The CyberWire Daily Podcast 10.28.21
Ep 1448 | 10.28.21

Hacktivists or intelligence services in Iran? BOLO Nikolay K. Renouncing Conti, and all its empty promises. SEO poisoning. US cyber strategic intent.
Dave Bittner: Iran continues its recovery from a cyberattack that disrupted subsidized fuel distribution. Wanted in Stuttgart but living it up in Russia, ransomware kingpin Nikolay K. The Conti ransomware gang gets poor customer service notices. Food distribution is on the cybercriminals' target list. SolarMarker's use of SEO poisoning. The U.S. publishes a statement of strategic intent for its cybersecurity czar's office. David Dufour from Webroot wonders if there's any hope at slowing down malware. Our own Brandon Karpf describes the DOD's SkillBridge program. And decryptors are made available for three ransomware strains.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, October 28, 2021. 

Dave Bittner: Iran continues its efforts to recover from an apparent cyberattack that crippled subsidized distribution of gasoline throughout the country, SecurityWeek reports. As of yesterday, only 220 of the 4,300 filling stations normally connected to the discounted fuel network had been reconnected. About 3,000 stations are able to sell fuel offline at unsubsidized market prices. Representatives of the Iranian government are quoted by the AP as saying that the goals of the attack were to create "disorder and disruption." Tehran has blamed an unspecified foreign government for the disruption. But according to the BBC, another, at least nominally, hacktivist opposition group calling itself Predatory Sparrow has claimed responsibility. People claiming to represent the same group also said they were involved with the destruction of Iran's passenger rail service earlier this year, but it's still too early to consider anything Predatory Sparrow claims as authoritative for attribution purposes. And, of course, it's worth recalling that hacktivist groups can be entangled with state intelligence services or can even be a front operation run by those services.

Dave Bittner: German authorities tell BR24 that they've identified the criminal kingpin of the once-and-future REvil gang or at least a member of the gang's core group. His association with REvil goes back to the days of its GandCrab predecessor, which argues for some continuity of leadership across the protean rebranding such gangs periodically undergo. German police apparently tracked Nikolay K. by following bitcoin transactions. And that is his hacker name, Nikolay K. He represents himself online as a cryptocurrency trader. German federal investigators and prosecutors have obtained an arrest warrant, but Nikolay K. is at large in Russia and unlikely to ever face German justice. He has vacationed abroad, most recently in Turkey. But apparently, no extradition request was ready at that time. More recently, apparently, he's been content to live it up on a Black Sea yacht. No extradition treaty covers yachts in Russian territorial waters. 

Dave Bittner: Turning to another gang that's recently made itself prominent in the news, CSO reviews the Conti ransomware gang. For all of its preening Robin Hood shtick, Conti is even less likely than other criminal organizations to restore victims' files or keep promises not to release stolen data. And the other criminal organizations - remember - set a pretty low bar of good behavior. CSO quotes researchers from Palo Alto Networks. Quote, "Usually, more successful ransomware operators put a lot of effort into establishing and maintaining some semblance of integrity as a way of facilitating ransom payments from victims. They want to establish stellar reputations for customer service and for delivering on what they promise - that if you pay a ransom, your files will be decrypted, and they will not appear on a leak website. Yet in our experience helping clients remediate attacks, Conti has not demonstrated any signs that it cares about its reputation with would-be victims," end quote. Demonstrating signs shouldn't be confused with saying, of course. And Conti was busy passing out wolf tickets last week when our REvil disappeared as its infrastructure was taken down in an international law enforcement sweep. 

Dave Bittner: We noted yesterday the ransomware attack that affected Schreiber Foods, a major player in the dairy industry. CyberScoop has an update, which, while noting that the company has been tight-lipped about the exact nature of the incident it did sustain, says that Schreiber Foods was still recovering its plant operations into this week. The Wisconsin State Farmer reports that the attackers demanded $2.5 million in ransom. Some, like Progressive Farmer, see the attack as part of a larger trend in which criminals attack food supply chains. It would be naive in the extreme for operators in the agriculture or food sectors to think that they enjoy any immunity from criminal attentions. Whatever posturing the gangs may engage in online, they really don't show much evidence of inhibition when it comes to selecting their victims. Any rationalization seems to do when it comes to hitting a target one might think ought to be exempt on the grounds that striking it would damage the common good. And in truth, most of the gangs probably can't even be bothered to engage in flimsy rationalization. They'll take what they can.

