The CyberWire Daily Podcast 12.9.21
Ep 1475 | 12.9.21

Ransomware gangs, paycard skimmers, and Grinchbots. Russia blocks Tor, and the US Senate holds hearings on social media and its arguably malign influence on youth.

Transcript

Dave Bittner: Conti continues undeterred. Magecart skimmers are infesting WooCommerce instances. Users are finding URL redirection attacks difficult to detect. A quick look at the workings of the Hive ransomware gang. Russia blocks Tor. The U.S. Senate holds hearings on social media and adolescent mental health. Dinah Davis from Arctic Wolf on assessing your security posture. Our guest, Neal Dennis of Cyware, discusses automation and unification. And Grinchbots are still prowling for presents.

Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, December 9, 2021. 

Dave Bittner: The Russophone Conti ransomware gang does not appear to have been inhibited by recent anxieties circulating in the underworld. Over the weekend, CS Energy, a major electrical utility in the Australian state of Queensland, sustained a ransomware attack that was initially widely attributed to Chinese state actors. Not so, it turns out. Reuters says that the Conti gang was responsible. The gang has listed CS Energy on its leak site. 

Dave Bittner: On the other side of the world, Intelligent CIO reports that Nordic Choice Hotels has also disclosed that it was hit by Conti. The report says, quote, "the incident primarily impacts the hotel's guest reservation and room key card systems. Although there is no indication of passwords or payment information being affected, information pertaining to guest bookings was potentially leaked," end quote. 

Dave Bittner: RiskIQ reports finding three Magecart skimmers deployed in WooCommerce checkout pages. WooCommerce is a WordPress plugin widely used by e-commerce sites. Such businesses should be alert for the possibility that Magecart has been introduced into their sites. 

Dave Bittner: Proofpoint describes large-scale URL redirection attacks exploiting vulnerabilities in popular OAuth 2.0 implementations. Microsoft's and GitHub's are particularly mentioned. URL redirection attacks have fewer of the telltale signs users have come to associate with phishing. Proofpoint writes, quote, "the detected campaigns include, among others, Outlook Web Access phishing, PayPal login phishing and credit card harvesting. And these campaigns are still alive and evolving," end quote. 

Dave Bittner: Group-IB has been looking into the workings of the Hive ransomware operation. The rise of ransomware-as-a-service offerings in the C2C market has driven the increased commodification and scope of this form of criminal activity during 2021, and Hive has been a prominent player in the ransomware-as-a-service market. Group-IB researchers took advantage of errors in Hive's API to gain some insight into the gang's activities. Quote, "by October 16, Hive's API held records of 312 companies that most likely fell victim to Hive's operators," end quote. 

Dave Bittner: According to Reuters, the Russian government has extended its increasingly autarkic control over information transiting its internet precincts by blocking the private service Tor. Tor has responded by offering affected users a workaround involving a mirror site, but it seems likely the Kremlin will itself respond with further restrictions. 

Dave Bittner: The Senate Commerce Subcommittee on Consumer Protection yesterday held hearings on the impact of social media on young people. Subcommittee Chair Senator Richard Blumenthal, Democrat of Connecticut, framed the discussion. 

Richard Blumenthal: In this series of hearings, we've heard some pretty powerful and compelling evidence about the dangers of Big Tech to children's health, well-being and futures. Our nation is in the midst of a teen mental health crisis. Social media didn't create it, but it certainly fanned the fuel and the flames, and it's fueled it. And if anybody has any doubts about the potential harmful effects of social media, the surgeon general yesterday issued a powerful report about the implications of social media, as well as video gaming and other technologies, on teen mental health. And that's part of the reason we're here. 

