The CyberWire Daily Podcast 10.26.21
Ep 1446 | 10.26.21

Ransomware and privateering, counteroffense and deterrence. The US State Department will reestablish its cyber office. And looking forward to Halloween.


Dave Bittner: Notes on ransomware and privateering. Conti's barking at its victims. Someone's exploiting billing software. And BlackMatter repeated some coding errors its DarkSide predecessor committed. GCHQ suggests that the U.K. will undertake a more assertive imposition of costs on cyber gangs. The U.S. State Department will reestablish its cyber bureau. Software supply chain cyber-espionage and what can be done about it. Ben Yelin on school laptop privacy concerns. Our guest is David White of Axio to discuss ransomware preparedness. And some more scare notes for Halloween.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, October 26, 2021. 

Dave Bittner: There's more out today on the ransomware front. The Conti gang, whose smugly self-righteous protestations that they are actually the good guys - that's it, that's right - practically freedom fighters or something like that - whose valediction forbidding law enforcement we heard about yesterday, may have changed its business model. 

Dave Bittner: KrebsOnSecurity has a discussion of the Conti ransomware gang's decision to sell either victims' data or access to victims' networks. It's not clear which exactly, but they want the victims to know that those who don't pay are in big trouble. The gang recently posted a note that reads in part, quote, "if you are a client who declined the deal and did not find your data on cartel's website or did not find valuable files, this does not mean that we forgot about you. It only means that data was sold, and only therefore it did not publish in free access," end quote. The hoods go on to say, quote, "we are looking for a buyer to access the network of this organization and sell data from their network," end quote. 

Dave Bittner: So the communique or threat Conti posted is ambiguous with respect to what precisely is being offered for sale. Are they selling data, or are they getting into the access broker business? But is this tactical ambiguity, or is it a why-not-do-both strategy? Or is it simply poor idiomatic control? Maybe all three. 

Dave Bittner: Whatever the case may be, Conti hopes to punish uncooperative victims. Publicly naming the companies whose access one hopes to sell would seem to be self-defeating. One possible explanation might be that the gang is itself feeling the hot breath of law enforcement on its neck. Emsisoft, for one, speculated to KrebsOnSecurity that Conti may be considering an exit. 

Dave Bittner: Conti's shift in strategy comes days after the gang issued a self-righteous and puerile valediction for REvil, taken down last week by a coordinated international law enforcement action. In Vice's account, Conti argues that ransomware is good somehow, but their argument amounts to little more than an implausible denial. The U.S., you see, is really pushing ransomware when it takes down criminal servers. We suppose that's one way of looking at it. 

Dave Bittner: Other ransomware operators are exploiting known vulnerabilities in BillQuick billing software to distribute ransomware, BleepingComputer reports. Huntress Labs has an account of the vulnerabilities. Reports indicate that some are fixed. Fixes are in progress for others. 

Dave Bittner: Security firm Emsisoft has been able to take advantage of slovenly coding by the BlackMatter ransomware gang to damage the gang's operations by enabling victims to recover files without paying ransom. 

Dave Bittner: BlackMatter represents a rebranding of the DarkSide gang. And Emsisoft found that the reorganized gang had repeated a coding error that its predecessor had committed. That error enabled Emsisoft to quietly help BlackMatter victims. 

Dave Bittner: While Emsisoft kept its discovery of the flaw quiet, others who came across it did not, and BlackMatter upped its game and fixed the problem. But Emsisoft says it continues to keep an eye out for other criminal missteps, and it encourages its colleagues and partners to do the same. 

Dave Bittner: The U.K., normally tighter-lipped about such matters than its trans-Atlantic cousins, has made public representations to the effect that Britain's relatively young National Cyber Force, established last year, would undertake offensive cyber operations to disrupt the infrastructure used by criminal gangs. GCHQ director Fleming, speaking virtually at yesterday's Cipher Brief conference, indicated that more needed to be done to impose costs on criminal actors and that the National Cyber Force could be expected to play a role in doing so. 

Dave Bittner: The U.S. State Department, The Wall Street Journal reports, will reestablish its cybersecurity bureau to enhance its ability to coordinate diplomatic measures in support of national cyber policy. The Wall Street Journal reports that Secretary of State Blinken is expected to announce the newly reconstituted office later this week. 

