Ransomware hits an electronics retailer and a new-school financial services company. Updates on international action against REvil.
Dave Bittner: Hive ransomware hits electronics retailer Media Markt. Robinhood Markets sustains a data breach it traces to social engineering. Ben Yelin looks at the law behind U.S. police demanding your phone passcode. I check in with Rick Howard for his thoughts on the Trojan Source vulnerability. And more notes on the international action against REvil.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, November 9, 2021.
Dave Bittner: Germany-based multinational electronics retailer Media Markt has seen operations disrupted by a ransomware attack, according to Bleeping Computer. The ransomware strain is said to be Hive. And the criminal operators' opening position was to demand $240 million. That's high and probably represents an opening gambit, a negotiating position. Hive is a relatively new ransomware operation, surfacing in June of this year. It's acquired a reputation for indiscriminate targeting, even by the ruthless and careless standards that prevail in the criminal underground, whatever pious argle-bargle they might woof from time to time in their communiques. Media Markt is one of Europe's biggest electronics retail chains, with 53,000 employees and a thousand stores in 13 countries. RetailDetail says that store employees in Belgium, Germany and the Netherlands have been told to take point-of-sale systems offline. Company headquarters in Ingolstadt has told its stores that it's working on the problem.
Dave Bittner: Stock trading platform Robinhood Markets yesterday disclosed that it sustained a data breach on November 3. A customer support employee was inveigled - or socially engineered - into granting an unauthorized outsider access to certain company data. The data exposed include email addresses for about 5 million Robinhood users, the full names of a different set of roughly 2 million users and more extensive personal information - like names, dates of birth and zip codes - for some 300 users. The data theft apparently represented an extortion attempt. The Wall Street Journal reports that Robinhood has brought in Mandiant to investigate the incident. Those who recall the meme-stock short squeezes earlier this year will recognize Robinhood as the trading firm mentioned in dispatches by the U.S. Securities and Exchange Commission. Speculators established accounts with Robinhood, attracted by its convenient mobile app, its zero-commission trading and its low balance requirements. Some of them used those accounts for wash trading, essentially trading with themselves to manipulate the share prices of meme stocks. There's no evident connection between those incidents and the present ransomware case.
Dave Bittner: Yesterday's announcement by Europol that a Romanian-led investigation leading to the arrest of suspected REvil ransomware operators has not only netted several difficult-to-apprehend criminals but also lends some credence to the impression that ransomware gangs in particular have grown a bit skittish about their vulnerability to arrest. The U.S. Justice Department also seized $6.1 million in cryptocurrency from a REvil operator who remains at large. The U.S. Treasury Department yesterday sanctioned Chatex, which describes itself as a fully fledged crypto bank, SecurityWeek reports, for its role in processing cryptocurrency transactions allegedly on behalf of the gangs.
Dave Bittner: Three other firms that supported Chatex were also sanctioned - IZIBITS OU, Chatextech SIA and Highgrade Financial Ltd (ph). The Treasury Department wants people to understand that there is nothing inherently nefarious about altcoin. As the department's announcement says, quote, "while most virtual currency activity is licit, virtual currency remains the primary mechanism for ransomware payments, and certain unscrupulous virtual currency exchanges are an important piece of the ransomware ecosystem. The United States urges the international community to effectively implement international standards on anti-money-laundering and countering the financing of terrorism in the virtual currency area, particularly regarding virtual currency exchanges," end quote.
Dave Bittner: Treasury has a lot of good things to say about its partners in Latvia and Estonia, who've moved to interrupt the company's operations. The implications of the designation are as follows. Quote, "as a result of today's designation, all property and interests in property of the designated targets that are subjected to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them. Additionally, any entities 50% or more owned by one or more designated persons are also blocked. In addition, financial institutions and other persons that engage in certain transactions or activities with the sanctioned entities and individuals may expose themselves to sanctions or be subject to an enforcement action. Today's action does not implicate a sanctions nexus to any particular ransomware as a service or variant," end quote.
Dave Bittner: Treasury's action, taken together with the seizure of $6 million-plus from the cryptocurrency account of an alleged ransomware operator, shows an international determination to attack the economic model ransomware operators depend on. They may enjoy the protection or at least the indulgence of the government where they reside, but electronic finances are accessible in some ways across borders.
Dave Bittner: At yesterday's press conference, U.S. Attorney General Merrick Garland made a point of saying, quote, "most of the time, the actors themselves are trying to hide abroad. But as we've shown time and again, we'll still pursue them, disrupt them and hold them accountable. The long arm of the law reaches a lot farther than they think. And we've got ways of disrupting those sheltering in places like Russia, as Polyanin discovered when he woke up and found $6.1 million he'd extorted from his victims missing," end quote. Mr. Polyanin is one of the protected privateers who remain at large - still in the wind but noticeably poorer.
Dave Bittner: And joining me once again is Rick Howard. He is the CyberWire's chief security officer, also our chief analyst. Rick, always great to have you back.
Rick Howard: Hey, Dave.
Dave Bittner: So right after Halloween, news came out of the University of Cambridge that two of their distinguished researchers, Nicholas Boucher...
