The CyberWire Daily Podcast 11.2.21
Ep 1451 | 11.2.21

Trojan Source--a threat to the software supply chain. Ransomware goes to influence operations school. Triple extortion? Criminal target selection.
Dave Bittner: Researchers describe Trojan Source, a hard-to-detect threat to the software supply chain. A ransomware gang takes a page from the information operator's book. From double extortion to triple extortion, as other ransomware gangs add distributed denial of service to encryption and doxing. Criminals are now hacking on material, nonpublic information, the FBI warns. Joe Carrigan looks at multifactor adoption at Twitter. Our guest is Steve Ragan from Akamai on API security. And criminals hit health care providers in Newfoundland.

Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Tuesday, November 2, 2021. 

Dave Bittner: Researchers from the University of Cambridge have described a new attack method they're calling Trojan Source. The method abuses Unicode. The researchers explain, quote, "rather than inserting logical bugs, adversaries can attack the encoding of source code files to inject vulnerabilities. These adversarial encodings produce no visual artifacts," end quote. Trojan Source places Bidi override characters into comments and strings from where they're moved into source code in ways that compilers accept and that will appear unproblematic to human reviewers. The method amounts to a software supply chain vulnerability. 

Dave Bittner: The researchers, both affiliated with Cambridge, write in their abstract, quote, "we present a new type of attack in which source code is maliciously encoded so that it appears different to a compiler and to the human eye. This attack exploits subtleties in text-encoding standards, such as Unicode, to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers. Trojan Source attacks, as we call them, pose an immediate threat both to first-party software and of supply-chain compromise across the industry. We present working examples of Trojan-Source attacks in C, C++, C#, JavaScript, Java, Rust, Go and Python," end quote. 

Dave Bittner: The ability Trojan Source has to affect software written in a broad range of languages is noteworthy. The researchers think compiler-level defenses will be important, and they also describe mitigations that can be used in editors, repositories and build pipelines until compilers are effectively upgraded to deal with the risk. 

Dave Bittner: KrebsOnSecurity summarizes a few experts' reactions. Some are surprised by how readily compilers will uncritically parse Unicode. The potentially malicious code also persists through copying and pasting, and that, of course, is a common developer's practice. Fixes to compilers will be required to foreclose the possibility of Trojan Source attacks. 

Dave Bittner: Among other things, the researchers' paper affords what Krebs calls a fascinating case study on the complexities of orchestrating vulnerability disclosure. When the researchers began notifying software firms whose products were affected, they offered a 99-day embargo on public disclosure to give the firms an opportunity to address the issue. They describe the reception they received, quote, "we met a variety of responses ranging from patching commitments and bug bounties to quick dismissal and references to legal policies. Of the 19 software suppliers with whom we engaged, seven used an outsourced platform for receiving vulnerability disclosures, six had dedicated web portals for vulnerability disclosures, four accepted disclosures via PGP-encrypted email, and two accepted disclosures only via non-PGP email. They all confirmed receipt of our disclosure. And ultimately, nine of them committed to releasing a patch," end quote. 

Dave Bittner: So the moral with respect to coordinated vulnerability disclosure is that it's complicated, as the kids say about their relationship status in social media. 

Dave Bittner: Ransomware gangs continue to evolve their tactics. The Daily Beast reports that the Grief Gang has sought to ratchet up the pressure on the National Rifle Association, recently one of the gang's victims, by amplifying the threat of leaks with an army of Twitter bots created in August and September. 

Dave Bittner: The bots have the usual hallmarks of inauthentic accounts. They appeared at about the same time. They neither follow anyone nor are they followed by anyone. And they're focused on retweeting news about compromised NRA accounts. And naturally, a large fraction of their posting is written in what the Beast calls stilted English, which we take to mean a dialect of Shadowbrokerese, that commonplace criminal lingua franca. 

Dave Bittner: It's a familiar information operator's technique, and in this case, it appears to be applied for criminal effect. Although, of course, an unstated political motive might be present as well. Some of the troll bots are also tweeting about gun violence and the alt-right, which suggests a possible interest in general disruption. Still, it appears an effort to make the victim's seat even warmer. 

Dave Bittner: An FBI alert issued Friday warned that the HelloKitty ransomware gang, also known as the Five Hands, had added a third threat, distributed denial-of-service attacks, to the now familiar double extortion threat of encryption followed by the threat of doxing. 