Dave Bittner: Security firm Mandiant, which has been tracking software supply chain attacks of the kind Microsoft announced at the beginning of the week, has offered advice on how organizations can remediate attacks and harden their systems against the threat. 

Dave Bittner: Whatever successes law enforcement, intelligence and military organizations have recently enjoyed against Russian ransomware privateers, there seems to have been no corresponding success against Russian intelligence agencies. 

Dave Bittner: The Hill sees the high optempo and relatively brazen Russian cyber-espionage directed toward the compromise of software supply chains as evidence that U.S. efforts at deterrence have so far not succeeded in restraining activity of the Russian government proper in cyberspace. Espionage is more difficult to deter than is kinetic warfare. 

Dave Bittner: Mandiant's vice president of intelligence analysis John Hultquist told The Hill, quote, "they have intelligence requirements that they are tasked with fulfilling, and they are unlikely to be deterred from doing that. That's their job. Until they think that they are not being spied on, Russia's not going to give up espionage," end quote. 

Dave Bittner: And finally... 


Dave Bittner: ...Yes, we're reminding you that Halloween is almost here. The scary season stats today come courtesy of DivvyCloud. The clouds they see are, of course, of the virtual cyberspace kind, but they can be dark, roiling and transitional. Organizations, DivvyCloud says, are running 40% of their workloads in the cloud. Eighty-nine percent of them are in various stages of cloud adoption or plan to adopt within the next year, but more than a third of them aren't sure which standards apply to the governance of their organization's cloud and container environments. And who goes into the cloud the way teenagers in a horror movie go into an empty house? 


Unidentified Actor #1: (As character) Hello? Hello? 

Dave Bittner: Developers and engineers do, and organizations embrace self-service cloud access for them to fuel innovation the way indulgent adults hope to allow the horror movie teenagers a couple of hours to have a good time. Potential security and compliance complications emerge the way silent, lumbering, menacing figures do from the horror movie fogs. 

Dave Bittner: And are the companies concerned? Yes. Yes, they are. Seventy-four percent of them say they're moderately or highly concerned about the security of the public cloud. Can you do something about it? Yes. Yes, you can. Following best practices in the cloud and sound digital hygiene are the cyber equivalent of, well, turning the lights on in that dark house, which is even better than carrying some garlic around with you. 


Unidentified Actor #2: (As character) Ooh, garlic - bleh (ph). 

Dave Bittner: Pretty scary, kids. So happy Halloween. And, again, let's stay safe out there. 


Dave Bittner: David White is president at cyber risk management firm Axio. I caught up with him for insights from their recently published 2021 State of Ransomware report. 

David White: I think that the top three findings are deficiencies in privileged access management. And the No. 2 is deficiencies in privileged access management, and the No. 3 - probably deficiencies in privileged access management. So I think that's the big finding. 

David White: You know, we saw in the data - and we believe the data - so we believe this data to be better than survey data because this is - these are assessments that people are completing out of their desire to improve their internal preparedness for a ransomware event, which is something we're all concerned about. And so we believe the data is very good. 

David White: On privileged access management, you know, 80% reported that they have not implemented a privileged access management solution, or a PAM solution, which is an emerging and important technology for managing privileged access. But I think, for me, even more concerning than that is that 63% reported that they have not implemented multifactor authentication for privileged access. So that sort of first step of implementing multifactor authentication is - seems to be something that a lot of folks are missing. 

Dave Bittner: Yeah, that's - I guess it's surprising, discouraging that we aren't further along with that. 

David White: Yeah, well, I think that - look; the job of any cybersecurity team is really challenging. And there's a big drive and has long been a big drive in the community to implement more and better technology. And I think what our study indicates is that people are missing some of the basics. And we suspect that they may be missing the basics by the drive to continue to implement new technologies. 

David White: Now, the privileged access management runs counter to that. That's part of how we're trying to make sense out of what we're seeing. You know, another big concern with privileged access is service accounts. And we found that 64% are not auditing the use of privileged service accounts. And we know that, you know, sometimes even cybersecurity tools - ironically, cybersecurity software and tools encourages teams to implement them using privileged service accounts. 

David White: But we also know that ransomware attackers have gotten really adept over the past 18 months at pivoting and escalating privileged to secure domain admin credentials. And once they have those domain admin credentials, they can leverage the extraordinary power of Active Directory to amplify their attack, amplify their access, amplify their injury to the organization. And so locking down privileged accounts and service accounts are key controls that a large number of folks seem to be lagging on at this point in time. 

