The CyberWire Daily Podcast 9.1.22
Ep 1654 | 9.1.22

News on three ransomware operations: BianLian, Cuba, and Ragnar Locker. How the gangs are recruiting. Mobile app supply chain blues. Happy Insider Threat Month.


Dave Bittner: The BianLian ransomware gang is better at coding than at the business of crime. The attack on Montenegro seems to be ransomware. A look at Ragnar Locker's current interests. Recruiting for gangland gets elusive, but those who know - well, they know. Our guest is Dan Lanir of OPSWAT with insights on recent federal legislation supporting cyber jobs. Ben Yelin examines a lawsuit filed by the FTC against an online data broker. And it's Insider Threat Month, so keep an eye on yourself.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, September 1, 2022.

The BianLian ransomware gang is better at coding than at the business of crime.

Dave Bittner: Security firm [redacted] today released a study of a ransomware operation they've been tracking. The gang calls itself BianLian and uses custom malware written in the Go language. The malware is resistant to reverse engineering, [redacted] says, but not completely uncrackable. BianLian has tended to use the ProxyShell vulnerability to gain initial access to its targets, and it's shown a preference for targeting servers that provide remote access. As a double-extortion operation, BianLian maintains a dump site where it can post data stolen from its victims. The gang chooses its victims largely from companies based in North America, Australia and the United Kingdom. The companies range in size from small businesses to big multinationals. 

Dave Bittner: BianLian seems unrelated to the Android banking Trojan that's been referred to by the same name. And while many ostensibly new ransomware groups in fact represent rebrandings of existing groups or have formed from the remnants of gangs disrupted by law enforcement, [redacted] thinks that BianLian is actually a new group. Their report says, while there is a long history of seemingly new ransomware groups rising from the ashes of defunct and/or rebranded groups, we do not have any indications at this time to suggest that is the case with BianLian. For all intents and purposes, the BianLian group appears to represent a new entity in the ransomware ecosystem. 

Dave Bittner: They are better at coding than at the business of crime. [redacted] adds, furthermore, we assess that the BianLian actors represent a group of individuals who are very skilled in network penetration but are relatively new to the extortion and ransomware business. Some of their missteps include mistakenly sending data from one victim to another, possessing a relatively stable backdoor toolkit but having an actively developing encryption tool with an evolving ransom note, and long delays in communications with victims. They can be expected to up their game as long as they're at liberty. The usual best practices against ransomware should help protect organizations against BianLian.

Attack on Montenegro determined to be ransomware.

Dave Bittner: Montenegro, which continues to work to recover government systems from a cyberattack it's blamed on Russia, has now, according to Reuters, called the incident ransomware. The country's public administration minister, Maras Dukaj, said that no ransom demand had yet been received but that some stolen data had been spotted online. Dukaj said, we have already got an official confirmation. It can also be found on the dark web, where the documents that were hacked from our systems' computers will be published. So the attack, which has substantially disrupted public services in the Balkan country, seems to be a double-extortion attack. The gang that's claimed responsibility is the Cuba ransomware group, according to ITPro. Cuba is a Russophone operation that has nothing to do with Havana. The FBI described Cuba in December of last year. In April of this year, security firm Profero linked Cuba to Russia, with their attribution based largely on linguistic cues. In June, Trend Micro researchers reported a surge in Cuba's activity along with the gang's deployment of some new tools. It seems likely that the operation against Montenegro represents Russian privateering. CyberNews has published a screenshot of Cuba's claim of the hack and briefly describes the circumstantial case for linking the gang to Russia. The AP reports that the U.S. Federal Bureau of Investigation has dispatched a response team to Montenegro to assist the Ministry of Justice with its investigation.

Ragnar Locker's current interests.

Dave Bittner: What's up with Ragnar Locker these days? Well, Cybereason this morning published an account of the Ragnar Locker threat actors. Their key findings confirm much of what's long been known or suspected about the operation and add details on the group's evolution. Ragnar Locker has joined other ransomware actors like Cuba and the former Conti group in paying particular attention to the energy sector. Ragnar Locker has claimed, for example, the Greek natural gas delivery company DESFA as one of its victims. Active for at least three years, Ragnar Locker has become increasingly evasive. Its ransomware now checks if specific products are installed, especially security products, virtual-based software, backup solutions and IT remote management solutions. And, of course, it's aligned with Russia and avoids being executed in countries located in the Commonwealth of Independent States. The CIS is an association of former Soviet republics that have remained in a more-or-less uneasy alliance with the Russian heir to the USSR.

