The CyberWire Daily Podcast 11.16.21
Ep 1460 | 11.16.21

Threats and vulnerabilities, old and new, include Emotet and Mirai. CISA advises of DDS vulnerabilities. Arrest in a revenge porn case.

Dave Bittner: Older threats are out and about, and an old vulnerability gets a fresh proof of concept. A new banking Trojan threatens Europe. Intel works on vulnerabilities. CISA advises awareness of recently reported DDS vulnerabilities. Joe Carrigan explains how spear-phishers are using customer complaints as bait. Rick Howard speaks with Carlos Vega from Devo on supply chain issues, and an arrest is made in a Maryland case of revenge porn.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, November 16, 2021. 

Dave Bittner: A few older threats and vulnerabilities are resurfacing this week. Researchers have begun seeing signs that Emotet, a botnet widely used to distribute spam that carried other payloads, has resurfaced. The other payloads included QakBot and TrickBot, which in turn were used to deliver initial access for ransomware infestations with Ryuk, Conti, ProLock, Egregor and other strains. Recall that Europol had effectively disrupted Emotet's infrastructure back in January and arranged for general uninstallation. That uninstallation of the malware, led by German authorities, took place in April. 

Dave Bittner: Bleeping Computer reports that TrickBot has recently been observed dropping an Emotet loader into infected devices. German security firm G Data blogged that on Sunday it detected a DLL that appeared to be Emotet. It subsequently confirmed the identification. 

Dave Bittner: The Record, which has been in touch with researchers at Cryptolaemus, who have been tracking the reappearance of Emotet, writes that the comeback appears to be in its early stages. Emotet isn't yet actively sending out spam, and it appears the operators may be trying to quietly reestablish their infrastructure. The Cryptolaemus researchers said, "it doesn't seem too large at this time, and we are not seeing active distribution yet," end quote. But the malware's reappearance will be worth keeping an eye on. 

Dave Bittner: The Mirai botnet, venerable by botnet standards, is also back. Cloudflare says that last week it blocked a DDoS attack from 15,000 IoT bots and unpatched GitLab instances running Mirai. The attack peaked at almost 2 terabytes per second. It was a brief attack, lasting just about a minute, but impressive in its volume even if it fell short of setting a record. DDoS attacks appear to be regaining some popularity among criminal organizations, who use them to disrupt businesses they're targeting for extortion. They can also serve as a form of noisy misdirection to cover other, more serious attacks - the bad guy's way of saying, look, there's nothing up my sleeve. 

Dave Bittner: There's also a fresh Rowhammer proof of concept out and about. Researchers at the COMSEC Computer Security Group published an account of a new approach to exploiting this familiar vulnerability. Quote, "it is possible to trigger Rowhammer bit flips on all DRAM devices today despite deployed mitigations on commodity off-the-shelf systems with little effort. This result has a significant impact on the system's security as DRAM devices in the wild cannot easily be fixed," end quote. 

Dave Bittner: Newer DRAM modules, DDR5 devices, are thought to be more resistant to exploitation than earlier and still widely used modules. But it's not clear that they're immune. There's no evidence that this exploit is being used in the wild, but there's also no clear mitigation readily available. And it would seem that Rowhammer in general requires further work. 

Dave Bittner: There are also some new threats and vulnerabilities. An Android banking Trojan researchers at Cleafy are calling SharkBot is affecting banking customers in Europe. According to The Record, SharkBot appears to be in a relatively early stage of development, but it's enjoying some success by using automatic transfer systems to bypass protections normally provided by multifactor authentication. As is the case with many other Android Trojans, SharkBot covets access to the Android Accessibility service, a perfectly legitimate feature that's intended to automate certain interactions in ways that make it easier for physically impaired users to work with their devices. 