Dave Bittner: One of the things that struck me as I was going through your publication was - you touched on user awareness training and how we still have some progress to be made there as well. 

David White: There's good and bad news there, right? We saw that 50% of people are training - implementing training and awareness programs around phishing and doing anti-phishing tests in their organization. But that means 50% aren't. So we're halfway where I think we should be. 

Dave Bittner: So based on the information that you have gathered here, what are your recommendations? What sort of things should people be putting in place here? 

David White: Well, we think that, clearly, folks need to take a very close look at how they're managing privileged credentials, everything from, you know, administrator access on user endpoints to those most precious privileged credentials, the domain admin accounts. And, you know, our No. 1 recommendation is more rigor is needed around privileged access management. 

David White: Supply chain risk, as we've talked about - key element. We also found a large number - a large percent of folks have not implemented a ransomware recovery playbook as part of their incident response. And given that, you know, I think it was Threatpost who just said that in the first six months of 2021, we've seen 150% increase in ransomware events compared to 2020. So ransomware continues to grow, and one of the keys to limiting organizational impact is recovering quickly. So being able to respond with a competent and prepared incident response team is critical. So it's really important that people develop that, you know, incident response muscle for ransomware so they know what to do if they have that unfortunate day. 

Dave Bittner: That's David White from Axio.  

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: Interesting story from the folks over at WIRED. This is written by Sidney Fussell, and it's titled "Borrowed a School Laptop? Mind Your Open Tabs." What's going on here, Ben? 

Ben Yelin: So starting in March of 2020, many school-age children in the United States had to switch to remote learning. Luckily, most schools are back in person. That's not true for every school. But at least at some point over the last year and a half, students ages 5 through 18 were required to have a device at home. Many students who are of greater socioeconomic status had their own laptops, their own private laptops their parents bought them. It wasn't a problem. It was a seamless transition. 

Dave Bittner: Right. 

Ben Yelin: This was not true for millions of students across the country. They did not have these devices. They would not be able to engage in virtual learning unless they were given a device. So schools were able to provide these devices to young children, which is great. That's the only way they can sustain virtual learning. 

Dave Bittner: Right. 

Ben Yelin: Unfortunately, what this article uncovered is that many of those devices came with student-monitoring software. This particular software is called Securly, and this software lets teachers see a student's screen in real time and allows the teacher to close tabs if they believe that the student is off task or is not paying attention. And so there was a limitation on how many tabs could be open when schools were employing the software, and they limited it at first to two tabs. 

Ben Yelin: So the hook in this article... 

Dave Bittner: (Laughter) Wait. Stop. Well, hold on. Two tabs? Two tabs? 

Ben Yelin: Two tabs. 

Dave Bittner: (Laughter). 

Ben Yelin: Yeah. I don't remember the last time I had a browser open with fewer than... 

Dave Bittner: I'm sitting here looking at my browser right now. So - two dozen, maybe (laughter)? 

Ben Yelin: Yeah. I mean, it's an insane restriction, and the hook in this article makes it clear. There was a student who was trying to do a social studies research project. They were looking at a bunch of different sources. So naturally, the student was opening up a bunch of different tabs. 

Dave Bittner: Right. 

Ben Yelin: And these tabs just kept closing mysteriously on him, so he wasn't able to complete his research. 

Dave Bittner: Yeah. 

Ben Yelin: The upshot of this is, as the Center for Democracy and Technology said, this is creating kind of a two-tiered system. For students whose parents are able to purchase laptops, who don't have to use school-issued devices, they have carte blanche as to the type of research they can do, as to, you know, what they can do during school hours if they're engaged in virtual learning. And students who are of a lower socioeconomic status are being monitored by school administrators or teachers. And, of course, lower-income households are going to be far more likely to use these school-issued computers. And they, you know, are subject to these surveillance tactics and these tracking tactics. 

Dave Bittner: Yeah. 

Ben Yelin: I think that is fundamentally unfair. I mean, I think there should be some level of equity between students who are issued school-provided devices and those who've had their devices purchased by their parents or at home. That's a good, reasonable, actionable goal. And I think school systems should think twice about whether it's really worth it to deploy this type of surveillance technology, whether that's really going to be something that improves the user experience of these students or if it's going to be something that's unduly restrictive. 

