The CyberWire Daily Podcast 5.24.22
Ep 1585 | 5.24.22

Verizon's 2022 DBIR shows a sharp rise in ransomware. Origins of Chaos ransomware. GuLoader’s phishbait. Malicious proofs-of-concept. Hyperlocal disinformation and hybrid warfare. Robin Hood?


Dave Bittner: Verizon's 2022 Data Breach Investigation Report shows a sharp rise in ransomware. Origins of the Chaos ransomware operation. The GuLoader campaign uses bogus purchase orders. Security researchers are targeted in a malware campaign. Turla reconnaissance has been detected in Austrian and Estonian networks. Ben Yelin describes a content moderation fight that may be headed to the Supreme Court. Our guest is Richard Melick from Zimperium to discuss threats to mobile security. And a ransomware group acts like Robin Hood - or not.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, May 22, 2022. 

Verizon's 2022 Data Breach Investigation Report shows a sharp rise in ransomware.

Dave Bittner: Verizon has published its 2022 Data Breach Investigation Report, finding that ransomware rose by 13% last year, a greater increase than the previous five years combined. Eighty-two percent of breaches involved the human element, which encompasses phishing, stolen credentials, misuse or error. The researchers also found that supply chain breaches were behind 62% of intrusions last year. Verizon writes, there are four key paths leading to your estate - credentials, phishing, exploiting vulnerabilities and botnets. All four are pervasive in all areas of the DBIR, and no organization is safe without a plan to handle each of them. And while the rise in ransomware features prominently in the report, Verizon notes that ransomware by itself is at its core simply a model of monetizing an organization's access. 

Origins of the Chaos ransomware operation.

Dave Bittner: Researchers at BlackBerry have published a report outlining the genealogy of the Chaos ransomware family, detailing six versions of the malware that have been released since it first surfaced in June 2021. BlackBerry found that Chaos has ties to the Onyx and Yashma ransomware strains, although Chaos initially - and unsuccessfully - claimed to be an offshoot of Ryuk. It wasn't. The false claim was evidently a reach for C2C credibility. Fortinet had earlier tracked Chaos's rise to prominence as its operators declared their adherence to the Russian cause in Moscow's war against Ukraine. BlackBerry notes that Chaos has advanced beyond its beginnings as a relatively basic operation and has now evolved into a flexible, widely available and difficult to track malware operation. 

GuLoader campaign uses bogus purchase orders.

Dave Bittner: Fortinet reports that they have found a phishing email that drops GuLoader targeting a Ukrainian coffee company. GuLoader, which is also known as CloudEye and vbdropper, is used to drop other malware variants. The phishing email presented itself as a purchase order from an oil company in Saudi Arabia with a PDF containing an executable for GuLoader. The attack is unique in that it uses the less common Nullsoft Scriptable Install System - NSIS - a script-driven installer authoring tool for Windows, to deploy itself. FortiGuard Labs calls it a medium severity threat for Windows users. 

Security researchers targeted in malware campaign.

Dave Bittner: BleepingComputer reports that security researchers were the target of a threat actor using fake Windows proof-of-concept exploits that infected devices with the Cobalt Strike backdoor. Cobalt Strike is an often abused but legitimate pentesting tool. The threat actor took advantage of recently patched Windows remote code execution vulnerabilities, presenting themselves as a security researcher who used the fix to inspire two proof-of-concept exploits for the flaw on GitHub. The exploits were quickly found to be fake. 

Hyperlocal disinformation.

Dave Bittner: Hyperlocal sites have been marshaled by Russian influence operators to normalize the occupation of Ukrainian villages controlled by Russian forces, CyberScoop reports. They source their story to Detector Media, which says that the effort is being organized over Telegram. Detector Media writes, we managed to find 88 newly created Telegram channels of the occupiers. However, their list is growing. The vast majority of such channels were registered a few days after February 24. A significant part of local channels was created long before the actual military occupation of the cities. And some of those are the ones that the Russians did not manage to occupy. Conventionally, such channels can be divided into two categories - those that can act as official sources of the occupiers - that is, such Telegram channels post on behalf of the occupiers, for example, inform about humanitarian aid or call for reporting on the movement of Ukrainian military equipment - and those that mimic the media's behavior, publish news about the occupied city or village but are overfilled with propaganda and misinformation. The content mirrors familiar Russian lines of disinformation - Ukrainian corruption and failure, the Western conspiracy behind the war, the promise of liberation and so on. The evidence of Russian creation and coordination that Detector Media cites is circumstantial but convincing. 