Dave Bittner: The Trojan uses the features of Accessibility service to mimic screen taps and perform malicious tasks, such as granting itself admin rights, showing fake login screens on the user's device, collecting keystrokes, intercepting and hiding two-factor SMS messages and accessing mobile banking and cryptocurrency apps to transfer funds. For now, SharkBot's able to interact with 22 banks based in the U.K. and Italy and with five cryptocurrency applications, but it's reasonable to expect the criminal operators to open their net wider. 

Dave Bittner: Intel has released firmware updates for a privilege-escalation vulnerability in some processors' BIOS. Intel is also addressing, according to Ars Technica, an issue that could allow an attacker with physical access to backdoor some chips. Positive Technologies outlines the bug's implications. The issue comes down to a debugging function with excessive privileges. 

Dave Bittner: Positive Technologies' Mark Ermolov wrote in the company's blog, quote, "one example of a real threat is lost or stolen laptops that contain confidential information in encrypted form. Using this vulnerability, an attacker can extract the encryption key and gain access to information within the laptop. The bug can also be exploited in targeted attacks across the supply chain. For example, an employee of an Intel processor-based device supplier could, in theory, extract the Intel CSME firmware key and deploy spyware that security software would not detect. This vulnerability is also dangerous because it facilitates the extraction of the root encryption key used in Intel PTT" - that's Platform Trust Technology - "and Intel EPID (Enhanced Privacy ID) technologies in systems for protecting digital content from illegal copying. For example, a number of Amazon e-book models use Intel EPID-based protection for digital rights management. Using this vulnerability, an intruder might extract the root EPID key from a device, an e-book, and then, having compromised Intel EPID technology, download electronic materials from providers in file form, copy and distribute them," end quote. 

Dave Bittner: Again, exploitation would require physical access to the targeted devices, but that access would need only be brief; a matter of minutes, not hours. 

Dave Bittner: CISA warns that vulnerabilities affecting Distributed Data Service standards are being reported. The agency's advisory says, quote, "CISA is aware of a public report detailing vulnerabilities found in multiple open-source and proprietary Object Management Group Data-Distribution Service implementations. This advisory addresses a vulnerability that originates within and affects the implementation of the DDS standard. In addition, this advisory addresses other vulnerabilities found within the DDS implementation. CISA is issuing this advisory to provide early notice of the reported vulnerabilities and identify baseline mitigations for reducing risks to these and other cybersecurity attacks," end quote. 

Dave Bittner: There is no known exploitation of these vulnerabilities in the wild, but CISA recommends applying the patches and mitigations the affected vendors are making available. Those vendors include Eclipse, eProsima, GurumNetworks, Object Computing, Real-Time Innovations and TwinOaks Computing. If you're a customer, check in with them for specifics. 

Dave Bittner: And finally, an arrest has been made in the seamy DIY world of revenge porn, in which alienated affection leads a disappointed once-and-future suitor to distribute, nonconsensually, saucy photos of an inamorata online. In this case, a small-town mayor in Maryland, the honorable Andrew Bradshaw, Republican of Cambridge - and we stress that's Cambridge, Md., and not Cambridge, Mass., still less Cambridge, England - has been arrested and charged under Maryland law with some 50 counts of distributing revenge porn, the Dorchester Star reports. And that's Dorchester, Md., not Dorchester, Mass., still less Dorchester, England. His honor, of course, enjoys the presumption of innocence until such time as he's convicted should, of course, he be convicted of what he's allegedly done. 

Dave Bittner: The supply chain is in a lot of headlines these days, both in the real world and cyberspace. Our own Rick Howard checked in with Carlos Vega from Devo for his insights on the supply chain. 

Rick Howard: A few weeks ago, I had the great pleasure to talk to a longtime friend of mine and an old army buddy. 

Carlos Vega: My name is J.C. Vega. I've been in cybersecurity for over 20 years and in security for over 30 years, and I recently took over the CISO job at Devo, the cloud-based SIEM. 

Rick Howard: And we got to talking about why we both thought that the way the network defender community currently defends cyber supply chains is broken. 

