The CyberWire Daily Podcast 10.25.21
Ep 1445 | 10.25.21

SolarMarker malware carried in some WordPress sites. Russian privateers don’t much like REvil’s takedown. The SVR in the supply chain. Malicious Squid Games app. Scary social media.

Transcript

Dave Bittner: SolarMarker infestations are up and circulating through WordPress sites. More indications that REvil was taken down by a U.S.-led but thoroughly international public-private partnership. Russia's SVR is getting busy in software supply chains. Criminals take advantage of the popularity of "Squid Games" (ph). Dinah Davis from Arctic Wolf on how even hackers have internal politics. Rick Howard checks in with the Hash Table on compliance. And Halloween is coming. Do you know what your apps are up to?

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, October 25, 2021. 

Dave Bittner: Security firm eSentire reports a market upswing in SolarMarker infestations. Whereas the information stealer had hitherto relied upon Blogspot, Google sites and content delivery networks to host malicious files, the campaigns using SolarMarker have begun making increased use of compromised WordPress sites. The operators have also succeeded in making their attacks more evasive and more adept at bypassing defenses by using large payload sizes, obfuscated payload modules and stolen certificates, which present challenges to antivirus solutions. 

Dave Bittner: SolarMarker is proving, eSentire says, to be a cross-industry threat but with a focus on three sectors - manufacturing, legal and financial. They're also observing the same enhancements Cisco's Talos researchers took note of in July - an improved staging module and effective keylogger. 

Dave Bittner: More emerged over the weekend on the multinational public-private operation that seems to have put REvil down. SecurityWeek confirmed that a U.S. international partner, unnamed, was responsible for the final shutdown. That REvil suffered significant reputational damage between its first occultation, shortly after its early July attack on Kaseya, and last week's takedown seems undeniable. 

Dave Bittner: Other competing ransomware gangs have commented on their rival's fortunes. The Conti gang, for example, put an insufferably smug and self-congratulatory post out on Friday. They wrote, quote, "as a team, we always look at the work of our colleagues in the art of pen-testing, corporate data security, information systems and network security. We rejoice at their successes and support them in their hardships. Therefore, we would like to comment on yesterday's important announcement by the U.S. law enforcement about the attack on the REvil group," end quote. 

Dave Bittner: They don't care much for the American government. Quote, "first, an attack against some servers, which the U.S. security attributes to REvil, is another reminder of what we all know - the unilateral extraterritorial and bandit-mugging behavior of the United States in world affairs," end quote. 

Dave Bittner: Essentially, Conti's opinion is that the multinational operation amounted to an extraterritorial attack against some infrastructure in some countries. "Is there a law," they ask rhetorically, "even an American one, even a local one in any county of any of the 50 states that legitimize such indiscriminate offensive action? Is server hacking suddenly legal in the United States or in any of the U.S. jurisdictions? If yes, please provide us with a link," end quote. 

Dave Bittner: OK. Well, sure. So how about these - section 1030(a)(2) or 1030(a)(4) of the Computer Fraud and Abuse Act would seem to cover it. And U.S. law, whatever Russian privateers may think, does have, at least in U.S. eyes, extraterritorial application in the case of cybercrimes in particular. A useful reference is "Prosecuting Computer Crimes," published by the Office of Legal Education, Executive Office for United States Attorneys Computer Crime and Intellectual Property Section, Criminal Division. Not a dull page in it, especially pages 113 and following. Put a copy in the gang washroom, Conti. It'll stimulate the bowels better than a buckthorn infusion or the black coffee and bran muffin favored stateside. Enjoy. 

Dave Bittner: The ransomware gang Groove was also barking after the REvil takedown, calling, in a Russian-language criminal forum post BleepingComputer found, for a general effort by all ransomware gangs against American interests. Since the big players in Russophone ransomware circles are effectively operating under letters of marque and reprisal and that they're already fully engaged against American interests, it's difficult to see how that would change much. 

Dave Bittner: Indeed, the Groove statement, a kind of criminal halftime speech, as much as acknowledges the connection to the Kremlin. Here's what they said, bowdlerized because we're a family show. Quote, "in our difficult and troubling time when the U.S. government is trying to fight us, I call on all partner programs to stop competing, unite and start effing up the U.S. public sector, show this old man who is the boss here, who is the boss and who will be on the internet. While our boys were dying in (ph) honeypots, the nets from rude aibi squeezed their own. But he was rewarded with higher and now he will go to jail for treason. So let's help our state fight against such ghouls as cybersecurity firms that are sold to amers, like U.S. government agencies. I urge not to attack Chinese companies because where do we pinch if our homeland suddenly turns away from us - only to our good neighbors, the Chinese. I believe that all zones in the USA will be opened, all nether orifices will come out and F this effing Biden in all the cracks. I myself will personally make efforts to do this," end quote. 