Dave Bittner: The Bureau warns, quote, "The FBI first observed Hello Kitty/FiveHands ransomware in January 2021. Hello Kitty/FiveHands actors aggressively apply pressure to victims, typically using the double extortion technique. In some cases, if the victim does not respond quickly or does not pay the ransom, the threat actors will launch a Distributed Denial-of-Service attack on the victim company's public-facing website. Hello Kitty/FiveHands actors demand varying ransom payments in Bitcoin that appear tailored to each victim, commensurate with their assessed ability to pay it. If no ransom is paid, the threat actor will post victim data to the Babuk site or sell it to a third-party data broker," end quote. 

Dave Bittner: So distributed denial-of-service continues to enjoy its continuing mild comeback. And double extortion, encryption plus data theft and the threat of exposure, may be evolving in the direction of triple extortion - encryption plus doxing plus DDoS. 

Dave Bittner: The FBI also warned, yesterday, of a ransomware attack that's familiar but remains prominent - gangs time their attacks to coincide with significant events. We're accustomed to seeing attacks timed to hit over holiday weekends, for example, when victims' guards are thought likely to be lower. But in this case, the noteworthy events are financial ones. 

Dave Bittner: Quote, "The FBI assesses ransomware actors are very likely using significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections. Prior to an attack, ransomware actors research publicly available information, such as a victim's stock valuation, as well as material nonpublic information. If victims do not pay a ransom quickly, ransomware actors will threaten to disclose this information publicly, causing potential investor backlash," end quote. 

Dave Bittner: The Bureau's description of the way these operations work is interesting, and it tells a story that makes sense with respect to the increased complexity of the criminal-to-criminal market. It begins with reconnaissance, probably conducted by an initial access broker who will select the right targets to offer the right criminals. The inspiration for the financial-event approach seems to have been provided by a ransomware actor who, in 2020, encouraged participants in the Russophone hacking forum Exploit to use information from the Nasdaq to lend vigor and urgency to their scams. Soon thereafter, quote, "unidentified ransomware actors negotiating a payment with a victim during a March 2020 ransomware event stated, we have also noticed that you have stocks. If you will not engage us for negotiation, we will leak your data to the Nasdaq and we will see what's going to happen with your stocks," end quote. 

Dave Bittner: Among the gangs that have adopted the approach of extortion based on material, non-public information was DarkSide. Others can be expected to follow suit. From the criminals' point of view, there's very little downside. 

Dave Bittner: And finally, lest anyone be inclined to take the high-minded assurances the gangs often tender in their communiques - the Robin Hood schtick they cop when they claim to respect the public good and avoid hitting targets whose disruption would actually hurt people, like, oh, say, hospitals or healthcare providers - there's this news from Canada. Reuters reports that an apparent ransomware attack, detected Sunday, has disrupted healthcare management services in the province of Newfoundland. The incident has forced cancellation of some appointments, and the Niagara Falls Review says that healthcare providers in the province have temporarily reverted to paper records. The effects seem more inconvenient than deadly, but still, it's worth bearing in mind the next time a gang talks about how they carefully distinguish legitimate from illegitimate targets. Phooey - these aren't targeteers interested in following the rules of war. 

Dave Bittner: Security firm Akamai recently released the latest version of their State of the Internet report, with this round focusing on the security of APIs. Steve Ragan is a security researcher at Akamai, and he joins us with highlights from the report. 

Steve Ragan: Over the last 10 to 15 years, we've gotten really good at strengthening application development, SDLCs and things like this. But when you look at modern web applications and compare them to, like, API-focused applications, you see that the API stuff is sort of - not regressing, but they're experiencing the same growing pains that web applications did years ago. It's like history repeating itself. 

Steve Ragan: And that became very clear when you looked at, like, the Spring Boot applications that we examined in the report. We're talking hardcoded credentials, SQL injection vulnerabilities, cross-site scripting, configuration problems. You know, just all the stuff we saw with web apps years ago, you're seeing it now in API development. It's growing pains. Like, it's nothing that can't be fixed. And so we explored that. That was one of the big highlights for me personally as I was writing the report. 

Steve Ragan: The other thing that stood out was watching the criminals target APIs and the way they were going about it. So I highlighted one instance in the report, and it's - Willow is the name of the application, really popular service for developers. Well, what the criminals are doing is they're scanning the web and looking for the configuration files. And in a lot of these files, you'll find the necessary API key credentials. The criminal gets a hold of that. They take your access and use it for their gain, which is very, very bad if you consider that, you know, it's used for text messaging and email communications, things like that. So that was another standout for me. 

Dave Bittner: And what are the take-homes here in terms of recommendations based on the information that you all have gathered? 