Carlos Vega: First of all, we got to expect the anomalies, and we have to be prepared to respond when we do detect something. We say that in cyber, the adversary is moving at machine speed, and we have to be able to coordinate and react at machine speed. And there's some truth to that, but there's another aspect of it, and that is developing those trust relationships in the environment itself. That means the dependencies that you have with your suppliers or even partners, you have to be able to engage them to either inform, persuade or influence them to adjust their posture to meet your security requirements. 

Rick Howard: You're saying that the way we fix this is we make our suppliers get better at security than we are. 

Carlos Vega: We don't make them get better independently of our system. We complement one another. And the idea is that if you look at, you know, the different terms - defense and collective defense, Zero Trust - if you find weakness in one of your partners, you may have to invest in them to help them bring up their standard so that they can comply with your security requirements. And that's an investment. 

Rick Howard: I'm not against that idea, but let me play devil's advocate here. SolarWinds - that's a significant company. What would you suppose you would help them do? 

Carlos Vega: They have competitors, and sometimes it's going to be the market that is going to drive the standard. Sometimes it's going to be regulation that drives a standard. And sometimes it's going to be your risk acceptance. So it's not necessarily just saying I'm beholden to one product or one service. The idea is you have choices out there, and you can choose to accept that risk or you can choose to do something else. 

Rick Howard: That part, I totally agree. You know, why would you allow anything from the SolarWinds administration box to touch anything else in your environment? To me, that's a Zero Trust strategy, not a technology. I'm not talking about a Zero Trust strategy. I'm talking about identity management or two-factor authentication. I'm not going to allow anything coming from the SolarWinds admin box to reach out and authorize, you know, tokens for my exchange environment in the cloud. That's a no-brainer. 

Carlos Vega: When we first got into this, you know, root was the God key. If you had root access to something, you can control everything. And the idea of looking at these systems - what type of permissions? Why would this system need root access to operate in your environment? And so you have to see what permissions do they have? Do they need that permission? Do they really need that permission? And if they do, then how do you mitigate that risk? How do you reduce your exposure to them? How do you keep them outside of your precious assets so that they cannot cause a material harm to your organization? 

Rick Howard: And that goes back to your original idea. If you have some piece of software that demands that they have root privileges in your network, that's where you can leverage and say, listen, I'm not going to buy you guys because you got an obvious problem with your security. I'll go to your competitor. 

Carlos Vega: Find out how the system works. What are the intricacies that make that process or that tool provide the functions to your system? If you're tied to that system and that tool, then I have to change and adapt my environment, given the risk that I have with those tools or processes that I have there. I can't control everything, but I should control, maintain control of the things that I do have complete responsibility for. 

Rick Howard: That was J.C. Vega, the CISO at Devo. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Joe, I don't know how to say this, and I hate to air things publicly like this, but... 

Joe Carrigan: Uh-oh. 

Dave Bittner: ...I've got some bad news. 

Joe Carrigan: Oh, no. 

Dave Bittner: We've had some complaints. 

Joe Carrigan: OK. 

Dave Bittner: Specifically, we've had complaints about you... 

Joe Carrigan: OK. 

Dave Bittner: ...And your appearances on our show. I have put them - I've gathered them together, and I've emailed them to you. You'll find a PDF file in your email. So I just need you to click through on that PDF file to read some of these complaints. 

Joe Carrigan: And I'll open that right away, Dave. 

Dave Bittner: And of course, I am just kidding, Joe (laughter). We - everyone loves you, and you get lots of great reviews. But... 

Joe Carrigan: Oh, do I? Good. I'm glad to hear that. 

Dave Bittner: But what I have done is I have led us into this - I've cleverly led us into this story... 

Joe Carrigan: Right. 

Dave Bittner: ...From the folks over at Naked Security by Sophos, written by the great Paul Ducklin. And this is about a scam that's taking advantage of people's emotions in kind of a unique way. What's going on here, Joe? 

