has been collecting user information on a large scale, showing a particular interest in call metadata and subscriber information. The report says, quote, "Recent findings highlight this cluster’s extensive knowledge of telecommunications protocols, including the emulation of these protocols to facilitate command and control and utilizing scanning and packet-capture tools to retrieve highly specific information from mobile communication infrastructure, such as subscriber information and call metadata," end quote. 

Dave Bittner: LightBasin showed a solid working understanding of how telecommunications works. One of the activities in the cluster, for example, proceeded by leveraging external DNS servers - which are part of the General Packet Radio Service network and play a role in roaming between different mobile operators - to connect directly to and from other compromised telecommunication companies' GPRS networks via SSH and through previously established implants. 

Dave Bittner: The LightBasin actors are compromising the telecommunications firms’ Linux and Solaris boxes. Those systems are attractive for two reasons. First, a great deal of the telcos’ infrastructure runs on those operating systems, and, second, at the same time those boxes tend to receive scant attention from security teams. 

Dave Bittner: Active since at least 2016, CrowdStrike writes, LightBasin employs significant operational security measures, primarily establishing implants across Linux and Solaris servers, with a particular focus on specific telecommunications systems, and only interacting with Windows systems as needed. 

Dave Bittner: The researchers think it unlikely the world has seen the last of LightBasin. Quote, "CrowdStrike Intelligence assesses that LightBasin is a targeted intrusion actor that will continue to target the telecommunications sector. This assessment is made with high confidence and is based on tactics, techniques and procedures, target scope and objectives exhibited by this activity cluster," end quote. 

Dave Bittner: Why LightBasin is collecting the data isn't entirely clear, but as the report goes on to observe, the nature of the data targeted by the actor aligns with information likely to be of significant interest to signals intelligence organizations. And signals intelligence is typically something governments engage in. 

Dave Bittner: So while it appears to be an espionage operation, CrowdStrike says, there is currently not enough available evidence to link the cluster’s activity to a specific country-nexus. 

Dave Bittner: Circumstantial evidence includes strings in Pinyin, which suggests Chinese or at least Chinese-speaking operators, but this falls well short of what might be required for attribution. CyberScoop's discussion treats LightBasin as an espionage campaign probably linked to Beijing, but the Record, however, characterizes the operators simply as crims. What payoff a classic crim would realize from collecting sigint isn’t clear, unless they’re selling it to some government. But in this case, let crims stand in for simply threat actors, and leave the further attribution to further counterintelligence work. 

Dave Bittner: Avast reports that the Magnitude exploit kit has added capability against the Chromium family of browsers, exploiting the CVE-2021-21224 and CVE-2021-31956 vulnerabilities. The Record finds it noteworthy that a moribund exploit kit obtained a relatively advanced capability. On the bright side, the exploit works against a relatively small range of targets. 

Dave Bittner: The well-known exploit broker Zerodium is looking for exploitable flaws in ExpressVPN, NordVPN and Surfshark. They're interested specifically in information disclosure, IP address leak or remote code execution. And the company says that local privilege escalation is out of scope. Zerodium typically sells exploits to governments and law enforcement agencies. 

Dave Bittner: All three of the VPN vendors for whom exploits are being sought are among the market leaders in cloud-based virtual private network offerings. The Record says the three VPN vendors haven't yet replied to the outlet's request for comments on the solicitation, but it's unlikely they're particularly happy with it. 

Dave Bittner: More evidence suggesting that official admonitions against paying ransomware operators Danegeld may be falling on deaf ears. ThycoticCentrify's 2021 State of Ransomware study concludes that 83% of the victims paid their extortionists. 

Dave Bittner: Earlier this year, on May 20, one Justin Sean Johnson, resident of Michigan and formerly employed by the U.S. Federal Emergency Management Agency, better known by its acronym FEMA, as an IT specialist, took a guilty plea to counts one and 39 of a 43-count indictment. The now 30-year-old Mr. Johnson, who used the hacker names TheDearthStar, Dearthy Star, TDS and DS, admitted improperly accessing the University of Pittsburgh medical center's human resources database server in 2013 and 2014. He sold the data he pilfered in various criminal-to-criminal markets, Infosecurity Magazine reports, and Mr. Johnson's customers used the data to file hundreds of fraudulent Form 1040 income tax returns. The U.S. attorney for the Western District of Pennsylvania said, quote, "These false 1040 filings claimed hundreds of thousands of dollars of false tax refunds, which they converted into Amazon gift cards, which were then used to purchase Amazon merchandise, which was shipped to Venezuela." And the Internal Revenue Service was out nearly $2 million in lost tax revenue. 