Dave Bittner: The report the senator alludes to in his remarks is "Protecting Young Mental Health," which came out Tuesday under the signature of the U.S. surgeon general. The surgeon general wrote in his cover letter that, quote, "while technology platforms have improved our lives in important ways, increasing our ability to build new communities, deliver resources and access information, we know that for many people, they can also have adverse effects. When not deployed responsibly and safely, these tools can pit us against each other, reinforce negative behaviors like bullying and exclusion and undermine the safe and supportive environments young people need and deserve," end quote. The mental health issues the report is particularly concerned with are depressive symptoms and suicidal ideation. 

Dave Bittner: Senator Blumenthal went on to say that in his view, the era of self-policing was over and that Big Tech has forfeited the trust on which any effective system of self-policing would depend. He argued the algorithms were the 600-pound gorillas menacing children and that the platforms' offers of self-regulation are inadequate to restraining the gorillas. 

Dave Bittner: Senator Marsha Blackburn, Republican of Tennessee and subcommittee ranking member, opened her remarks by saying that it wasn't clear how the half measures industry proposed could meet our common goal of protecting teens online. She's concerned about the sheer magnitude of teenage consumption of social media and the effective impossibility of parental tracking, supervision and intervention in that consumption. 

Marsha Blackburn: We know that social media is an integral part of teens' daily lives. According to the Mayo Clinic, 97% of teens between ages 13 and 17 use a social media platform, and 45% say they are online almost constantly. So while telling teens to take a break might seem helpful on the face of things, it's probably not going to get most teenagers to stop doing what they're doing and take a break. 

Marsha Blackburn: Educational tools for parents can be helpful, but frankly, I'm more concerned about the things we know kids and teens are hiding from their parents. We know that Facebook and Instagram have encouraged teens to use secondary accounts and told them to be authentic. So while parents might gain some insight into what their teens do on their main accounts, what do they do about the accounts they don't even know exist? 

Dave Bittner: Instagram CEO Adam Mosseri was the witness the subcommittee called in for questioning. He began by pointing out that little had changed; that teenagers had always spent time with friends, always explored their identities and done the other things that represent both opportunities for growth and danger. The internet has changed the ways in which they do this. And while he believed that Instagram shared the goal of keeping young people safe online and could help do so, any solution had to be an industrywide solution and not the sole responsibility of any one company. 

Adam Mosseri: Now, I recognize that many in this room have deep reservations about our company, but I want to assure you that we do have the same goal. We all want teens to be safe online. The internet isn't going away. And I believe there's important work that we can do together, industry and policymakers, to raise the standards across the internet to better serve and protect young people. 

Adam Mosseri: The reality is that keeping people safe is not just about any one company. An external survey just last month suggested that more teens are using TikTok and YouTube than Instagram. This is an industrywide challenge that requires industrywide solutions and industrywide standards. 

Adam Mosseri: Now, we have a specific proposal. We believe there should be an industry body that will determine the best practices when it comes to what I think are the three most important questions with regards to youth safety - how to verify age, how to build age-appropriate experiences and how to build parental controls. 

Dave Bittner: Those standards Mr. Mosseri proposed should be, he thinks, the bar companies would need to reach, he argued, if they are to receive the Section 230 protections on which internet platforms have come to rely. Senator Blumenthal brought up the view that Instagram was addictive and needed to be regulated accordingly. Mr. Mosseri disagreed. 

Richard Blumenthal: Instagram is addictive. That's the view that has been repeated again and again and again by people who are expert in this field. Parents know it. And for teens who see Instagram's algorithms encouraging, for example, eating disorders, they find it almost impossible to stop. The U.K. code restricts Instagram's use of addictive design. Shouldn't we have a similar rule in the United States? 

Adam Mosseri: Senator, respectfully, I don't believe the research suggests that our products are addictive. Research actually shows that on 11 of 12 difficult issues that teens face, teens are struggling, said Instagram helps more than harms. Now, we always care about how people feel about their experiences on our platform. And it's my responsibility as head of Instagram to do everything I can to help keep people safe, and we're going to continue to do so. 

