The CyberWire Daily Podcast 5.8.23
Ep 1818 | 5.8.23

Developments in the ransomware underworld: ALPHV, Akira, Cactus, and Royal. Some organizations remain vulnerable to problems with unpatched Go-Anywhere instances.

Transcript

Dave Bittner: ALPHV claims responsibility for a cyberattack on Constellation Software. A new Akira ransomware campaign spreads. CACTUS is a new ransomware leveraging VPNs to infiltrate its target. Many organizations are still vulnerable to the GoAnywhere MFT vulnerability. Russian hacktivists interfere with the French Senate's website. Keith Mularski from EY details their "State of the Hack" report. Emily Austin from Censys discusses the state of the Internet. And ransomware gangs target local governments in Texas and California.

Dave Bittner: I'm Dave Bittner with your CyberWire intel briefing for Monday, May 8, 2023.

ALPHV claims responsibility for cyberattack on Constellation Software.

Dave Bittner: Canadian software provider Constellation Software disclosed last week what they're calling a cybersecurity incident impacting the company's IT infrastructure. IT World Canada writes that a disclosure from Constellation shared that some IT systems within the company were breached and that there were also leaks of some personal data. The company said, the incident was limited to a small number of systems related to internal financial reporting and related data storage by the operating groups and businesses of Constellation. A limited amount of personal information of individuals was impacted by the incident. A limited amount of data of the business partners of Constellation businesses was also impacted.

Dave Bittner: Bleeping Computer explains that the ALPHV ransomware gang claimed the attack. They've added a new entry for the company to their Data Leak Site. The gang threatens to leak more than a terabyte of data if the ransom demand is ignored. The gang wrote, we have been on your network for a long time and have had time to analyze your business. We have stolen more than one terabyte of your confidential data. If you ignore or refuse the deal, we will be forced to release all of your data to the public. The ALPHV gang, also known as BlackCat, is currently one of the most active ransomware operations.

A new Akira ransomware campaign spreads.

Dave Bittner: Bleeping Computer reports that Akira ransomware has been observed slowly spreading worldwide, and its demands have reached six figures. Akira claims to have conducted attacks against at least 16 companies but doesn't seem to be targeting a particular sector. Akira has leaked the information of four of its victims, presumably for not paying the ransom. Bleeping Computer writes, the ransomware gang demands ransoms ranging from $200,000 to millions of dollars. They are also willing to lower ransom demands for companies who do not need a decrypter and just want to prevent the leaking of stolen data. The ransomware is currently being analyzed for weaknesses, and Bleeping Computer does not advise victims to pay the ransom until it's determined if a free decrypter can recover the files.

Almost 180 organizations are still vulnerable to the Go-Anywhere MFT vulnerability. 

Dave Bittner: The Record reports that dozens of organizations are still exposed to cyberattacks through a widely abused vulnerability in GoAnywhere MFT, a web-based tool that helps organizations transfer files, according to new research. The exploit, CVE-2023-0669, was patched in February but as Censys reports, over two months after the zero-day was disclosed, Censys continues to observe almost 180 hosts running exposed GoAnywhere MFT admin panels, with 30% of these showing indications of remaining unpatched and potentially vulnerable to this exploit. A single vulnerable instance has the potential to serve as a gateway to a data breach that could potentially impact millions of individuals. The number of vulnerable instances is trending slowly downward, but ransomware in general is on the rise, with all of its attendant threat. Experts recommend implementing patches and security updates, as well as staying apprised of CISA's Known Exploited Vulnerabilities Catalog for situational awareness with respect to exploitation of known vulnerabilities.

CACTUS, a new ransomware leveraging VPNs to infiltrate its target.

Dave Bittner: Researchers at Kroll have discovered a new ransomware family called CACTUS. In a report emailed to the CyberWire, Kroll wrote, CACTUS has been observed leveraging documented vulnerabilities in VPN appliances in order to gain initial access. The ransomware uses a novel encrypter requiring a key to decrypt it for implementation, which likely allows it to remain undetected until the threat actors implement the ransomware attack. CACTUS is a new ransomware and, as of yet, hasn't been used enough to gather metrics regarding ransom prices or the consequences of not paying the ransom. Kroll said, as of the writing of this bulletin, Kroll had not yet identified a shaming site or victim identification-related blog authored by CACTUS for purposes of sharing victim data if a ransom was not paid. In terms of ransom, there is not currently enough data to provide an average starting price. It is also yet to be seen what would happen if a ransom were not paid and how successful any threat actor-provided decrypter may be. Researchers recommend updating all VPN services and implementing password managers to minimize threat exposure. Kroll also recommends using multifactor authentication to prevent lateral movement in the infected networks. 

