The CyberWire Daily Podcast 3.13.23
Ep 1778 | 3.13.23

Coping with Silicon Valley Bank's collapse. BatLoader's abuse of Google Search Ads. More on Emotet’s re-emergence. Medusa rising. NetWire collared. More-or-less quiet on the cyber front.


Unidentified Person: You're listening to the CyberWire network, powered by N2K.

Dave Bittner: Coping with Silicon Valley Bank's collapse. BatLoader's abusing Google search ads. More on Emotet's reemergence. Reflections on Medusa rising. An international law enforcement action against NetWire. And in Ukraine, it's more or less quiet on the cyber front, but in Estonia and Georgia - not so much. 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, March 13, 2023. 

Coping with Silicon Valley Bank's collapse.

Dave Bittner: Hello, friends. It is good to be back. I want to give a special thanks to the fabulous Tre Hester for so capably filling in while I was on vacation with my family. As you have likely heard, a run on Silicon Valley Bank last Friday drove the bank into insolvency. The failure hit the tech sector and the cybersecurity sector hard, especially its venture-backed startups. Just before noon on Friday, the Federal Deposit Insurance Corporation, the FDIC, closed SVB, placed it in receivership and began working to find buyers for the failed bank. Federal regulators worked over the weekend to control the damage. It is, as the AP puts it, the largest failure of a U.S. financial institution since the height of the financial crisis almost 15 years ago. 

Dave Bittner: The U.S. Department of the Treasury, the FDIC and the Federal Reserve announced late Sunday that the government had decided to take extraordinary measures to protect depositors, stating, after receiving a recommendation from the boards of the FDIC and the Federal Reserve and consulting with the president, Secretary Yellen approved actions enabling the FDIC to complete its resolution of Silicon Valley Bank Santa Clara, Calif., in a manner that fully protects all depositors. Depositors will have access to all of their money starting Monday, March 13. A comparable arrangement has been reached for SVB's British unit, Silicon Valley Bank U.K. Reuters reports that HSBC U.K. Bank earlier this morning agreed to acquire SVB U.K. for the token sum of 1 pound. 

Dave Bittner: As the business week opened, depositors this morning indeed found themselves regaining access to funds that had been blocked since Friday, Bloomberg reports. U.S. President Biden this morning held a news conference in which he addressed Silicon Valley Bank's collapse and sought to reassure the country that the American banking system remained sound. He emphasized that depositors' funds would be safeguarded, stating, thanks to the quick action of my administration over the past few days, Americans can have confidence that the banking system is safe. Your deposits will be there when you need them. 

Dave Bittner: The program protects deposits. It's not a bailout. And the shareholders in the bank, its bondholders and, of course, its officers remain exposed. Mr. Biden reiterated, Americans can rest assured that our banking system is safe. Your deposits are safe. Let me also assure you we will not stop at this. We'll do whatever is needed. That last sentence refers to action the president intends to ask Congress to take in order to prevent a recurrence of the sort of bank run that took down SVB. 

BatLoader's abuse of Google Search Ads.

Dave Bittner: eSentire says the operators of the BatLoader malware downloader are continuing to abuse Google search ads to redirect users to malicious webpages. The malware is being distributed via phishing sites that impersonate ChatGPT, Adobe, Spotify, Tableau and Zoom. BatLoader is used to deliver an assortment of malware, including the Redline Stealer, Ursnif and the Vidar Stealer. The researchers note that Microsoft late last year linked BatLoader to Royal Ransomware infections. 

More on Emotet’s re-emergence.

Dave Bittner: Emotet's reemergence last week had the goal of infiltrating corporate networks via malicious emails in order to sell access to ransomware groups, SC Magazine reports. Deep Instinct researcher Simon Kenin shared in a post that Emotet has now been observed sending malware in Microsoft Word files. Paradoxically, researchers say, the payload's large size - over 500MB - drastically decreases detection and subsequent neutralization of the malicious files. Many security products and sandboxes don't scan or isolate the files due to their size. 

Dave Bittner: Kenin told SC Magazine, when the operator of the botnet sees a high-value target infected, he can sell access to a ransomware group, which will have initial access and try to hack the whole network. The return on investment is much higher for ransomware than banking Trojans these days. For other less valuable targets, a method of pay per install can be used, and the operator just loads other cybercriminals' malware in bulk. Kenin says products that aren't solely reliant on static detection and analysis are more effective against attacks like Emotet's most recent campaigns. 

Medusa rising.