Dave Bittner: The two counts Mr. Johnson copped were enough for Chief United States District Judge Mark Hornak to throw the book at him. Judge Hornak gave Mr. Johnson the 60-month maximum for conspiracy to defraud the United States and also the statutory 24-month max for aggravated identity theft. The sentences will run consecutively, which means TheDearthStar will spend the next seven years in Club Fed. 

Dave Bittner: And finally, as Americans prepare for Halloween, the Chicago-based Ferrara Candy Company - makers of such trick-or-treat staples as Candy Corn, Nerds and Laffy Taffy - discovered on October 8 that it had been hit with a ransomware attack that temporarily disrupted manufacturing at some of its facilities. But no fears, Candy Corn connoisseurs. Ferrara told the Chicago Tribune that they've largely restored production, and in any case, Halloween orders had all, for the most part, shipped before the ransomware hit. So you'll be picking Candy Corn out of your bags until - well, we don't know - next April, if our parenting desk has it right. Thank goodness for season creep. At last, we see a good reason for the Halloween displays that began showing up in stores as early as the last week of August. Happy early Halloween, friends. 

Dave Bittner: Ransomware has highlighted the need for backups - good, multiple, reliable, off-site, encrypted, hermetically sealed, buried under Funk & Wagnalls' porch backups. All right, I exaggerate. But you get the point. Paul Shread is editor-in-chief at eSecurity magazine, where backups have been top-of-mind. 

Paul Shread: There has been a lot of talk about air-gapped backups. And that's a very good thing to do, but it's not the only thing that you need to do. Basically, people aren't doing nearly enough as they should. But due to all the attention that's been focused on the major attacks this year, I think people are looking at it much more than they used to. So I guess that's the one positive here, is people are actually finally starting to pay attention to this stuff. 

Paul Shread: You need multiple copies. You need it to be immutable, which means, you know, can't be changed, can't be accessed. I've actually seen the old three-two-one backup recommendation change lately, and I've seen four-three-two-one. You want, you know, four copies of your data. You want - you know, you want it in different formats, different locations. You want something that's air-gapped. Actually, you want multiple things that are air-gapped. Because the ransomware developers are starting to show that they can access offline data, too. I think it was LockFile, Sophos found, that is a little nastier than other strains. It's - it does a partial encryption, and it can do some offline encryption, also. This stuff is definitely getting stealthier and more dangerous. 

Paul Shread: And it's, you know - it's the same thing that it's always been. It's a security arms race. And, you know, we just need to do the best we can to stay on top of it. And that means - I think in the case of backup, you really need outside help. You know, I don't think it's - I think it's something very few companies can do by themselves. So it's - you almost always need some manner of help. I would even say that there are some cloud companies that can do it, you know, but you know, you need to just check them out carefully. There were some big names that have been doing backup for a long time, and they seem to be well-prepared to do this, you know, without mentioning names. 

Dave Bittner: I suppose it comes down to a risk-management approach here of balancing the effort and resources you put into backups versus the odds of having some event happen where you're going to need them. 

Paul Shread: Well, I don't think that any of this is new. I mean, people have always needed to back up their data. It's just that many of them haven't been doing it properly. You know, there's always been a need for protection from disasters. You know, everyone should have always been doing this. You know, they should have always had offsite backups. You know, there's, you know, so much that needs to be done because your business really depends on getting that data back up and running. You know, I don't think it needs to be pricey. I think, you know, there are some cloud and service providers that could probably do this, you know, stuff without costing a fortune. I think the added cost is probably in the need to keep, you know, multiple copies that can't be changed. And - you know, so that's going to run up the data storage costs more, but you could set policies that you save them for only so long. But I do think you need multiple copies because it's just a matter of time till they figure out how to encrypt those, too. So I think we just need to treat these people as the, you know, very smart actors that they are with, you know, backing from nation-states. There's some really, you know, wild stuff going on here. Data is the lifeblood of companies now, so you really want to be able to get that back up and running as quickly as possible 'cause your business depends on it. 

Dave Bittner: Yeah. And I suppose, you know, we hear these stories all the time about companies who put this off. And - 'cause I suspect for a lot of folks, it's an easy thing to put off. But then the worst happens, and they find themselves in a jam. 