Dave Bittner: Yeah. And, I mean, maybe you give the teachers more leeway in what happens. You know, like if I'm a teacher and I see that a kid has a bunch of tabs open but I can also see that those tabs support the homework that the kid's doing, well, no problem, right? 

Ben Yelin: Right. 

Dave Bittner: But if I see the kid off task during class, you know, watching YouTube or something, well, then that's different. And, you know, teachers have their hands full, but I guess don't set the absolutes in the software here. Give the teachers the ability to dial in what works best for them in their classroom and their teaching style. 

Ben Yelin: I think that's absolutely right. And, you know, I think after this technology was first deployed and they realized that the two-tab limitation was somewhat ridiculous, they did make a change to make it a five-tab limitation, I think which is still too low. 

Dave Bittner: (Laughter) Yeah. 

Ben Yelin: I think the changes should be broader than that. 

Ben Yelin: You know, one of the concerns that's a little bit more significant and goes beyond the technology is we know that there have been inequities in school discipline. We know that students of color, for example, students of lower socioeconomic status are more likely to face suspensions, expulsions. That helps to contribute to what's called the school-to-prison pipeline. We don't want to create a scenario in which, you know, one student who has a private device, somebody of means who can afford their own device... 

Dave Bittner: Yeah. 

Ben Yelin: ...Is goofing off during class and doesn't face any disciplinary action, whereas the student of lower socioeconomic status who's doing the exact same thing, you know, checking his fantasy football team... 

Dave Bittner: Right. 

Ben Yelin: ...Is subject to suspension or expulsion. 

Dave Bittner: Yeah. 

Ben Yelin: I think that's an end result that we certainly want to avoid. 

Dave Bittner: Yeah. You know, interesting just personal anecdote here. My kid is - just started high school. And we live in a county that has, you know, good resources, good amount of resources, a well-funded community in terms of our school system. And so they provided laptops to kids who needed them. And my son was all set. You know, he already had his own machine, didn't need one. But we had friends in the school system who said, no, please, even if you don't need it, go get that laptop because I guess there's some sort of, you know, use-it-or-lose-it kind of thing when it comes to this sort of thing. 

Ben Yelin: Right. If they're offering you a free laptop, you take it, right? 

Dave Bittner: Well, but I think also, it lets them report back that we've used these many laptops, and so we get funding to support this many laptops... 

Ben Yelin: Right. 

Dave Bittner: ...And that sort of thing. So (sighing, laughter), you know, on the one hand, I get it. And, you know, we got the laptop. And he does use the laptop from time to time. But on the other hand, it's like, I didn't really need the laptop. 

Ben Yelin: Yeah, Now if it's going to be used for monitoring... 

Dave Bittner: Yeah. 

Ben Yelin: ...You know, and this type of surveillance - some parents are going to be more concerned about that than others. And, you know, I don't want to suggest that there's no interest in trying to keep students on task. 

Dave Bittner: Yeah. 

Ben Yelin: I think certainly, especially with younger children, there is a governmental interest in having proper teacher supervision. 

Dave Bittner: Right. 

Ben Yelin: My ultimate hope is that this can become relatively moot as we get back into in-person learning. 

Dave Bittner: Yeah, absolutely. 

Ben Yelin: But, you know, if we are going to be in a world of virtual learning, it probably will happen again. I think this is certainly an issue worth monitoring. And I think it's kind of just a cost-benefit analysis. 

Dave Bittner: Yeah. And, you know, I have friends who are teachers, and they made the point that when we were completely virtual, teachers were not allowed to insist that students turned on their cameras because it's a privacy issue. You were - teachers were not entitled to look into that kid's home. 

Ben Yelin: I think that's perfectly reasonable. 

Dave Bittner: Yeah, yeah, absolutely. 

Ben Yelin: I mean, I was instructed the same teaching law classes - that, you know, it can't affect your class participation grade if you decided to turn off your camera because this is - you are potentially viewing something personal when you're looking into somebody's home. 

Dave Bittner: Right. 

Ben Yelin: And you don't know what's going on there. 

Dave Bittner: Right. 

Ben Yelin: So... 

Dave Bittner: Yeah. Interesting times. Right, Ben (laughter)? 

Ben Yelin: It sure is. We live in very interesting times. As the kids say, this might be the worst timeline. 

Dave Bittner: (Laughter) OK. Well, Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.