Dave Bittner: BleepingComputer reports that the Medusa ransomware gang has been stepping up its double extortion racket over the past several months. Note that the Medusa ransomware operation is unrelated to the MedusaLocker ransomware-as-a-service offering. The threat actor has launched its Medusa blog to leak data from victims who refuse to pay up. The blog gives victims an option to pay a lower sum to advance the deadline by one day. The Medusa gang last week released a lengthy video showing data allegedly stolen from the Minneapolis Public Schools district. The threat actor is demanding $1 million in ransom from the school district. 

Not a remote administration tool, but malware.

Dave Bittner: Authorities in Croatia Thursday arrested a person of interest whom they believe to be the administrator of, a domain used to distribute the NetWire remote access Trojan, Help Net Security reported Friday. Swiss law enforcement also reportedly seized the computer behind the Trojan's infrastructure. 

Dave Bittner: NetWire was simultaneously advertised on hacking forums, as well as legitimate markets, where it was offered as a legitimate remote administration tool. Used as a remote access Trojan, NetWire allowed cybercriminals to remotely access and control devices, as well as lift sensitive data from victims. In an archived version of the site found by TechCrunch reporters, NetWire is described as specifically designed to help businesses complete a variety of tasks connected with maintaining computer infrastructure. It is a single command center where you can keep a list of all your remote computers, monitor their statuses and inventory and connect to any of them for maintenance purposes. 

Dave Bittner: The U.S. Attorney's Office in the Central District of California said in the press release announcing the site's seizure that the FBI's investigation into the site began in 2020. TechCrunch reports that in the FBI's investigations, the bureau found that the site never required the FBI to confirm that it owned, operated or had any property right to the test victim machine that the FBI attacked during its testing, as would be appropriate if the attacks were for a legitimate or authorized purpose. KrebsOnSecurity has an account of what the domains used by NetWire suggest about its operators. 

DDoS apart, all remains more-or-less quiet on the cyber front.

Dave Bittner: And finally, to return to the central theater of Russia's hybrid war against Ukraine, a war that Russian officials claim is a defensive action against aggression from the West, especially the Anglo-Saxon precincts of the West. Estonia has successfully conducted its elections, where a majority of the voting is done online, despite extensive DDoS attacks by Russian threat actors on election infrastructure and other government services, the Record reports. The attempts didn't succeed in disrupting voting. But Estonia's prime minister said there are clear signs the Russians are trying to adapt. The Record quotes her as saying, we see now the Russian attacks - actually, they are not attributed officially, so maybe I can't say this so openly, but the attacks on our systems, we see that they are learning. They see that, OK, these things are not going through. So they are improving and constantly trying new ways to really undermine our system. Elsewhere in the near abroad, and especially in Russia's war against Ukraine, there's little new on the cyber front, but as CISA would put it, shields up. It's far too soon for complacency. 

Dave Bittner: After the break, Rob Shapland from Falanx Cyber on ethical hacking and red teaming. Bryan Ware from LookingGlass looks at exploited vulnerabilities in the U.S. financial sector. Stay with us. 

Dave Bittner: Attack surface management company LookingGlass recently released a report featuring their analysis of the top-known exploited vulnerabilities in the U.S. financial sector. Bryan Ware is CEO at LookingGlass. 

Bryan Ware: I think, generally, we believe that the financial services sector is one of the most secure sectors. It's an inherently digital sector. It's - you know, that's where the money is. And so yes, it does attract adversaries, but it also attracts generally high levels of spending and generally good cybersecurity talent. And so I think one of the things that was - I wouldn't call it surprising, but it's just notable that despite all of that investment, there are still significant vulnerabilities that are present. So I think that's one thing. I think the other thing - also not particularly surprised but still notable is that among the concerning vulnerabilities, some of them are quite old. You know, they've been - these vulnerabilities and remediations for them have existed for a long time. And, you know, they're still there. And so, you know, if you combine that with that - this is a pretty well-financed infrastructure sector that has some pretty old vulnerabilities still. I think those two things in combination are definitely notable. 

Dave Bittner: And do you have any insights as to why there might be that little disconnect there? Is it a matter of organizations not having a handle on their inventory, or why do you suppose there - that might be the case? 

Bryan Ware: Yeah, I think it's two or three factors. You know, the first factor is that organizations have reasonably good tools. There are reasonably good tools available and that have been available for a long time to inventory your assets and to scan your assets, to identify vulnerabilities and then to - various ways to kind of prioritize your patch management. And that's a fairly mature capability. We expect that most organizations, particularly in the financial services sector, have that capability. 

Bryan Ware: But there's something that - you know, it's not really all that new but just kind of feels new, and that's that most of those well-established tools don't scan what is connected to the Internet. They do scan what's connected to your internal networks behind a firewall and so forth, but they're not scanning what, you know, Gartner and others call the external attack surface. And of course, over the last several years, everyone has moved more and more things to that external surface using cloud services and SaaS services and VoIP services, etc., etc. And so it's a combination of not having the visibility, not really tracking those things as well, and so they're not well-managed. They're not particularly visible, and we see that really across infrastructure sectors. 