Dave Bittner: Concerns of this kind aren't new and neither is congressional attention to them. Historically minded listeners will be reminded of the hearings on the dangers of comic books the Senate held back in the 1950s. There was posturing and grandstanding there as well and some overwrought hand-wringing over the ways in which Mad Magazine, to pick one publication, was, in those pre-Comics Code days, leading young Americans into depravity. Mad's publisher, Mr. William Gaines himself, testified on behalf of what Mad always called the usual gang of idiots and revealed in the case of his testimony that he was a certified teacher with a degree in education qualified to teach in New York public schools. 

Dave Bittner: Despite all this, and lest one be inclined to dismiss hearings like these as so much playing to the electorate, it's difficult to look at accounts of the hearings and not conclude that, the First Amendment and the resilience of young minds aside, there wasn't some fairly objectionable content in the comics as there is in social media. What can or should be done about such content is less clear. 

Dave Bittner: Anyhoo, social media are having their comic book moment on Capitol Hill. Expect the evolution of various forms of a social media code to follow the path set by the comics code more than half a century ago. And also, note that the Comics Code has faded over the past few decades, as a stroll through any local comic book store will quickly reveal. We can also hope, as regular Joes and ordinary Janes, that the platform impresarios turn out to be at least as entertaining as was Mr. Gaines - but so far, no joy. 

Dave Bittner: As the holiday season advances toward Christmas, researchers at security firm Imperva report increased Grinchbot activity. They say advanced bot traffic sessions on retail sites in November 2021 grew nearly 73% over the previous month, indicating that many bot operators increased their efforts as the Singles Day, Black Friday and Cyber Monday e-commerce holidays came and went. 

Dave Bittner: The Grinchbot's goal is to partially corner the market for presents that are likely to be in high demand on e-commerce retail sites. That way, they can resell them for a sweet profit. So if you have been having trouble getting a PS5 or a Pokemon 15th anniversary celebration ultra-premium collection - well, shopper, blame the Grinchbots. 

Dave Bittner: The team at virtual cyber fusion platform provider Cyware recently commissioned Forrester Consulting to take a look at the flow of security operations data within organizations to help understand where security teams are hitting data-sharing speed bumps and how best to overcome them. Neal Dennis is a senior intel analyst at Cyware Labs. 

Neal Dennis: So I would like to say I'm surprised at this, but I really am not. There was - roughly 24% of respondents to this report said that they actually had legit unfettered access to the data that makes their world go round. So translation - 76% of the people out there know that there's data that exists that can help make their life better, but they can't get access to it in a free-flowing way or access it in a way that makes their life less complicated. So I thought that was kind of earth-shattering a little bit to see it that far. But once again, I'm not as surprised as I probably should be with that status check. 

Neal Dennis: And then the other big one for me when I was looking at this, there was similarly lack of intent to implement SOAR automation orchestration on any front. In the responses, roughly only about - I think it was roughly 8% or so made mention that they were either expanding, upgrading or intended to implement some kind of SOAR functionality within their org. You know, 90-plus percent of the respondents had no SOAR in play, roughly, you know, so that's also kind of surprising. 

Dave Bittner: What are the barriers here? What's keeping people from streamlining these operations? 

Neal Dennis: I think today, a lot of it just has to do with maybe a misunderstanding of what technologies are available today and the costs associated with those technologies versus what was maybe five, 10 years ago. When the concept of SOAR and orchestration automation really first started gaining traction, you know, five-plus years back, you know, there was only a handful of offerings out there. It wasn't really a big thing just yet. And the solution back then was, I'm just going to hire another person. And he's - he is my, quote-unquote, "SOAR," basically. You know, he's - he, she is going to be the ones going and checking boxes. So I think there's some lack of understanding of what it really takes to implement orchestration and automation in an environment today. 