Recruiting for gangland.

Dave Bittner: Digital Shadows has issued a report on how cybercriminals are skirting bans on ransomware-related content on underground forums. Two of the most popular criminal forums, XSS and Exploit, banned recruitment for ransomware affiliates after the Colonial Pipeline attack last year in order to avoid being targeted by law enforcement. So you can't just say something like, yo, criminals; make good money in ransomware, or, hey, hey; come help us rob and defraud the squares - not anymore, anyway. With the sort of low cunning one finds in gangland, forum users have begun wording their posts in a way that doesn't explicitly mention ransomware. For example, instead of stating that they're seeking ransomware affiliates, the crooks will say their team is looking for pen testers. The researchers conclude, overall, in practical terms, there is almost no compliance with the forum bans on commercial ransomware content on Exploit and XSS. The trade seems to be alive and well on these platforms. For those who wish to recruit affiliates or buy and sell ransomware, success is only a carefully worded post away.

Mobile app supply chain vulnerabilities.

Dave Bittner: The Symantec Threat Hunter Team, part of Broadcom Software, released a blog yesterday detailing mobile app supply chain vulnerabilities. The team says that issues with the supply chain in relation to mobile apps include mobile app developers unknowingly using vulnerable external software libraries and SDKs, companies outsourcing the development of their mobile apps - which then end up with vulnerabilities that put them at risk - and companies, often larger ones, developing multiple apps across teams using cross-team vulnerable libraries in their apps. Over 1,800 apps were identified to contain hardcoded AWS credentials, of which 98% were iOS apps. 77% contained valid AWS tokens that allow access to AWS cloud services. And 47% included tokens that gave access to numerous files via the Amazon Simple Storage Service. Interestingly, over half of the AWS tokens discovered were found to be used in other apps, even from different developers and companies, and were traced to shared components within apps.

Insider Threat Awareness Month.

Dave Bittner: And finally, September is Insider Threat Awareness Month. So greetings of the day, and have you done your holiday shopping? But seriously, we've received some comments from industry on insider risk. James Christiansen, CSO and VP of Cloud Security Transformation at Netskope, stated, it's the risk that never goes away because insider threats involve employees, often the weakest link in any company's security posture. Employees are not only vulnerable to common attacks or insecure practices like email phishing, but they have bona fide access to workplace systems and an understanding of internal processes, providing the malicious insider a head start. Joe Payne, CEO and president at Code42, noted that almost all malicious data theft from insiders occurs when people change organizations, which is on the rise because of the great resignation and recent layoffs. 

Dave Bittner: We might also mention that the biggest insider threats may be things like simple inattention, honest mistakes, a desire to help, misguided but well-intentioned initiative. We will be looking in the mirror this month because, as Pogo Possum said, we have met the enemy, and he is us. So let's also commit to some self-examination and resolve to be good to our sister and brother insiders. This isn't Mistrust Your Colleague Month, after all. So stay safe out there. 

Dave Bittner: Coming up after the break, Dan Lanir from OPSWAT has insights on recent federal legislation supporting cyber jobs. And Ben Yelin examines a lawsuit filed by the FTC against an online data broker. Stay with us. 

Dave Bittner: There have been a number of important cybersecurity-workforce-related bills making their way through the federal government. President Biden recently signed the Federal Rotational Cyber Workforce Program Act. And the Industrial Control Systems Cybersecurity Training Act was approved by the House of Representatives. For insights on both of these bits of legislation, I checked in with Dan Lanir, senior vice president of customer success at critical infrastructure security company OPSWAT. 

Dan Lanir: It's an acknowledgment by the government that we need to be able to train up existing professionals in - either in government or the industry on critical infrastructure protection. So, of course, as a community, we recognize we also need to train people that are going to be focused on cybersecurity as a profession, people that are going to get degrees in this. And that will be their jobs and their profession and their passion. But we also need people that are already in industry, already in the government, and people that aren't necessarily - where their jobs aren't necessarily all about cybersecurity. We need to make sure that they're also getting trained and educated on cybersecurity challenges and addressing those challenges, best practices related to staying cyber safe and specifically in the critical infrastructure domain.