Bryan Ware: Again, we focused on financial services knowing that it was really sophisticated - so potentially notable that even in a sophisticated infrastructure sector - the second thing in your question, though - I think there's just so many vulnerabilities. So many means - I mean, we could talk about the state of software, and I think that's a really important conversation that's going on right now. But as a practical matter, if you're a CIO or a CISO, there's probably more vulnerabilities than you can patch, and prioritizing the ones that you patch is really, really hard. Of course, what we were really trying to get at through the research that we did is - and an even higher bar than that is - it's known to be exploited, and it's connected to the internet, which means that adversaries are going to - they're going to find you, and it will be exploited. And so you've got a limited window to address that. 

Dave Bittner: Well, based on the information that you all have gathered here, what's your advice? What are the words of wisdom for folks out there trying to defend their organizations? 

Bryan Ware: Probably the two most specific things that I could say is prioritize the KEVs for sure. They're not your run-of-the-mill vulnerabilities. You must act with urgency. Adversaries are going to find them. So prioritize those. Of all the vulnerabilities that you have to manage and all the difficulties sometimes it is to take down a system and get it patched, you got to prioritize those. 

Bryan Ware: And then the second thing is you probably already have internal scans that are taking place. And internal, you know, inventory management is taking place. Don't neglect your external attack surface. Don't forget about all those cloud services, all those web services, all those things that you may not even know are connected to the internet that are connected to the internet. And so if you take those two pieces together, I think that getting that additional visibility from your - of your external attack surface and then prioritizing your KEVs - those are going to be my two strongest recommendations. 

Bryan Ware: I think there's a third thing that we're starting to have more conversations about, and it's really about, like, how much external attack surface should you really have? You know, ideally, you don't have a whole lot of things that are connected directly to the internet. That should be a really, really minimal set. And it always was when everything was behind a firewall. But it is increasingly getting bigger and bigger. 

Bryan Ware: And I would say that, you know, if you think about kind of the old days of shadow IT, that was usually things that you didn't know were running on your corporate network or on your corporate Wi-Fi that just kind of snuck in the organization somehow. The shadow IT has now moved to the cloud. The shadow IT is now on the internet. And most of the customers we're talking to are surprised by the things that they find when they start to look at their external attack surface. And so it's not really even about vulnerabilities at that point. It's really about, what am I really running? What are the real assets? Where are they? Let me get those under management. And usually it means, let's minimize that attack surface as much as we can. 

Dave Bittner: That's Bryan Ware from LookingGlass. 

Dave Bittner: A potential consideration for those entering the exciting world of cybersecurity is, on which color-coded team do you want to focus your energy and expertise? There's the red team, playing the role of the attacker by trying to find vulnerabilities and break through cybersecurity defenses. The blue team defends against attacks and responds to incidents when they occur. And, of course, there are various shades of purple in between. For insights on what it takes to be an effective red teamer, I spoke with Rob Shapland, ethical hacker and head of cyber innovation at Falanx Cyber. 

Rob Shapland: So red teaming's more like a full-scale simulation of a criminal attack. So in normal ethical hacking or penetration testing, you're given one target. It might be a website. It might be the external-facing infrastructure of a company. But in red teaming, it's kind of anything goes within the confines of the law. So I might be given the name of a company and an objective. So go and get this file from those systems. And I have to plan everything around that, and everything's in scope. All the systems are in scope, social engineering. So I can do phishing attacks. I can do phone calls. I can do physical intrusion of buildings dressed up as an employee, for example. And then it's all based around that objective. If I achieve that objective, I've done the test. If I don't, then obviously, there are findings along the way. But I haven't achieved what I set out to do. 

Dave Bittner: And in terms of the ethics themselves, I mean, how does that intersect with this? 

Rob Shapland: So the ethics of it are - I'm not a blackhat hacker, so I am not trying to install ransomware on the network. I'm not trying to steal data and then sell it to other criminals. The ethical part of it is I will then tell you what I did and then help you fix it, the idea being if real-life criminals do actually go for you, you've already got the defenses set up to hopefully prevent them from getting in. 

Dave Bittner: Can you give us an example of a campaign that you've done here, something that might illustrate exactly what - how you go about this? 

Rob Shapland: Yeah, sure. So I had to do a red team exercise against a company that develops vaccines. They wanted me to go in and attempt to steal the vaccine design off of the network. And so if you think about if you're planning this from scratch, you don't know anything much about the company. So you're going to start off with basic stuff like looking at the company's website, looking at their social media pages, etc. 