Dave Bittner: Menlo Security has published research into the SolarMarker criminal campaign currently in progress. They see SolarMarker as one of an increasing number of threat actors who use search engine optimization poisoning - that's SEO poisoning - as an evasive approach that can bypass many traditional network defenses. It's enjoyed a high rate of success recently. Menlo says, quote, "Attackers commonly use this technique to artificially increase the rankings of their malicious pages. They do this by injecting the malicious website with keywords that users search for. Across our customer base, we have seen a wide variety of search terms that lead to malicious pages. We have observed over 2,000 unique search terms that lead to malicious websites," end quote. The attack typically unfolds like this. You search for something in whatever search engine you prefer. The search engine results return websites that host malicious files, typically PDFs. If you click on the poisoned link, you're taken to a compromised site that invites you to download the document that appears to be what you're looking for. Should you click, you'll be taken through a series of HTTP redirections, at the end of which a malicious file is downloaded onto the endpoint. One interesting side note - the payloads were typically large, ranging in size from 70 to 120 megabytes. Their large size paradoxically enabled them to avoid detection since they exceeded the size limits content inspection engines normally define. Menlo offers a couple of safeguards organizations and individuals might employ. First, you can block Windows executable file downloads from unwanted categories. And second, you might consider blocking sites whose top-level domains are either .site or .tk.

Dave Bittner: The White House has published a Strategic Intent Statement for the Office of the National Cyber Director. The stated goal is a world in which Americans are free to be enriched, empowered and enlivened by digital connectivity instead of burdened by it. The document is striking in its recognition that cybersecurity is a complex set of many small problems and not something addressable by a single moonshot. 

Dave Bittner: Some good news on the ransomware front. Security firm Avast is making decryptors available for ransomware strains including AtomSilo, Babuk and LockFile. And we say, bravo, Avast. 

Dave Bittner: And finally, we remind you again that Halloween is almost upon us. 
Dave Bittner: But, of course, if you're here in North America, society at large is so heavily pumpkin-ized this week that you hardly need us to tell you that. Still, we continue our series of sharing scary stats and stuff that have come over the transom from industry. Did you know, for example, that as Bitglass says, only 12% of enterprises are consistently able to detect insider threats stemming from personal mobile devices, including those that are off-premises or lack agents? Well, you do now. And how about this from Valimail, whose look at the landscape of fraud, concludes that almost 3 1/2 billion bogus emails go out every day? And who knows? Odds are some of them are going to land in your inbox. ForgeRock says that in 2018, data breaches exposed 2.8 billion consumer records, and that cost the U.S. organizations involved more than $654 billion. No wonder Jumio says that 1 in 5 adults in the U.S. get a case of the unsafe willies up their spine when they think about using online sharing services. Scary stuff. Huh, kids? 
Dave Bittner: Careful listeners to our daily podcast may have noticed the addition of a few new names in our end credits. Among them, Brandon Karpf. Brandon is a cryptologic warfare officer in the United States Navy, having served at NSA and U.S. Cyber Command. And he comes to us through the military's SkillBridge program, which is designed to help service members transitioning into the private sector. 

Brandon Karpf: I was at the point where I knew the industry I wanted to go into. Because of my career in the military, I had fallen in love with cybersecurity. I knew that that is the domain I wanted to work in. I didn't know the work role. I didn't know where or what company, but I knew I wanted to work in the cybersecurity community. 

Dave Bittner: Well, for our listeners, describe how the program works because you're working with us right now, but you're still a bit under the wing of the Navy, right?

Brandon Karpf: Yeah, it's exactly right. And SkillBridge is an incredible Department of Defense program. And in fact, it is partly built for people like me, but it's even more built for the enlisted sailors, soldiers, Marines, airmen who have less experience out in the private sector. And the whole idea of SkillBridge is with your commanding officer's approval - you know, that's your senior boss. With their approval, you can spend up to the final six months on active duty working for a private company. And so basically, what that means is your commanding officer approves you to go work and basically be an intern or a fellow at a private company for your last anywhere from three to six months of active duty and work as a member of that company, not really report back to the military. I have to go back at the end for one day only just to kind of say goodbye. And that was the deal with my commanding officer. But she - and to her credit, she knew that it was going to cause a gap in her manning because the Navy was not going to send her another person to fill my role. But she saw the value of the program and approved me to go participate. And it's an incredible program, and I really do hope that more people use it across the entire joint force. Just in the last couple weeks of me being at the CyberWire, I've learned more than I anticipated. Just being part of a team in a private company, seeing the daily communications and the daily work and how things get done, there are some similarities with the military, but there's a lot of differences. And it's a very different environment. I can't imagine just jumping into a company, needing a paycheck day one and getting out of the military and being stressed about all that on top of learning the job. 

Dave Bittner: You're on your - I guess you're on your final approach - right? - or your... 

Brandon Karpf: Yeah. 

Dave Bittner: I guess a sailor's metaphor would be you're heading towards the dock, right? 
Brandon Karpf: Exactly. Pulling into port. I'm pulling into port. 

Dave Bittner: Yeah, pulling into port. There you go. I guess I could have said final approach if you were a naval aviator. But... 
Dave Bittner: So what happens next? I mean, as this transition is looming, what are your thoughts there? How are you feeling about that? 