Dave Bittner: Now, for folks who may not be familiar with critical infrastructure and the ICS world, can you give us some insights here as to what, you know, that intersection between the operational side of things and cyber, but where do we stand there? 

Dan Lanir: So, you know, in general, every government, every country in the world has a definition of what critical infrastructure is. The U.S. government, the Department of Homeland Security, defines it as 16 sectors of industry within the country, things like the power grid, health care, the financial system. It's basically the industries that form the foundation of our way of life - right? - the industries that help - the industries that Americans depend on every hour, every day to just lead our modern way of life. And those industries often have their own technologies that historically weren't really part of the IT space, right? We're talking about, like you said, industrial control systems, programmable logic units, sensors, valves, et cetera. And we're seeing more and more situations where, as those areas, those domains become more internet enabled, more of - as they become more internet enabled, become a bigger and bigger focus on trying to attack those areas. And those areas are the most critical for us to make sure that they remain secure. 

Dave Bittner: So how are we going to measure success here, do you suppose? Is this a matter of getting everyone up to a certain baseline level of knowledge when it comes to the cyber components of their day-to-day work? 

Dan Lanir: That's a really, really good question. And measuring success, of course, is - that's the ultimate goal we're trying to get to. And it's obviously very, very challenging to truly define success, right? I mean, success means a reduction in the number of attacks on those systems. The purpose of these acts and this effort is to, as you said, it's to get people better trained on cybersecurity principles, critical infrastructure protection, best practices in conjunction with the technologies that we have to help cyber secure these areas. 

Dave Bittner: And this really is a public-private partnership sort of thing here, right? I mean, neither side can achieve what needs to be done on their own. 

Dan Lanir: Oh, it's definitely, definitely a public-private collaboration. The director of CISA, Jen Easterly, talks about true operational collaboration and the need. There's no way that one or the other entity is going to be successful on their own. We need that collaboration - and not only collaboration between public and private, but even within the private sector. Organizations and entities that in other domains might be competitors need to come together and collaborate to build up a common set of cybersecurity best practices and guardrails to help safeguard critical infrastructure. You know, I'm seeing a lot of efforts from the government side, like the acts that we just discussed and like ongoing executive orders, state-level orders, etc. But you're going to be seeing a lot coming out of the private sector, too. I think the bulk of the - there's going to be a large body of work - courses, material focused on real-world challenges and responses to those challenges - that'll be produced by the private sector.

Dan Lanir: And I also think that the private sector will be introducing and evolving industry standard certifications so that we have a common language, a common definition of sort of what it means to be - to have critical infrastructure protection expertise and the right training levels. So the industrial engineers and the field technicians and the IT staff and the network engineers, they just need to be staying constantly trained and educated on this sort of evolving cybersecurity challenge, right? And that means constantly staying up on education, training, taking courses, getting certified in cybersecurity and specifically critical infrastructure protection certifications, etc. 

Dave Bittner: That's Dan Lanir from OPSWAT. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Ben, good to have you back. 

Ben Yelin: Good to be with you, Dave. 

Dave Bittner: Interesting news coming about the Federal Trade Commission suing a data broker company. This is a story from The New York Times that caught my eye, but several places have been covering this. What's going on here, Ben? 

Ben Yelin: So, as we know, smartphone location tracking, which is a multibillion-dollar business and certainly very lucrative for companies like this one, which is called Kochava or Ko-chay-va (ph) - I'm not sure exactly. 

Dave Bittner: Yeah. 

Ben Yelin: We know that they can reveal intimate details about our personal lives, so our familial associations, our religious associations, our political activities. Since the Supreme Court's decision in the Dobbs case, which overturned Roe v. Wade, we've also seen fears that this type of location tracking could be used to prosecute people who are seeking abortion care. So abortion is criminalized in a limited number of states at the moment. 

Dave Bittner: Right. 

Ben Yelin: Several more are in the process of enacting laws to criminalize the procedure. 

Dave Bittner: Yeah. 