Rob Shapland: And so on that, I basically designed a phishing attack that tricked an employee into opening up an attachment that I designed to try and evade antivirus. And I used sort of a ruse based around their social media pages. So I found out they'd been away on holiday. I saw in the background of one of the photos the name of the hotel they'd been staying in. I then Googled that hotel, quickly stole the logo they use, the font, the style of writing and everything like that and then sent them an email that looked like it had come from that hotel saying they'd left some valuables behind in their room. And I used a really similar domain to what the website used. That allowed me to trick them into opening up an attachment, which gave me access to their laptop, which then allowed me to extract passwords and things from there. 

Rob Shapland: Now, the objective, the actual vaccine design, was stored on their internal network only. It wasn't very easy to get to from the internet. So I decided to do a physical intrusion - so a social engineering attack on their building - and try and get inside. And to do that, I dressed up as a telecoms engineer - so hi-vis jacket, bag full of tools and cables, etc. - turned up at their office and basically said, there's been a network issue. We need to get me in the building to run some diagnostics. It shouldn't take me more than half an hour. Do you mind if I run upstairs? And I was kind of hoping she would just let me in on the back of that. But she said, no, no, I'm sorry. We can't let you in. I need to speak to someone first. Have you got a name of someone that called you? So I pretended that a person in their IT team, a real employee called Adam (ph), had phoned me up. 

Rob Shapland: And the reason I chose Adam is 'cause I knew from his Facebook page that he was on holiday. So he put something on his Facebook page saying he was flying to somewhere in Eastern Europe, I think, and therefore, I knew he wouldn't be able to get a hold of that day. And so I thought, OK, this is a great target, because if she asks me, I can give his name. She'll phone him up, won't be able to get a hold of him. So I did exactly that. She couldn't get a hold of him. She then came back to me and said, look, I'm really sorry, but I can't get a hold of Adam, but I'm really busy. Could you give him a call? And she gave me his phone number. So I took that, left the office and then phoned up my office and said, could one of you guys pretend to be this Adam guy from their head office, phone up this receptionist and pretend it's all right for me to come in? And so one of my team did that, convinced her. And then I got the visitor badge and everything that you need when you're going into a building. 

Rob Shapland: I was just about to go upstairs, and she went, oh, no, no, hold on here for a minute. I'll call down our IT person to help you out, which wasn't great for me because there is no network problem. I've completely made that up. And it's going to be very difficult to hack into a network, of course, with an IT person sat next to you as well. So I thought, OK, maybe this isn't going to work. But I've done building intrusions at about 200 different buildings over the last 10, 15 years, and I know that the only time it really goes wrong is when you break character and look suspicious and things. So I thought, OK, if I just act like an engineer would, wait around here and see what happens. And the IT guy comes and gets me, doesn't really say anything, takes me up in the lift. We get to the top floor, and he turns around to me and says, the strangest thing is we don't even use your company for our telecoms, but come in anyway. 

Rob Shapland: So he kind of let me in regardless, sat me down at a desk and gave me basically unfettered access to their network for about the next hour and a half 'cause he went off for a meeting. And that was enough time to use the username and password I'd stolen from the phishing attack previously, deploy that. That happened to be someone quite senior in the company that had extended access across the network. And I was then able to access the file server that stored the vaccine design, extract that onto my laptop and get out of the building. So it's kind of a very whistle-stop tour. There was obviously a lot more sort of surrounding work around that. But combining phishing attacks with a physical intrusion of their building and then some basic network attacks was basically the red team scenario that I chose there. 

Dave Bittner: You know, it strikes me that for folks who are interested in this line of work, that, you know, not only are your technical skills important, but you've got to be good at improvisation as well. 

Rob Shapland: Absolutely. Yeah. Yeah, 'cause if you don't include those social engineering elements, you're really limiting what you can do, and you're not fully simulating what a criminal might do as well. So, you know, even talking about phishing scenarios, you've got to be quite creative in how you come up with the idea of how you're going to convince that person to open that attachment and that link, like I said, and using social media to make that attack really believable. But also, yeah, the physical intrusion is obviously completely different to the technical side of ethical hacking because you're essentially being an actor. You're going in pretending to be an engineer or an employee. You're playing a role. You're preparing the props. You're then not panicking when you go inside. And then you're switching to your technical role once you've got into the building and trying to use that access. So it's a really varied, interesting job. And obviously red teaming is a little bit along the line of the career. You don't generally go straight into penetration testing or ethical hacking or straight into red teaming because you don't have the skills yet. But it's something you can build up to. And once you do, it's an incredibly rewarding and interesting career. 

Dave Bittner: That's Rob Shapland from Falanx Cyber. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at the The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. 

Dave Bittner: This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.