Rick Howard: Is that how you say that? Yeah.
Dave Bittner: I'm going to - your guess is as good as mine, and apologize to Mr. Nicholas if I got it wrong. But also Ross Anderson - they published some really interesting work here on a new supply chain attack technique that they're calling Trojan Source.
Rick Howard: Yeah.
Dave Bittner: And they say that if it's done correctly, attackers can completely hide exploit code in plain sight within a program and that this would circumvent any human code review or automatic scan. Now, that sounds scary enough, but I have to say a lot of this is over my head on how they would do it. And I thought I would check in with you. Help me and the audience out here. How is this possible?
Rick Howard: Well, you're right, Dave. Just when you thought that the internet couldn't get any scarier - OK? - that's when you know you're due - right...
Dave Bittner: Right.
Rick Howard: ...For something like this to come along. And before I explain it, let me just vouch for the authors' credentials, especially Ross Anderson. He's a Cybersecurity Canon Hall of Fame winner for his book "Security Engineering: A Guide to Building Dependable Distributed Systems." And so for all of your engineers out there, if you're looking for a primer on security design, that's the book to read.
Dave Bittner: All right. Well, so these two gents publish a paper on this Trojan Source idea. How exactly does it work?
Rick Howard: So the technique takes advantage of a system that the international community has standardized on to represent numbers on computers, right? And so this is from the Unicode Consortium. It's a nonprofit standards body formed way back in 1991. And what they say is, before we had these Unicodes, we had hundreds of different coding systems for assigning these numbers to computers.
Rick Howard: And they all had limitations. For, like, a single language like English, let's say, no single encoding system was good enough for all the letters, punctuation and technical symbols we needed to get things done. And the different systems crashed into each other, with two encodings using the same number for two different characters or the other way, using different numbers for the same character. It was like, jiminy Christmas. In this precision world, that wasn't going to work.
Rick Howard: So the Unicode Standard changed all that. They provided a unique number for every character, no matter what platform, device, application or language. So that's the good news. The bad news is where Boucher - is that how we're saying it? - and Anderson...
Dave Bittner: We're going to go with that.
Rick Howard: So these two guys from their paper - OK? - they said, you know, computer programs require support for both left-to-right languages such as English and Russian and right-to-left languages such as Hebrew and Arabic. And if your program combines both kinds, there must be a way for the compiler to resolve which direction to go. And so the compiler, for everybody that doesn't know, is that program that turns your written code into something that the computer can run. And it turns out there's an algorithm for this. It's called the bidirectional or bidi algorithm.
Dave Bittner: OK. So I get all that, and I have a handle on that in terms of operating in the real world. So - but what exactly is the exploit trick that these researchers came up with?
Rick Howard: So it turns out that for some edge scenarios, the Bidi algorithm may not be sufficient - OK? - to - for all programmers. And so the algorithm gives them the ability to tell the compiler what to do manually. All right? So - and that's the seam - OK? - that the hackers take advantage of. What Boucher and Anderson describe in their paper is a way for a programmer to write code that looks like a comment statement or just a string of characters to the human eye. You know, you and I are reading this, say, oh, that's just a comment. If you read it, like, right to left. But because of the Bidi encoding system, the compiler reads the code left to right. And a clever hacker can turn that left-or-right compiler reading into some kind of dangerous exploit code. It's really ingenious.
Dave Bittner: Now, in their paper, the authors say that this represents a new kind of supply chain attack. How exactly does that work?
Rick Howard: Well, you know, in the supply chain attacks we've seen this year, like the SolarWinds attacks, the attackers broke into the SolarWinds networks, found the code for a SolarWinds product and inserted their Trojan horse code into the real code. And when customers downloaded the product to their own networks, the Trojan horse came with it. But once SolarWinds knew that's what was going on, it wasn't hard to find the offending code, remove it and then issue an update to their customers. What Boucher and Anderson came up with in their technique is hackers can insert their Trojan "sorse" code. See what they did there? A little play on Trojan horse, right? Right? They do this into, like, open source programming projects like Linux or Kubernetes. And so when other contributors look at the code, all they will see is this weird-looking comment and not know that it's actually an exploit code. This kind of stuff could sit inside code libraries for years without anybody noticing the problem.
Dave Bittner: Wow. Are there any fixes for this kind of thing?
Rick Howard: So there are several mitigation techniques that the authors talk about in the paper, but the real trick is to get the compiler makers to look for the technique in their own software. So according to the authors, the fact that the Trojan source vulnerability affects almost all computing languages - let me say that again - almost all computing languages, this sort of makes this a bit of an existential threat. So if you're a development shop, it would definitely be asking your vendor about the countermeasures that they're putting into their products for this problem.
Dave Bittner: Yeah, that's fascinating. I mean, I suppose this is the kind of thing where the packages that you use for your development could automatically flag when it sees one of these directions shifts, right?
Rick Howard: You definitely see when they're calling the Bidi algorithm. Right? So at least...
Dave Bittner: Right.
Rick Howard: ...That's a flag, right? And then there's probably things we can do to check if they're trying to do something malicious. So we'll see how that goes in the future.