Joe Carrigan: So what Paul is talking about here is the - kind of like what you just said. It's an attack targeting more junior members of a support team or some customer-facing team. They have a great formula in here that says guilt plus fear equals haste - right? - which is what they're trying to do. What these malicious actors are trying to get you to do is to click through the link without thinking about it. 

Dave Bittner: OK. 

Joe Carrigan: They're trying to make you feel guilty and to scare you to do that. And there is a great example that Paul received here that - apparently, people call him Duck. The email reads, Duck, call me back. And it says, Duck, I'm on my way into the office. Why didn't you tell me about this customer complaint in PDF on you? Call me back right now. And then it has a link to the report - to the customer complaint report. 

Joe Carrigan: Now, one of the things that Paul talks about in this is that while this is technically a spear-phishing attack because they have targeted him and other people in his organization directly... 

Dave Bittner: Yeah. 

Joe Carrigan: ...It's very easy to automate this process with a spreadsheet of contact information and with a list of email addresses that has the contact information associated with it. Because frequently, when you send out an email, it has your first and your last name. 

Dave Bittner: Right. 

Joe Carrigan: One of the things that always sets me off is when it says Joseph in my (laughter)... 

Dave Bittner: Oh, right. 

Joe Carrigan: ...In my email because nobody addresses me as Joseph. They all address me as Joe. 

Dave Bittner: Right. 

Joe Carrigan: Right? So whoever signed me up for the PR Newswire... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Maybe you go into that database and change it to Joe, and I can more quickly delete your emails. Anyway... 

Dave Bittner: (Laughter). 

Joe Carrigan: So Paul talks about how easy it is to put one of these things together. It's very minimal the amount of open-source intelligence gathering you have to do. And then he talks about how, initially, the campaigns were not put together well. Like, they went to a Google-branded webpage that was hosted on Microsoft services - and, of course, that doesn't jibe in people's minds, and... 

Dave Bittner: Right 

Joe Carrigan: ...Maybe that sets people off, but they're hoping that you're upset, that you don't notice this. Then at one point in time, you are asked to download a file, and it says, didn't - you know, it's even got a picture here that says, preview of the report is ready to open. It didn't work. Try downloading again. 

Joe Carrigan: And when you download it, it actually downloads an .appx bundle, which is a Microsoft bundle that is - it's essentially an executable. You can think of it as an installation program that doesn't bother the user with architecture concerns. 

Dave Bittner: OK. 

Joe Carrigan: OK? And what that means is when a user downloads a program, they have to know what their architecture is. Am I on 32-bit, or am I on 64-bit? Am I on an X86, or am I on an ARM processor? 

Dave Bittner: OK. 

Joe Carrigan: Right? Well, those questions are not readily answerable by the vast majority of computer users. They have to go think about that. In fact, I don't even - I mean, I know what I have on mine, but on this Chromebook, I don't know what the architecture is. 

Dave Bittner: Right. 

Joe Carrigan: Right? 

Dave Bittner: Yeah. 

Joe Carrigan: I'd have to look it up. So the solution to that is they build these .appx bundles that will run on just about any Windows platform that you have. So it's got the compiled code for everything, or maybe it can put the right machine instructions in there. 

Dave Bittner: Right. 

Joe Carrigan: But when you start running it, you get an application that looks like it's been trusted by Microsoft. It's been signed with a certificate, but the certificate is from an accounting firm in southwest England if you actually look at the information about it. But it still says it's Adobe on the install screen. 

Dave Bittner: Oh, OK. 

Joe Carrigan: And one of the capabilities, or actually the only capability it wants, is all system resources. 

Dave Bittner: Oh, just that. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: So what happens here when you install this is it immediately calls out to an IP-verification service, which Paul notes - that's really not necessary because as soon as this machine connects to command-and-control servers, they'll have the IP address, the public-facing IP address. 