Russian hacktivists interfere with French Senate's website.

Dave Bittner: The NoName group, which has been heard from intermittently during Russia's war, took to Telegram to claim credit for a distributed denial-of-service attack on Friday, SecurityWeek reports. Cybernews quotes NoName's explanation, we read in the media that France is working with Ukraine on a new aid package, which may include weapons. And without thinking twice, we crashed the website of the French Senate. The Senate tweeted that it was remediating the attack and working to restore full service.

Ransomware targets local governments in Texas and California. 

Dave Bittner: The consequences of the ransomware attack against the city of Dallas escalated over the weekend. The disruption the incident caused to emergency systems interfered with a response to the mass shooting that occurred there over the weekend. Although police officers were able to respond to the incident, system outages kept relevant information from the officers. WFAA reports that Dallas Police Department computers are still down after the city's system was attacked by ransomware on Wednesday, so it's hard for them to get information on prior calls to the home. Separately, ABC7 reported Saturday that San Bernardino County, California, paid a $1.1 million ransom to cyber extortionists, stating, county officials told ABC News on Friday that the county carries insurance for such attacks, and its share of the ransom came out to just over $511,000. After negotiating with the hackers, the insurance company and county agreed to pay to restore the system to its full functionality and secure data. It remains unclear which gang was behind the attack on San Bernardino's networks.

Rest in peace, James Wolford.

Dave Bittner: Finally, we end on a sad note. James Wolford, the CEO and co-owner of Atomic Data, a company he co-founded 22 years ago, passed away suddenly at his home on Friday. Our sincerest condolences to his colleagues, co-workers, and especially his family. May they all receive comfort in their time of mourning.

Dave Bittner: And I am pleased to be joined here with Keith Mularski. He is America's cyber-threat resilience leader at EY. Keith, it is great to speak with you again. Thank you for taking the time with us here at RSA Conference.

Keith Mularski: My pleasure, Dave. It's always good to talk -- chat with you, and great to be back at RSA this year.

Dave Bittner: So I understand you are all on the verge of releasing a new report here with some interesting information in it. What do we got?

Keith Mularski: Yeah. So we're about ready to publish a report called "The State of the Hack." And this would be a perspective of hacking the world's biggest companies over the last year. So everybody publishes a report based off of their cyber-threat intelligence on the state of the hack or what they're getting from incident response. We're going to take it from a good guys' perspective, what we're seeing that maybe not the bad guys are exploiting but maybe things that are still weak that we're seeing out there so that companies could respond to that and be able to mitigate any kind of problems or have increasing better resilience.

Dave Bittner: Well, let's walk through it together here. What are some of the key elements that caught your attention?

Keith Mularski: Yeah. So what we did -- so this is after, you know, over the last 12 months. One of the things that we did see was phishing still was effective, but lower. So out of that, we saw it was 38% effective, out of all of our attacks out there. So we really see that, you know, probably the increased effort of training for anti-phishing, the email gateways that are being used out there like Microsoft and Proofpoint that's out there is making a difference at that. So and actually, there was a report last year that actually -- not ours, but from another vendor -- that said, initial access through exploitation of CVEs had exceeded phishing for the first time. So we kind of confirmed that --

Dave Bittner: Okay.

Keith Mularski: -- so 38% effective. The other thing that we saw that was -- that really jumped out at us because everybody talks about MFA --

Dave Bittner: Right.

Keith Mularski: -- and that you need to have MFA. We found that 70% of MFA was misconfigured in one way or another.

Dave Bittner: Really?

Keith Mularski: Yeah. So -- or that we were able to bypass that by either getting in and being able, you know, to set up another account to then initiate, you know, MFA requests to then get in there and escalate privileges. But that was one of the other big things that really, you know, stood out for us from the last -- from the last year.

Dave Bittner: Before we move on to some of the other things that you gathered here, help me understand. Is -- are these numbers coming from you and your colleagues doing pen testing? Is that primarily what we're talking about?

Keith Mularski: Yeah. So this would be pen testing. So this is the white hats going in to try to find vulnerabilities and, you know, and be able to then talk to our clients to then, you know, say, hey, you know, you may have a problem here. Let's -- let's fix this before it's really exploited.

Dave Bittner: Right. Right. Well, let's dig into some of the other elements here that you gathered.