Dave Bittner: Yeah. You know, I noticed in the paper that there is a reference to research that was first published in 1984 by Ken Thompson, and he's the co-founder of the original Unix system...
Rick Howard: Yes, he is, yeah.
Dave Bittner: ...Along with Dennis Ritchie back in the '60s. So I mean, is that an indication that these Trojan source techniques are not actually all that new?
Rick Howard: Well, you can say that Ken Thompson invented the idea of a rootkit. He's the first guy that came up with the idea back - so in that 1984 paper, the paper was called "Reflections on Trusting Trust." And he just did it as a thought experiment, right? He devised a way to alter the C compiler shipped with every Unix system at the time. So when the compiler noticed an administrator re-compiling the login program - this is the program that, you know, people used to log into systems - the compiler would insert additional functionality to not only accept the password of the user trying to get in, but also a second password that only the hacker knew about. But when reviewers analyzed the code for the login program, that code wasn't in the login program. It was in the compiler, right? So they would see no signs of this additional functionality. So I would say it's the same technique as the Trojan source thing that these guys came up with. It's not exactly the same, but it's definitely in the same ballpark.
Dave Bittner: All right. Interesting times, huh, Rick?
Rick Howard: Yes, it is. That's why we get paid the big bucks, Dave. That's why we get paid the big bucks.
Dave Bittner: There you go.
Dave Bittner: All right. Well, Rick Howard, the CyberWire's chief security officer and chief analyst, as always, it is a pleasure to have you here. Thanks for joining us.
Rick Howard: Thank you, sir.
Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland's Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Hello, Ben.
Ben Yelin: Good to be with you, Dave.
Dave Bittner: Interesting publication here from the folks over at the EFF, the Electronic Frontier Foundation. This is an article written by Andrew Crocker, and it's titled "Police Can't Demand You Reveal Your Phone Passcode and then Tell a Jury You Refused." What's going on here, Ben?
Ben Yelin: So we've talked a lot on this podcast, on the "Caveat" podcast about this right against self-incrimination and law enforcement compelling you to enter your passcode. So your passcode is the content of your own mind, meaning it is generally protected under the Fifth Amendment's self-incrimination clause. You can't be compelled to testify against yourself. So generally, law enforcement cannot force you to open your device, especially in the absence of a judicial warrant.
Ben Yelin: So there's this case in Utah. It's State v. Valdez, where a defendant was charged with kidnapping his ex-girlfriend after arranging a meeting under false pretenses. The defendants in these cases are rarely the type of people that you want to be going to bat for, but, you know, that's what EFF does and the ACLU does and crucial part of our legal system.
Dave Bittner: Right.
Ben Yelin: So the police find a cellphone in his pocket. They want to search it for evidence. Valdez, the defendant in this case, refused to tell them the passcode. So he goes to trial. The police, you know, had given up. They weren't seeking a court order to get access to his device. But at trial, law enforcement testified that Mr. Valdez refused to enter in his passcode to open up the device. And that allows the jury, or the finder of fact in the case, to infer that the defendant was trying to hide something.
Dave Bittner: Right.
Ben Yelin: And this goes against the fundamental notion of the Fifth Amendment right against self-incrimination. In all other circumstances, law enforcement is not allowed to bring up at trial that a person invoked their Fifth Amendment right because that is going to, you know, prejudice a potential jury that the individual's trying to hide something. For this right to be meaningful, you know, the - this has to be something where a jury shouldn't be able to simply infer that somebody's trying to hide something because the person invoked that right against self-incrimination. This is a fundamental right. It doesn't have to do with, you know, digital devices necessarily. It has to do with the Fifth Amendment as it's existed throughout our country's history.
Dave Bittner: Right. So there should be no penalty for invoking that right.
Ben Yelin: Absolutely.
Dave Bittner: Yeah.
Ben Yelin: So the Utah Court of Appeals - so the court just below the Utah Supreme Court - agreed with that viewpoint. They said that it was not proper to introduce at trial evidence that this person refused to unlock their device. And now the case is in front of the Supreme Court, and you have EFF and other groups writing friends-of-the-court briefs. And...
Dave Bittner: This is Utah's Supreme Court.
Ben Yelin: The Utah Supreme Court. That's right.
Dave Bittner: OK. Yup.
Ben Yelin: So they're writing friends-of-the-court briefs, saying in order to maintain this fundamental Fifth Amendment privilege against self-incrimination, whether it's in the modern technological context or any other context, an accused person's ability to exercise their right without having that person's silence used against them has to be continued and maintained in our judicial system.
Dave Bittner: And in the digital realm.
Ben Yelin: Absolutely. And that's certainly something I agree with. I mean, I think the right against self-incrimination wouldn't have much meaning if at every future legal proceeding, law enforcement could come in and say, we asked Dave to unlock his phone. He didn't do it, must be hiding something.
Dave Bittner: Right.
Ben Yelin: You know, I think it would lose its luster. So a really interesting decision and something we're certainly going to follow as the Utah Supreme Court takes it up.
Dave Bittner: Yeah. All right. Interesting stuff, as always. Ben Yelin, thanks for joining us.
Ben Yelin: Thank you.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.