Dave Bittner: So there. We observe the poor taste involved in saying our boys were dying in honeypots. Nobody actually dies in a honeypot. It's the kind of overheated metaphor you'd find in a campus newspaper. Phooey. What's happened to crime? 

Dave Bittner: iTWire thinks that this and other whistling-in-the-dark, blustering gasconade from elsewhere in gangland are aimed far less at frightening law enforcement than they are intended to reassure criminal stooges in the C2C markets that Conti and those like them are still in the game and still a reliable partner in the sleazy ransomware enterprise. 

Dave Bittner: In any case, FBI, Cyber Command, Interpol, Europol and your colleagues, good hunting. 

Dave Bittner: Russian intelligence services, like the privateers, are showing small disposition to trim their activities in response to diplomacy, sanctions or deterrence. Microsoft has identified extensive new activities by Russia's SVR Foreign Intelligence Service, which Microsoft tracks as Nobelium and which will be familiar as the Cozy Bear behind the early 2016 election season compromise of the U.S. Democratic National Committee and last year's SolarWinds compromise. The current operations, which Microsoft describes as very large and ongoing, show no signs of abating. 

Dave Bittner: Microsoft said, quote, "this recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain," end quote. Redmond has warned 140 resellers and technology service providers that they were being targeted by Nobelium. The company believes that 14 of them may have already been compromised. 

Dave Bittner: The SVR's recent approach doesn't involve any exotic zero-days or clever exploitation of software vulnerabilities. Instead, they've used, quote, "well-known techniques, like password spray and phishing, to steal legitimate credentials and gain privileged access," end quote. 

Dave Bittner: While Microsoft says it's under no illusions that nation-states, including Russia, are going to suddenly revert to good behavior in cyberspace, it does think prospective targets aren't as helpless as they once may have been. Quote, "we have learned enough about these new attacks, which began as early as May this year, that we can now provide actionable information which can be used to defend against this new approach. We've also been coordinating with others in the security community to improve our knowledge of and protections against Nobelium's activity, and we've been working closely with government agencies in the U.S. and Europe. We believe steps like the cybersecurity executive order in the U.S. and the greater coordination and information sharing we've seen between industry and government in the past two years have put us all in a much better position to defend against them," end quote. 

Dave Bittner: Microsoft, we note in disclosure, is a CyberWire sponsor. 

Dave Bittner: Crime continues to find its targets of opportunity in popular culture. An unauthorized app for Netflix's big, big hit "Squid Games" (ph), formerly available in Google Play, has been yanked by Mountain View with a warning that Android users should uninstall it. Researchers at security firm ESET, the Independent reports, found that Squid Game Wallpaper 4K HD was in fact serving up Joker malware. 

Dave Bittner: And finally, now this. 

(SOUNDBITE OF WOLVES HOWLING) 

Dave Bittner: Halloween is this Sunday, kids, and we'll observe the run-up to the spooky holiday this week with some scary stats contributed by industry researchers. 

Dave Bittner: Are you on social media? Sure you are. And so, be scared. That's the import of the true campfire story Arkose Labs sent our way for Halloween. 

Dave Bittner: Arkose's Q3 Fraud and Abuse Report found that 53% of the logins - that's more than half of all logins - on social media sites are fraudulent. And fully one-quarter of applications for new accounts are also fraudulent right from the get-go.  

(SOUNDBITE OF MANIACAL LAUGHTER) 

Dave Bittner: But wait. There are scary robots, too. Over 75% of social media attacks are, say Arkose, now automated by - by bots. 

(SOUNDBITE OF SPOOKY SOUND EFFECT) 

Dave Bittner: And a lot of those are account takeover attacks. They're after your login data. 

(SOUNDBITE OF FILM, "THE DAY THE EARTH STOOD STILL") 

Patricia Neal: (As Helen Benson) Gort, Klaatu barada nikto. 

Dave Bittner: Well, that's probably not going to do it - different kind of bot, you know? 

Dave Bittner: Pretty scary, kids. So happy Halloween. Stay safe out there. 

(SOUNDBITE OF WOLVES HOWLING) 

Dave Bittner: And it is always great to welcome back on the show our own Rick Howard, the CyberWire's chief security officer and chief analyst. Rick, you know, last week on the "CSO Perspectives" podcast, you did a deep dive on the current state of cybersecurity compliance law. 