Turla reconnaissance detected in Austrian and Estonian networks.

Dave Bittner: BleepingComputer reports that the Russian threat actor Turla, also known as Snake or Venomous Bear and associated with the FSB, has staged typosquatting domains for use against Austrian and Estonian targets. The activity so far represents a cyber-reconnaissance phase of battlespace preparation. It is, as the Sekoia researchers who discovered it say, a phishing campaign. 

Pay that ransom to the needy, greedhead.

Dave Bittner: And finally, the Independent describes research by CloudSEK that outlines the operations of the GoodWill ransomware group, a gang that, instead of conventional ransom, asks its victims to do something good for the less fortunate. As the threat group's name suggests - and we hasten to say that there's no connection here with the well-known, legitimate charity Goodwill - the operators are allegedly interested in promoting social justice rather than conventional financial reasons. The actors suggest that victims perform three socially driven activities in exchange for the decryption key. Donate new clothes to the homeless. Record the action and post it on social media. Take five less fortunate children to Domino's, Pizza Hut or KFC for a treat. Take pictures and videos and post them on social media. And provide financial assistance to anyone who needs urgent medical attention but cannot afford it at a nearby hospital. Record audio and share it with the operators. Or so they say. The Independent says it's been unable to determine whether any of those affected have paid it forward or sideways or whatever direction one pays this kind of ransom. 

Dave Bittner: Mobile security platform developer Zimperium recently released the results of their Global Mobile Threat Report, which analyzes the state of mobile security worldwide. For insights on their findings, I checked in with Richard Melick, director of threat reporting at Zimperium. 

Richard Melick: So you have your personal device, which is your personal information, which we should still be securing against. And then there's the corporate-provided device. Well, that corporate-provided device - the standard operating procedure right now is to deploy out that device with a mobile device management solution installed on it. And that is your, quote, unquote, "security layer." I am here to tell you - you can quote me on this - mobile device management is not security. It is not capable of protecting against phishing. It is barely capable to detect and alert of a jailbroken or compromised device. You can deploy out policies and say what apps are installed and what apps are not. But what if those apps are compromised? What about sideloading, where it's not going through the official Play Store? Or somebody goes to a compromised website through a phishing link or an email? What if they're connecting into a compromised network? Those security controls do not exist within mobile device management, and that's what is applied towards employee-owned devices. But in the day and age right now, according to our data, 66% of the smartphones in the enterprise are employee-owned. 

Dave Bittner: Right. 

Richard Melick: Fifty-five percent of tablets are employee-owned. So this massive one in - almost 1 in 3 - let's just focus on the smartphones - 1 in 3 are - sorry, 2 in 3 of the devices connected into enterprises are BYOD. So we're not carrying around two devices. That's not happening anymore. You're not deploying out a mobile device management on - solution onto my personal device. Why? Because that's compromising my privacy. I'm not putting my privacy in the hands of somebody I don't know. This is my device. I paid for it. You're not paying the bill, none of that. And I'd say that even now if somebody was coming and saying - come to me and say, in order to be employed here, we're going to install a mobile device management on your device so we can wipe your device if something was to happen. Absolutely not. I will buy a second device that you can do that to, or we will work something out. But my personal device is my personal device. And now we have that, you know, that problem. 

Richard Melick: Let's go back to what I originally started off with. Technologically, there's not much of a difference between the iPhone and the MacBook or the Android devices and a Chromebook or a Windows device. All these devices are computers. Why are we only applying advanced security solutions to the larger devices that don't fit in our pockets when they have access to the exact same data as the mobile device that fits in my pocket? And that's where we need to get to. We need to start going and saying, we need security solutions for the applications and the endpoints that we carry - does not matter what it is. And it needs to be an advanced solution that understands what a threat is. And this is not a pitch. This is just the idea of - why does my laptop get all the cool security features and my phone does not? 