Neal Dennis: I think people misinterpret the scale required to do this. And I think they also believe - there's a good chunk of individuals who think that it really is only for incident response solely, as in, you know, we have an email come across the line. I need to figure out what the value of that potential email is, if it's malicious, not malicious, and do that kind of level of triage. And then it kind of stops. I don't believe people fully understand that, you know, we can take these orchestration automation fundamentals and apply them to so much more than just the basic levels of incident response, the basic levels of triage within a SOC. I mean, there's so much there that can go into play to tie a lot of things together. 

Dave Bittner: Are there any potential speed bumps that people should know about, any words of wisdom along the way, you know, things just to be mindful of as you're making your way through this transition. 

Neal Dennis: Definitely. So when we implement SOAR, when we start talking about what it takes to break down these silos and start to unify the org and even start to collaborate externally, we always have to remember there's still a need for the human in the loop. You're going to come out - you're going to create these playbooks, these automation checkpoints within your flows. No one should ever tell you that you're going to completely replace the human for the totality of every single process they're writing a playbook for. 

Neal Dennis: Are there things that we can get the human out of the loop for? Definitely. But at some point in time, the human still has to have access. The human still has to have the ability to at least inject their thoughts into that process when and where needed, based off of whatever logic they built. 

Neal Dennis: So in my mind, anyone who comes out and says we're going to completely automate and orchestrate out every single thing that you've got going on or all of these little things here, and you'll never have to have a human back in this - I think we need to be wary that you should always have the opportunity to put the human back in the loop, to pulse-check things, to make sure that it's doing what it's supposed to be doing and even inject them as a data point into some of these unique playbooks that you might create. I think that's a very key implementation factor. 

Neal Dennis: And then lastly, you know, some of the other hurdles to think about - you know, these data silos - if you go forth with implementing SOAR in your solutions as part of a solution offering, involve the rest of your staff. Involve the rest of the teams within your org. Look external of just the SOC. Go to the vulnerability management team if they're not within the SOC. Go to the red team. Go to the threat hunters. Go to your - definitely please go to your threat intel analyst if you have those. 

Neal Dennis: Look at your infrastructure management crew, the ones who are handling the actual products out there in your security stack and making sure that they're up and working. Involve them in these decisions. Figure out what it's like for them to do the work they're doing, the things that you're sending them, and make sure it doesn't get stovepiped anymore. So get everybody together, implement it as a team, help break down those stovepipes along the way and start making that a more collaborative effort. 

Dave Bittner: That's Neal Dennis from Cyware. 

Dave Bittner: And joining me once again is Dinah Davis. She's the VP of R&D operations at Arctic Wolf, also the founder and editor in chief at Code Like a Girl. Dinah, always great to have you back. 

Dave Bittner: You know, as we're coming here up to the new year, I think it's that time when people sort of take stock on things. And I want to check in with you on some tips for folks out there to assess their security posture. What can you share with us today? 

Dinah Davis: Yeah. So I mean, understanding your security posture is really important because if you don't, you don't actually know how to secure yourself, right? It's like owning a house and not knowing where all the doors are, so you don't even know if you're locking them all, right? So there's, you know, a few surfaces where you really want to look at - attack surfaces. You want to look at your assets, your network, your endpoints, cloud, your people and your vendors. 

Dinah Davis: So for your assets, you want to do a vulnerability assessment. You want to know what version of software is running on all the things you have in your system. Because if it's at a later version and there are security patches available, then you're vulnerable. So the old adage of, like, patch early, patch often, like, just never stop patching (laughter) is basically the answer there. 

Dave Bittner: Yeah. 

Dinah Davis: For your network, do you have the right firewalls in place, the right intrusion detection systems? Are you monitoring your network traffic to see what could be coming in and going out, right? For the endpoints, you want to make sure you're running an endpoint software - right? - which - you know, like an agent of some kind that is watching what's happening on the computers that aren't inside your network, right? Because in this work-from-home world that we live in now, all of the computers aren't just, you know, monitored and safe because they're behind the company's firewall. They're out there everywhere. And so you need to monitor what applications are getting put on the machine and watching for nefarious things in that way. 