Brandon Karpf: I'm feeling good. I did not feel good in the beginning. It's a real hit to your confidence. I, like anyone, suffer from the imposter syndrome. So, you know, the question in my head this whole time and now and probably into the future is, am I actually cut out to work in the private sector? It might sound funny to someone who didn't serve in the military, but military service - that life, in some ways, is a lot easier than working in the private sector. It's easy to do that work because you know what's expected of you every single day. There's a baseline. There's a bar. As long as you don't fall below that bar, you're fine. And that bar is pretty much set at 80%. That bar is not set at 100%. There's some people that go above and beyond and like to operate above that bar, but you don't have to. It's pretty comfortable. Yeah, with military service comes the moving every two to three years. And yeah, getting deployed and being away from family and that stuff sucks. But at the same time, it is very easy to get into that rhythm and do that for your entire life. And unfortunately, a lot of people fall into that trap. And I have, too. It's anxiety-inducing going off of that highway. It is a highway. It is straight and narrow. And I knew for the next 20 years exactly what jobs I would have to do to get promoted, exactly where I would have to go to get promoted and get to retirement. And that would be my professional career. I have taken the off ramp. And here there be dragons.

Dave Bittner: That's United States naval officer Brandon Karpf, currently working with us here at the CyberWire courtesy of the U.S. military's SkillBridge program. 

Dave Bittner: And I'm pleased to be joined once again by David Dufour. He's the vice president of engineering and cybersecurity at Webroot. David, great to have you back. You know, the past couple segments you and I have done together, we've been talking about how things seem to be headed in the same direction that they have been. You know, ransomware just keeps on going. I'm curious for your insight on, are there things to be optimistic about? Or are there efforts underway to sort of stem the tide of malware that seems to be getting worse and worse year after year?

David Dufour: No. We should just give up, probably all go home... 

Dave Bittner: (Laughter). 

David Dufour: ...And call it a day 'cause it's over. We've lost. 

Dave Bittner: It's what I get for asking. Yeah. 

David Dufour: Right (laughter). 

Dave Bittner: All right. Well, David Dufour, thanks for joining us. 

David Dufour: Great being here, David (laughter). 

Dave Bittner: Sunny as always. Yeah. 

David Dufour: Honestly... 

Dave Bittner: But seriously (laughter)... 

David Dufour: Right. On a serious note, you know, it seems like when we're in the midst of a big boom, like ransomware is right now, and it's causing lots of trouble, that we never get ahead of stuff. But for those of us like myself - I won't lump you in there, David - you're a spring chicken. You know, I'm in my 50s. That, you know, 10, 15 years ago, the big, big, big problems were your computer getting infected and locked up, and you had to rebuild it, reimage it. Or then we saw botnets, worms, you know, spreading malware, spreading and stealing data. And I don't want to say we solved those problems, but we did a lot to make those things difficult enough that the bad actors had to go on to something new. And unfortunately, that something new is ransomware. And where I'm going with this is it's, you know - it's a game, chicken and egg, where we're going to see what they come out with. We're going to come up with some solutions that make it so hard that folks don't use that. It's going to - there's going to be a lull. And then we'll go through the cycle again with whatever's coming new. It's not like people are going to magically stop attacking, you know, computer networks. It's that it just takes us a little time. We've come up with some good solutions, and then we go to what's next. It's how it is.

Dave Bittner: What is on your radar in terms of things that are coming or efforts that you see that could really move the needle?

David Dufour: Yeah. So from a ransomware perspective, it's all about backups first. They've gotten - what's super interesting, by the way, is they've gotten really good at infecting backups and laying dormant until the infected backups are the primary backups. So you don't have actually good backup data. So being on top of that and being able to remediate in real time, you know, when something is infected that basically eliminates the issue. I think we're going to see some of that over the next few years, where it's basically recovering in real time to mitigate the ransomware exposure. And then eventually, we'll crack the nut on how to identify ransomware strains quickly through email or behavioral heuristic analysis. And once we can start doing that, we'll start to see a real slowdown in ransomware simply because we can shut it down right away. We'll be able to hit the panic button and stop it and then recover. And then people will look back and say, man, remember the 2020s when ransomware was so bad? That's - I really think those things where we can get ahead of it - it's going to trigger, and we can prevent it from causing damage - is what's really going to allow us to get ahead of ransomware.

Dave Bittner: Yeah, it's interesting. I mean, I think back to, you know, the decades that we all dealt with spam in our inboxes, you know, and that's pretty much a solved problem these days. I mean, you know, it's - we pretty much got that under control. 

David Dufour: Yes. 

Dave Bittner: Looking forward to the days when some of these other biggies are in the same category. 

David Dufour: Well, what's interesting, David, I mean, we're starting to see an uptick in worms and things that deploy ransomware inside networks. So it's the old adage that what's old is new. So the minute we think ransomware is on the decline, somebody will come out with some new spam technology, and that's what will be getting us. So... 

Dave Bittner: Right, right. 

David Dufour: ...It's always fun to see it. 

Dave Bittner: Fun is one word for it. Sure. 
David Dufour: Interesting. Let's call it that. 

Dave Bittner: (Laughter) OK. All right. Well, always a pleasure. David Dufour, thanks for joining us.

David Dufour: Great being here, David. Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.