Ben Yelin: And a great piece of evidence to prosecute somebody is location data. So they went to an abortion clinic. They went across state lines to obtain an abortion. So this has created justifiable fear that these types of data brokers, who are really in this just for the money - they see that data is valuable. They're willing to sell it - that that's going to be a privacy violation for people who are seeking reproductive care. So the Federal Trade Commission has taken action. And they are suing one such company, this Kochava company. They say that the company's sale of geolocation information on tens of millions of smartphones could, quote, "expose people's private visits to places like abortion clinics and domestic violence shelters." This is part of a broader Biden administration effort to crack down on this type of data broker activity. So the Biden administration issued an executive order after the Dobbs decision, saying that they were seeking to bolster privacy protections for this type of information. So they want to curb intrusive surveillance practices that might cut against reproductive rights for millions of women in the country. And they urged the FTC to take action to address some of these data brokerage issues. And that's what the FTC has done. 

Ben Yelin: So they have initiated a lawsuit on this company. The lawsuit could result in civil or criminal penalties for the company. They could levy fines, so the consequences could be relatively steep. It might be in the interest for the company to try to settle with the FTC, to come up with some sort of equitable solution where the company can still maintain its existence and not be bankrupted by this legal proceeding but also can pay a fine, rectify its previous behavior and vow to protect this important consumer data. So it'll be a really interesting case as it comes down the pike. We are just at the first step with the FTC initiating this lawsuit, but it'll be really interesting to see what happens as this makes its way through the court system. 

Dave Bittner: If I'm an organization that's also in this business, if I'm another data brokerage organization, this has my attention, right? 

Ben Yelin: It certainly does. Kochava and I think many of the other same companies insist that they comply with all of the laws on the books. They say that location data comes from third-party information brokers who collect it from consumers who are consenting to have this data collected. They were confronted with the EULA. They wanted to play that game or use that application to order a sandwich or do whatever, and they press the accept button without really reading. And that allowed people or allowed these companies to collect that data and to sell it and potentially make it available to law enforcement. Law enforcement agencies are buying data from these data brokers, and they don't have to obtain a warrant under the Fourth Amendment to do so. So that's why it could be potentially dangerous when we're talking about criminal prosecutions because it's something that law enforcement could have access to. 

Ben Yelin: But, yes, if you're another company that engages in these practices, if at the FTC, despite what seems like Kochava's compliance with the current laws we understand - if they're being threatened with this legal action, I think other companies could impute that as they're taking this issue particularly seriously. And I think there's going to be a more watchful eye on data that's collected pursuant to reproductive rights because that's in the news. That's the end result. The consequence that came from the Dobbs decision, and that's the focus of this presidential administration. 

Dave Bittner: Is - to what degree is this putting a regulatory Band-Aid on a more serious disease? I mean, is this the best we can do - and by we, I mean the Biden administration - while waiting for Congress to put in some meaningful privacy legislation? 

Ben Yelin: Yeah. I mean, it's not the most efficient form of policy change because you can't literally sue every company that does this. I mean, you can try. But that's a very cost - that costs a lot of money and is very time intensive. Ideally, what the FTC is trying to do, which is to protect consumers against these data broker practices, would be best done through federal data privacy legislation. And we know that such legislation is being considered right now in Congress. There's a real effort underway to get data privacy legislation enacted before the end of this calendar year. I don't think we're going to have a resolution to this FTC case by that time. So in an ideal world, Congress could see how the FTC is seeking to enforce these new consumer protections, and they would codify those protections into law. But I don't think the timing is going to work out because I think Congress is working on a shorter timeline than the FTC in pursuing this case. 

Ben Yelin: I think the concern is from the perspective of those who care about data privacy and/or reproductive rights, this is an enforcement action coming from the current FTC and its current commissioners. A future presidential administration and a future crop of FTC commissioners could simply decide not to take this type of enforcement action if they didn't believe this was a violation of privacy, personal liberty. If they didn't think it was a worthwhile use of the FTC's enforcement power, they could simply not do anything. So I think Congress has the incentive to really try to codify this into statutes so that it could be protected from future FTC commissioners, future presidential administrations.

Dave Bittner: All right. Interesting stuff. Again, this is an article over in The New York Times written by Natasha Singer. Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.