Paul Shread: Well, that's the problem. You know, people think that it's not going to happen to them. They think they can put it off. But I got to tell you, it's got to be the scariest thing that I've seen in security. So if you're not taking it seriously, you're really asking for trouble. But you know, that said, if you do get hit, there are options out there. There are data recovery services. There are tools that can help you decrypt the data. So there are options you're - you aren't totally lost if you get hit. But if you want to be on top of this and back up and running quickly, you really need to take those preemptive steps. 

Dave Bittner: That's Paul Shread. He's editor-in-chief at eSecurity magazine. 

Dave Bittner: And joining me once again is David Dufour. He's the vice president of engineering and cybersecurity at Webroot. David, always a treat to have you join us here. I don't know about you, but I am having a hard time reconciling how quickly this year has gone by (laughter). We are - like, 2022 is right on the horizon here. I was curious, you know, can you be the first person that I ask about what sort of things you're expecting to see as we careen towards 2022? 

David Dufour: Yeah, you're right, David. This year has just - I don't know what's happened. You know, it's been a pretty good year, actually, so I'm glad of that. But David, there's this brand-new threat out there that not many people have heard of, and we're going to really break it open on the podcast today. It's called ransomware. I bet most people haven't heard of it, but that's what's coming in 2022. 

Dave Bittner: Ransomware, really? 

David Dufour: Yes. 

Dave Bittner: Go on. Go on with that, David. What exactly goes into this ransomware thing you mentioned? 

David Dufour: Well, the cybercriminals put some piece of malware on your computer, and it encrypts all your files, and you have to pay a ransom through crypto. 

Dave Bittner: (Laughter) Wow. Interesting. 

David Dufour: Yep. 

Dave Bittner: So basically, the bold prediction that you're making for 2022 is more of the same. Is that what I'm hearing? 

David Dufour: That's exactly right. Look; last year, we saw, you know, an average of around - each attack costing about $200,000. That's on average. Believe it or not, this year, with all the high-profile ones, you'd think the average was up. But the average is actually down to about $150,000 per attack we're seeing this year. But that's just 'cause of the sheer volume of attacks that's occurring. 

Dave Bittner: Oh, interesting. 

David Dufour: I'm on a pretty thick limb here. I'm not really going out too far when I say ransomware is going to continue to be the problem next year. 

Dave Bittner: Yeah, it's fascinating to me, also, because I think - you know, when you look back a couple years, probably back to 2018 or so, I think a lot of us thought that we were going to see cryptomining really take off. You know, that was the thing that a lot of us had our eye on. But then it seems like that sort of fizzled out or didn't take off the way that ransomware did. 

David Dufour: Yeah. I'm going to pat myself on the back on that one 'cause I literally said, there's probably not a lot to worry about there. The bad actors have got to see a good business model, and I know they were trying to insert things in browsers to mine when you were on websites and things like that, but it kind of petered out. It's just easier, David, to do attacks with ransomware, infect a computer and then charge a ton of money for it. And you know, I want to segue into something else that we need to think about, which, you know, kind of leads to that ransomware infection. Another thing we're going to continue to see - we saw a lot of last year, it's growing this year. There's a lot of really good tools that we all use in cybersecurity for remote protection. You know, our NDM software that helps us manage, you know, with all the remote - us all working from home due to COVID, things like that. Those tools are getting attacked so that they, the purveyors of ransomware, can deploy it in a broader area. So that's another thing. This one, I am going out a little bit on a limb saying, we're going to see a lot more of the good software turned bad. 

Dave Bittner: More of those insider threats or supply chain threats, I suppose. 

David Dufour: Well, exactly. And if you're - you know, I don't want to name any names, but if you're using something inside your organization to manage your infrastructure, even to manage your business, like an ERP or something, you could see, you know, a lot of attacks start and get deployed through that kind of software. So everyone really has to start paying attention to this. 

Dave Bittner: Is it really a matter of, these days, you have to have something that's keeping an eye on the behavioral aspects of your network that's, you know, not just looking for indicators but looking for what's going on? 

David Dufour: That is absolutely right. And a lot of it is behavior now, which, unfortunately, typically takes a lot of resources. There's not many resources in the security industry, so good for you if you're in this industry. You're going to have a job for a while. But it is about looking, not just locking down. You can't - you do need to lock down the basics of backup, antivirus, patch. But the real focus after you've gotten past those three is to look at what's going on so you can catch it before it happens. 

Dave Bittner: All right. Good insights, as always. David Dufour, thanks for joining us. 

David Dufour: Great being here, David. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.