Steve Ragan: So one of the big, big take-homes for me - and we highlighted this when it came in - is organizations need to not only know what their APIs are - like, what they're using and how they're using them. They need to make sure that they can find all of them in their organization. So track them. Find them down and, you know, figure out where they are and how they're being used because a lot of organizations have had incidents involving APIs, and they weren't even aware the API existed. So that's a problem. 

Steve Ragan: And then you look at - you know, now that you know where they are, test them. Understand, you know - are there any vulnerabilities with the API connector itself? Are there any vulnerabilities within the application that's leveraging the API? Test that stuff. You know, there's plenty of tools in the market and education available for developers. Take advantage of it. 

Steve Ragan: And, of course, when it comes to the overall picture, leverage your existing WAF infrastructure and identity management stuff alongside any of your API security offerings. And what I mean by that is tie it all together. You know, if you're using single sign-on or, you know, really locked-down access management at your organization or for your customers, make sure you tie that into all of your mobile apps or your web-based apps leveraging APIs because what criminals will do is they look for those gaps, and they look for those weaknesses. And they start to, you know, focus on that for exploitation. 

Dave Bittner: You know, you mentioned at the outset that this report was the result of a collaboration. And it strikes me that I'm seeing more and more of that in the security world, that people are reaching out to, you know, colleagues and sometimes even competitors to try to come up with better insights than they'd be able to get on their own. 

Steve Ragan: Absolutely. And that's the way it should be, and it should have been like that all along. So obviously, Akamai is a security company. We're never going to, you know, back away from that. But our overall reaching goal - and this is the same for a lot of companies in the space and a lot of security professionals. We just want to make the world safer. We want to make the world better, more secure. We want to see people learn. We want to educate. And if that means, you know, collaboration between competitors or collaboration between, you know, companies operating in the same space or, in some cases, different areas of the security industry, then that's what needs to happen.

Steve Ragan: You know, we are not shy with making sure that, you know, we work with the best. And that was, you know, one of my boss' goals when we started developing the SotI for this year - was to try and get collaboration. We worked - earlier this year, we worked with another company, WMC Global, to produce a financial services report that - literally, you know, we used our phishing data and credit stuffing data, and we used their phishing data and credit stuffing data. And we created a really comprehensive report on it. It's something I think needs to happen more. I'm quite happy we're able to do these types of team-ups.

Dave Bittner: That's Steve Ragan from Akamai. And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Interesting blog post came from the folks over at Twitter. This is written by Nick Fohs and Nupur Gholap. They are both senior-level folks at Twitter. And this is right up our alley for the stuff we cover over on "Hacking Humans." It's titled "How We Rolled Out Security Keys at Twitter" - really interesting insights behind the scenes of what they did here. Joe, can you share some of the details with us? 

Joe Carrigan: Yeah, a couple of things. No. 1, they're letting users use security keys, multiple security keys now... 

Dave Bittner: Right. 

Joe Carrigan: ...Which is good because when I tell people to adopt a security key like a Yubico or YubiKey or a Google Titan or whatever else - they all use the same algorithm. It's an open algorithm from - or architecture, actually, from the FIDO Network... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Or FIDO Alliance, rather. And I tell people, buy two of these things in case you lose or damage one of them - right? - because that way you'd be locked out of your Twitter account. And getting support from Twitter for this, I imagine, would be like screaming into the void. You'd never hear back. 

Dave Bittner: (Laughter). 

Joe Carrigan: So use two. And they're letting you do that now at Twitter. But interesting about this blog post - they talk more about the rollout of these keys internally because last year - you remember the Twitter hack that happened last year? 

Dave Bittner: Yeah. 

Joe Carrigan: The reason that was possible was because the attacker socially engineered one of their internal people to give up a multi-factor authentication code that was sent via SMS. 

Dave Bittner: Right. 

Joe Carrigan: Right? And even if you were using a different kind of code, like the time-based codes - you know, these numbers on the apps that we have... 

Dave Bittner: Right. 

Joe Carrigan: ...Like Google Authenticator or Microsoft Authenticator or whatever - that's still susceptible to being asked for. 

Dave Bittner: Right. 

Joe Carrigan: Somebody can call you and ask for it, and people could give it up. So we say SMS is the least secure. And if it's the only one you have, the only option you have, you should still use it. 

Dave Bittner: Yeah. 

Joe Carrigan: Don't disregard it because it's not as secure as anything else. 

Dave Bittner: Way better than nothing. 

Joe Carrigan: It's way better than nothing. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: But it's a lot worse than using a security key. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? And Twitter has this great blog post about their process of rolling these things out internally so this doesn't happen. 