Rick Howard: Don't fall asleep when you say that, Dave. Don't fall asleep - compliance law. 

(LAUGHTER) 

Dave Bittner: I know. There are people who are standing by their podcast apps, and they're saying, oh, I hope they talk - I hope they talk compliance law today. 

Rick Howard: I can hardly wait (laughter). 

Dave Bittner: Yeah, yeah. So one thing that caught my eye that I really wasn't expecting was that organizational compliance strategy was so important, and it was so important that you included it as one of your first principle strategies. Now, as I recall, you were still on the fence about that. Have you come to any resolution since we aired that episode? 

Rick Howard: Well, I think so. But my answer is not what I thought it was going to be when we started down this path. I mean, the potential fines that may result from the 50-plus compliance laws on the books right now - it could be material to your business. 

Rick Howard: You know, for example, in 2018, Anthem paid $16 million - that's small M - to the U.S. Office for Civil Rights as a settlement for HIPAA noncompliance. Now, I have no idea if Anthem considered $16 million material to their business. After all, their annual revenue, it's north of $33 billion - the big B there. 

Dave Bittner: Wow. 

Rick Howard: So when I finished last week's episode, I was unsure if compliance should be a bedrock first principle. So this week, I invited Tom Quinn, the T. Rowe Price CISO, to the CyberWire Hash Table to see if he could help me decide. 

Dave Bittner: Oh, Tom's a great guest. I've had him on our show several times - super smart. And, of course, he's been doing cyber in the financial industry for decades now, right? 

Rick Howard: Yeah, he's worked at State Street, BNY Mellon, JPMorgan Chase, and now he's going on six years at T. Rowe Price. And he said that the way he thinks about compliance is that it's an essential component to his resilience first principle strategy. 

Rick Howard: But here's the interesting thing. He says that if you think about the four first principles - zero trust, intrusion kill chain prevention, resilience and risk forecasting - they all have equal weight. But immediately following those principles is DevOps as a layer that cuts across all four. And immediately following the DevOps layer is a compliance layer because you can't do compliance without automation, and all of the compliance data will come from the DevOps infrastructure. And that, by the way, is why Tom is one of the smartest CISOs in our community. 

Dave Bittner: (Laughter) OK, well, there's plenty more where that came from - right? - on this week's episode of "CSO Perspectives." You can find that as part of CyberWire Pro, which is on our website, thecyberwire.com. Rick Howard, thanks for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: And joining me once again is Dinah Davis. She's the VP of R&D operations at Arctic Wolf. Dinah, it is always great to have you back. Some of these bad actors out there, some of these hacking groups that are up to no good - it's funny. Every now and then something bubbles to the surface where perhaps they're not all getting along with each other. 

Dinah Davis: Yeah. 

Dave Bittner: And I know that's something that you've had your eye on. What can you share with us today? 

Dinah Davis: Yeah. So a lot of these ransomware groups, these hacker groups are actually, like, quite large organizations, right? They've got the people who are doing the hacking. They've got, you know, the customer support people. Like, there's customer support lines. And a lot of them have what you call affiliates, which is like - you know, there's McDonald's, and then there's, like, the franchisee. And the franchisee is then running the place, and they get paid a certain percentage of everything that comes in, right? 

Dave Bittner: Right, right. 

Dinah Davis: And so that's how a lot of these ransomware teams work. Well, apparently they also have internal politics, just like every other company. And recently, there was a disgruntled hacker at the ransomware gang Conti. And they were apparently very unhappy about how much they were getting paid to, you know, do Conti's bidding. And so they decided to leak the technical guides that Conti gang uses to train its affiliate members. So it was things like how to access and move laterally and escalate across a hacked company. And they just, like, published the whole thing to GitHub and, you know, actually threw it out there (ph) for them, right? 

Dave Bittner: Yeah. No honor among thieves, right? 

Dinah Davis: No, no. And really, though, did that person do that much damage? If you take a look at what the guide said, it's, like, a lot of pretty basic offensive tactics and techniques, and they're used by other ransomware gangs. The only interesting real stuff that came out of there was a number of IP addresses that you can now block because you know that they use them. 

Dave Bittner: Right. 

Dinah Davis: But I just found it interesting that, you know, even hackers have internal politics. 

Dave Bittner: (Laughter) Well, but isn't it interesting that - I would say overall, it's fair to say that there is a good amount of discipline among these groups, that the fact that this doesn't happen more often is interesting in itself. 

Dinah Davis: Yup, yup. Absolutely. It absolutely is. 

Dave Bittner: Yeah. All right. Well, Dinah Davis, thanks for joining us. 

Dinah Davis: You're welcome. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.