Dave Bittner: But isn't it partially that the mobile operating systems don't allow for this? 

Richard Melick: Allow for what? That's a broad question there, Dave. 

Dave Bittner: Well, I mean, they don't allow the security device to have the global access to the device that I think security apps are used to on a desktop computer. 

Richard Melick: Yes and no. So security devices, security applications do not get kernel access. That's where the limitation comes. That's the big difference. And that's fantastic. That's a great security layer. The kernel access is a technological limitation for the traditional approach towards endpoint security on a mobile device. That said, there are the other layers of security that can be implemented, such as phishing protection, network protection, application scanning and the likes that can go onto this endpoint, onto this mobile endpoint and say, OK, you are about to connect to a known malicious network based off multiple vectors of data that's been fed in, or hey, this application that you're downloading is a privacy risk. Here's why. That link you're about to click on is going to go to a compromised website or is going to try to collect your information or sideload an application. There are other ways to protect the mobile ecosystems against the threats that are different in some ways than traditional security but also very similar. Artificial intelligence still exists for the mobile ecosystems. The idea of - what does a threat look like in mathematical terms - can be applied towards application scanning and phishing - in phishing protection or network scans in man-in-the-middle attacks. So there are those software controls that can be installed in the iOS and Android ecosystems. But that idea, though, is that it's not the exact same as traditional space. 

Dave Bittner: You know, based on the information that you've gathered here for this report, what are the take-homes? I mean, what do you want people to come away from reading this report? What's the action item here? 

Richard Melick: Take-home is that the mobile security space is one that we do not need to be dismissing. What we have are devices that have been forgotten about or accepted in their current state for so long. We have to start reeducating the market. And this report, I hope, is the start of that reeducation as we start to build up towards the larger conversation of addressing the full attack surface of everybody from the SMBs, all the way up to the large enterprises. The trends do not lie. The data does not lie. The vulnerabilities, the exploits, the attacks, the trends, the human element that we have all trained against on the traditional desktops, the traditional endpoints - they are still applicable on the mobile devices. 

Dave Bittner: That's Richard Melick from Zimperium. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Hello, Ben. 

Ben Yelin: Good to be with you, Dave. 

Dave Bittner: So over on "Caveat," over the course of the past couple of weeks, actually, we have been tracking some interesting court decisions coming out of Texas and Florida. And these two decisions may be on a collision course here. They have some policy implications for those of us in cyber. Can you give us the rundown? What's going on here, Ben? 

Ben Yelin: Sure. So we have two separate state statutes that are very similar, one in the state of Texas and one in the state of Florida. The basic idea behind these statutes is to regulate content moderation among big tech platforms. So there's this general allegation that the tech platforms are biased against, particularly, people with a conservative ideology. So what these laws say is it is illegal in the state of Texas to make any content moderation decisions that are biased in terms of their viewpoint or are biased in terms of their - politically biased or ideologically biased in terms of their viewpoints. So Texas passed a law first. It's House Bill 20, and a district court - so the lowest level of federal court - held that that law was unconstitutional. Basically, what they said is companies like Twitter and Meta and whomever have their own First Amendment free speech rights. They have the right to make content moderation decisions. And in the name of trying to foster free speech, what these state legislatures have actually done is restrict the free speech rights of this private entity, these tech companies. 

Dave Bittner: I see. 

Ben Yelin: So that was the district court decision in Texas. That was appealed by the state of Texas to the fifth circuit court of appeals. And they vacated the district court decision, meaning they superseded it. And as a result, the Texas law is now in place. It is illegal in the state of Texas currently to have viewpoint discrimination in one's content moderation decisions. This was a big surprise. We didn't get much from the fifth circuit in terms of its reasoning. All they said was that the decision of the lower court, the district court, had been enjoined, meaning it had been stopped. 

Dave Bittner: OK. 

Ben Yelin: But there was no explanation as to how they saw the constitutionality of this issue. 

Dave Bittner: Now, there were a lot of raised eyebrows from legal experts and scholars and so forth, right? 

Ben Yelin: Yeah, it was rather shocking. I mean, I don't think anybody thought - I think a lot of scholars thought that the purpose in terms of these state legislators was just to make a point about content moderation, knowing that the courts would strike it down. 