Dave Bittner: OK. 

Joe Carrigan: But they're double-checking that. And then it gathers up what might seem like innocuous information. It gathers up all the statistics about your machine, like what your architecture is, how much RAM you have, how much free hard drive space you have, and sends that to command and control. It - this is a bizarre backdoor install, which is... 

Dave Bittner: Ah, OK. 

Joe Carrigan: ...Malware that is capable of downloading more malware. So you think of it as a kit, right? So I - if I'm a bad guy, I go out and I get a bunch of these machines infected with this bizarre backdoor. And now I have control over them. They're all reporting back to me on some regular basis. Now I have an army of bots ready to do whatever I want, and all I have to do is either buy or write or develop or something the functionality I want... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And distribute it to these bots, and they'll do it. It could be anything. It could be crypto mining. It could be ransomware. It could be password-cracking. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, it's - it could be whatever I want it to be. 

Dave Bittner: But the real clever part of this, you know, beside what's going on technically... 

Joe Carrigan: Right. 

Dave Bittner: ...Is the hook itself - the... 

Joe Carrigan: The hook itself is... 

Dave Bittner: ...The emotional part. 

Joe Carrigan: Right. We got away from that because we're on the CyberWire podcast, not on "Hacking Humans," but (laughter) we - this is the kind of stuff we talk about on "Hacking Humans." They're looking to fire off your amygdala - right? 

Dave Bittner: Yeah. 

Joe Carrigan: ...To short-circuit your thinking and to induce cognitive narrowing so that you don't think about the things that are setting off red flags about the situation. All you think about is your job security. They're attacking you very low on Maslow's hierarchy of needs here. 

Dave Bittner: (Laughter) Right. Right. You're in trouble at work. 

Joe Carrigan: Right. 

Dave Bittner and Joe Carrigan: Yeah. 

Joe Carrigan: How am I going to feed my family if this happens? 

Dave Bittner: Yeah. 

Joe Carrigan: So Sophos has some advice, or I should say Paul put some advice in here. It's stop, think, connect - because the, you know - don't act. 

Dave Bittner: Yeah. 

Joe Carrigan: Don't act right away. Just stop and think about it. One piece of advice he has for companies is really good. Always use official channels for communicating with your staff. But he says, establish a policy of what that looks like. If you have people that are customer-facing, they're going to get customer complaints. It's going to happen. 

Dave Bittner: Right. 

Joe Carrigan: So address that with these people as soon as - on Day 1, as part of their onboarding. When you get a customer complaint, here is what will happen, right? This is how this process works. Everybody who works in customer service gets customer complaints, right? So don't be alarmed. Don't be worried about it. You know, if you have five or six of these a year, no big deal - or whatever your risk tolerance is, you know. 

Dave Bittner: Yeah. 

Joe Carrigan: And here's how the process works. That way, when they see this email come in, they're already equipped to know, OK, this might be fraudulent. 

Dave Bittner: Yeah. 

Joe Carrigan: 'Cause this isn't what the process is that they told me it would be. 

Dave Bittner: Right. 

Joe Carrigan: Other things, he says, is set up an easy-to-remember contact point for security reports. Have a, like, spam at whatever your address is or security or whatever. If you're not letting .exe files come through your firewall, don't let these other application bundles come through. And there's a whole list of them that are available. Get familiar with what they are. And don't be seduced by on-screen security promises like the verified signature. Paul theorizes that this accounting firm's signing keys were probably stolen in another breach... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And then used to sign this backdoor as a trusted application. 

Dave Bittner: Yeah. Yeah. All right. Well, it's an interesting story. I'd say that social engineering hook is pretty compelling. 

Joe Carrigan: Right. 

Dave Bittner: And our thanks to the folks over at Naked Security by Sophos and Paul Ducklin for putting this out there. 

Joe Carrigan: It's a great find, Paul. 

Dave Bittner: Yeah. Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.