Dave Bittner: Yeah. 

Joe Carrigan: They selected YubiKey 5s, the NFC and the 5C NFC, which are both USB and near field communication. So you can use them on your computer, or you can use them on your phones... 

Dave Bittner: Right. 

Joe Carrigan: ...If you have NFC on your phones, which most phones have. 

Dave Bittner: Yeah. 

Joe Carrigan: So the majority of this blog post talks about how they did this, what their process was for doing this. First, they selected a model. And they went with the Yubico... 

Dave Bittner: Right. 

Joe Carrigan: ...The YubiKeys. Then they actually had to go and buy these devices. And they had to buy 5,500 of them. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: Right? And... 

Dave Bittner: Some sales agent at Yubico had a good day that day (laughter). 

Joe Carrigan: Right. Actually, I'm sorry. They didn't have to buy - they had to buy them for 5,500 users, and they bought two of them for each user. 

Dave Bittner: OK. Right. OK. 

Joe Carrigan: So they sold 11,000 of these things. 

Dave Bittner: Wow. 

Joe Carrigan: And then Yubico helped them with shipping. 

Dave Bittner: Yeah. 

Joe Carrigan: Then they added the security key to the internal support systems so that people could register their keys. And then they let people register their keys. And then eventually, they flipped the switch so that you would no longer be able to use the old SMS means of authenticating.

Dave Bittner: Right. And I think it's also worth emphasizing here that they switched to these keys and only these keys... 

Joe Carrigan: Right. 

Dave Bittner: ...For internal use. You could no longer use the legacy... 

Joe Carrigan: Right. 

Dave Bittner: ...Types of multifactor. 

Joe Carrigan: If you're a Twitter employee now, you have to use YubiKey. 

Dave Bittner: Right. Right. 

Joe Carrigan: Right? Which is great, I think. 

Dave Bittner: Yeah. 

Joe Carrigan: They will never have an attack that happened the same way it did last time again. That will never happen to them because there is no way to call somebody and ask for a code out of this thing. It just doesn't work that way. 

Dave Bittner: Right. 

Joe Carrigan: The next attack is going to have to be different of some kind if it's going to be successful. 

Dave Bittner: Yeah. 

Joe Carrigan: They did have some great lessons learned here. Anticipate global shipping challenges was one of the things. 

Dave Bittner: Yeah. 

Joe Carrigan: So make sure that you have that in your plan. Leveraging built-in keys, which are - there are things on your phones. Like, usually your - like, Apple's Touch ID and Face ID and Android's built-in security key that will actually let you do a workaround. 

Joe Carrigan: I've actually disabled password authentication on my Microsoft account. I use the Microsoft Authenticator app now on my phone to authenticate into my Microsoft account. However, I think that is also susceptible to social engineering attacks as well. Somebody could just call me up and say, hey, Joe, go ahead and push that button. I'm about to log in. I mean, it would obviously require a whole lot of subterfuge, but it still works. 

Joe Carrigan: Another thing they say is track enrollment, right? The last thing you want to do is flip that switch and lock out maybe half your employees. 

Dave Bittner: Right. Right. 

Joe Carrigan: Right? So track enrollment, encourage enrollment and anticipate support needs, of course. And this is interesting. I found this - this is the last thing they talk about under lessons learned - encourage wider use. They actually made it clear to the employees that these YubiKeys were theirs to keep. So essentially, they're giving people two YubiKeys. And they're saying, use these and use them everywhere. And this is fine because once these people leave, Twitter can invalidate the keys and secure the login. There's not a security risk here, as long as they properly maintain the login credentials, right? 

Dave Bittner: Right. 

Joe Carrigan: Which is part of any exit process for employees. 

Dave Bittner: Yeah. 

Joe Carrigan: That exists regardless. But it's great that they're just giving them to people and saying, use these everywhere. And you're going to have to become accustomed to using it at your job. And once you're accustomed to using it at your job, you understand the workflow. 

Dave Bittner: Yeah. 

Joe Carrigan: You're off to the races. 

Dave Bittner: Right. And if somebody has it in hand as they're signing up for new things, I think it's more likely for them to check and say, oh, can I use this hardware key instead of - or instead of nothing at all or whatever. 

Joe Carrigan: Right. 

Dave Bittner: So just having that convenience of putting those out into the world seems like a good thing. 

Joe Carrigan: Agreed. 

Dave Bittner: Yeah. Yeah. All right, well, as you mention, really interesting article, and hats off to these folks at Twitter for sharing this with the rest of the world. I think there's some valuable lessons here. All right. Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.