Dave Bittner: I see. 

Ben Yelin: But you wanted to get the political message out there, pass a law saying that you think that these platforms are biased and make the courts do something about it. I mean, that's a... 

Dave Bittner: Right, right. 

Ben Yelin: ...Well-worn tactic of political advocacy. 

Dave Bittner: Yeah. 

Ben Yelin: But the fifth circuit, shocking everybody, said, OK, we're going to let this law go into place. 

Dave Bittner: (Laughter) Don't throw me in the briar patch. 

Ben Yelin: Exactly. The tech companies seemingly right now really have no idea how to comply with the statute. They don't know how it's going to be enforced. 

Dave Bittner: OK. 

Ben Yelin: They are unsure if they're going to be sued for their content moderation decisions, which decisions they're going to be sued for. I think there is a bit of a panic among these tech companies. And as a result, they have appealed this decision to the United States Supreme Court. 

Dave Bittner: OK. 

Ben Yelin: The Supreme Court could step in at any time and vacate the decision of the fifth circuit. They have not yet done so, but that's certainly an option that's out there. 

Dave Bittner: But that takes us to Florida. 

Ben Yelin: That takes us to the great state of Florida. 

Dave Bittner: Yeah. 

Ben Yelin: So Florida passed a similar law, Senate Bill 7072. This bill is nearly identical. It made its way up to the 11th circuit court of appeals, which is the appeals court for the Southeast United States. And that court came to the opposite conclusion, saying that this type of ban on viewpoint-based content moderation is unconstitutional. The state of Florida, and for that matter the state of Texas, have tried to argue that even though these are private companies, they are so-called common carriers. Generally, our government is allowed to regulate private companies if they are common carriers, where they are the entity that fills some sort of service on behalf of the government - so whether that's transportation, something like the railroads, who had a monopoly on transportation in the 1800s... 

Dave Bittner: Yeah. 

Ben Yelin: ...Or something like telecommunications company, where there really... 

Dave Bittner: Right. 

Ben Yelin: ...Is no government institution who's performing these functions. So the common carriers step in, and it's kind of their prerogative to enforce constitutional rights. 

Dave Bittner: OK. 

Ben Yelin: That's the argument that Florida and Texas have been making. What the 11th circuit said in this decision is these are not common carriers. These are private companies, and they have the right to police their own services as they see fit. That is a vestige of their free-speech rights. Content moderation itself is a form of free speech. And one really interesting element of this decision was the fact that critics can even claim that they're being discriminated against by social media platforms - the fact that Florida legislators can do that is evidence itself that the companies are First Amendment speakers in terms of how our Constitution works. One CNN reporter who was reviewing this decision called it the judicial equivalent of pointing out a, quote, "self-own"... 

Dave Bittner: (Laughter). 

Ben Yelin: ...Which I thought was very well put. 

Dave Bittner: So this could be on its way to the Supreme Court, then? 

Ben Yelin: Absolutely. So I think we are on a collision course here. We have two judicial circuits who have come to opposite conclusions as to the constitutionality of these types of laws. I don't believe Florida and Texas are going to be the only states who try some types of - some type of regulation on big tech content moderation, so we might see more cases like this. And because we have a disagreement among circuits, I think it's very likely that this is an issue that's going to make its way to the Supreme Court. Now, they could weigh in at any time and say the 5th Circuit went over its skis, and that decision is going to be vacated, the district court decision would go back into effect, and the law would no longer be in effect, or they could hear either of these cases on the merits. And I think we might see that next year. There might be oral arguments where we have a discussion about whether these platforms have, as private actors, a constitutional right to free speech or whether they can be regulated like common carriers. 

Ben Yelin: All we know so far from the Supreme Court is that one justice, Justice Thomas, has at least entertained the idea that big tech companies can be considered common carriers and can be subject to this type of regulation. We don't really know how the other eight justices feel on this issue, although I will say that Justice Thomas is part of the ideological majority on the Supreme Court, so it's certainly not out of the question that the 5th Circuit holding on this would prevail. So we are in limbo, but I do think this is headed to some sort of final resolution at the Supreme Court. 

Dave Bittner: All right, stay tuned. Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.