Dinah Davis: One area people don't often think about is the cloud. They think, you know, just because something's in the cloud, it's safe. That company is, like, taking care of it - right? - if you think of, like, an Office 365 or something. But... 

Dave Bittner: Right. 

Dinah Davis: ...We actually at Arctic Wolf noticed a business email compromise attack just by monitoring the Office 365 logs for one of our clients. So we first noticed the issue when we got a log in from a suspicious country for one of the company's executives. We flagged that with the customer and were like, hey, I don't think your company's - your executives are supposed to be logging in, you know, from this area. 

Dave Bittner: Right (laughter). Is he on vacation or - in the Far East? 

Dinah Davis: Yeah. And I mean, the customer decided that, like, no immediate action was needed. They were like, well, this can be caused by VPN, so we don't know. And then - you know, so we kept an eye on the situation. And that's when the second indicator of compromise came in, which was a mail rule. 

Dave Bittner: Ooh. 

Dinah Davis: Yeah. This is really common, actually. They go and they get in, and then they want to change a mail rule. And why would they do that, right? Well, they can start forwarding all email that says the word finance in it or bill or anything like that to them. So we indicated to the clients that, you know, we thought there was an attack in progress. And reviewing the Office 365 logs, we actually found that the rule they created would conceal any email replies from that account. So the hackers were targeting a wire transfer and had already sent a wire transfer request for $700,000. 

Dave Bittner: Wow. 

Dinah Davis: Working with the customer and their account team, we were able to put an emergency stop on the wire transfer. And then the IT team locked down the compromised account and reset everything, kicked them out. You know, if we hadn't have been there, they might not have seen that happened, right? So what happened was, the attacker went in and was that person. He had - they had their account. So they sent the wire transfer email to the bank. And then the - and stopped all replies from coming back. So the - if the bank replied and said, are you sure? Do you really want to do this? Or, you know, they wouldn't - the person wouldn't have seen those replies because of the email filter they put in. 

Dave Bittner: Now, do you have any insights on the initial access here in terms of getting that user's credentials and whether or not they had multifactor? 

Dinah Davis: I don't actually. But multifactor would have - makes it intensely harder, like infinitely harder. 

Dave Bittner: Right. 

Dinah Davis: Right? 

Dave Bittner: Right. 

Dinah Davis: It's kind of like that adage of, like, you got to run faster than everyone else away from the bear. 

Dave Bittner: Right. Right. Right. 

(LAUGHTER) 

Dinah Davis: The slowest one's going to lose, so the one without the multifactor is an easier target. If you make yourself a slightly harder target, they're going to just move on to the next one, right? 

Dinah Davis: So two more areas for your attack surface - right? - your people. So 80% of what people learn, they forget within four months unless they're reengaged, like, right away, right? So you want to do training often. You want to do it only two or three-minute segments. You want the content that is shared with the employees to be, like, really relevant. And, you know, you don't want to crush the IT team while you're doing it. So you don't want to have to make them do a whole bunch of work, right? 

Dinah Davis: So - and then the other thing for employees is take the risk away. Implement an SSO program. When they only have to remember one hard password, that's way better. And if you think they're compromised, you can shut down their access to everything in your system in one shot. 

Dave Bittner: Right. 

Dinah Davis: So SSO is really quite important. And then finally, we have vendors, and so that's all about managing your supply chain and, you know, making sure that you understand what they have access to, what they don't have access to and that kind of thing. 

Dave Bittner: Well, it's a great list for sure, and I think a lot of cautionary tales packed in there. I mean, some of it - you know, you think about, oh, these are the basics, but when you list them all out like that, it's a good reminder that there really is a lot. And, you know, security folks have a lot on their plates. 

Dinah Davis: Yeah. Exactly. 

Dave Bittner: All right. Well, Dinah Davis, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.