Keith Mularski: Yeah. So the -- the most -- the technique that we used to gain initial access the most -- that was most effective -- was via password spraying. So we hear about password spraying a lot. And again, so that was used the most to gain that initial access. Some of the other things that -- number two on the list were man-in-the-middle attacks, SMB relays, unsecure credentials. So those were some of those, you know, other things that we did to get that initial access there. The median time to get domain administrator access --

Dave Bittner: Right.

Keith Mularski: -- once we got that initial access, was one day. So when you think about all that, that's pretty -- that's pretty quick --

Dave Bittner: Yeah.

Keith Mularski: -- when you're thinking about that. And the average number of steps -- so techniques that that we took in order to get that domain administrator access was five. So five different steps to get there. So being able to move pretty quickly. So I think, you know, from that that one of the biggest takeaways in that that we recommend is, you know, with the speed is automation. So being able to have SOAR in place to be able to detect quickly, you know, because sometimes we were detected, and there were alerts that were getting fired off. But the blue team didn't react fast enough to --

Dave Bittner: Interesting.

Keith Mularski: -- you know, quarantine us.

Dave Bittner: Right. Right.

Keith Mularski: So automation and speed is really of the essence.

Dave Bittner: Wow.

Keith Mularski: Some of the other things, you know, that we found here were -- this kind of goes with that password spraying -- was domain and password lockout policies were really susceptible to password guessing. So ensuring that you do have that in place because then the password spraying would be ineffective.

Dave Bittner: Right.

Keith Mularski: Outdated Windows. So that's, you know -- or versions of software. So for that exploitation as well.

Dave Bittner: Yeah.

Keith Mularski: So those are some of the biggest takeaways, you know, that -- that we saw that I wanted to share with you. We're going to get into much more detail when this gets published here in the next couple of weeks, you know, with all the particular techniques and all that utilized.

Dave Bittner: I'm curious, from an internal point of view, you know, you and your team there, do you come up with your own playbook over time that -- you know, just to save yourselves some amount of work, you probably say, well, here are the things that work 90% of the time, so we're going to start there. Is that -- does that happen behind the scenes?

Keith Mularski: Yeah. Absolutely. You know, hey, you know, we were able to bypass this, you know, in this situation, let's try that in other places. And then, our goal is to then, if we find that vulnerability, you know, we want to get the word out there that, hey, this is vulnerable, and this is what you need to do to fix that.

Dave Bittner: So based on the information you gathered here, what are your recommendations? How should people best use their time and resources to defend themselves?

Keith Mularski: Yeah. So again, you know, vulnerability management is really key --

Dave Bittner: Right.

Keith Mularski: -- you know, on that with, you know, going away from phishing to exploitating [sic] unpatched CVEs. So that's key number one. Again, the automation -- so SOAR -- key number two. And just having, you know, good hygiene, you know, from your password policies and things like. Those would be my three big takeaways to share with you today.

Dave Bittner: It's remarkable that year after year, we -- you know, there's the -- we keep beating that drum about the basics and yet, year after year, we keep beating the drum about the basics. Right?

Keith Mularski: Well, it's always, you know, to use a sports analogy, you always see the teams that do the basics right -- a block and tackle or, you know, just hit -- situational hitting, if you're baseball, those are the teams that are successful. So again, if you're just doing the basics and you're doing that effectively, you're going to be one step ahead of everybody else.

Dave Bittner: Yeah. Keith Mularski from EY. Thank you so much for joining us.

Keith Mularski: My pleasure, Dave.

Dave Bittner: Emily Austin is Senior Security Researcher at Censys. I caught up with her at the RSA Conference for details from their "2023 State of the Internet Report."

Emily Austin: At Censys, we have the most comprehensive Internet-wide scan dataset available. And the creation of this report -- this is the second year we've done it. And the goal really is just sort of illustrate some of the power of that data and kind of show off, you know, what you can do with the data, what we're able to see. And in this year's report, we actually focused on the web. We decided to drill deep into that. I mean, the web is such a -- you know, it's a huge presence in our lives. And we decided to specifically drill into HTTP -- service that represents a lot of what we see on the Internet -- over 80% of the services that we see. And after that, we get into a little bit of TLS and encryption on the Internet. So we start digging into the presence of certificates. And finally, we close out the report by looking at misconfigurations and exposures across the web.

Dave Bittner: Well, let's dig into some of the specifics here. What are some of the things that surfaced from the report that caught your eye?

Emily Austin: Yeah. So there's a little bit of good news and a little bit of bad news. I love the good news because I think, in security, we don't get a lot of good news all the time. Right?

Dave Bittner: Right.

Emily Austin: It's a little bit more rare.

Dave Bittner: Sure.

Emily Austin: So for good news, we know from research from Google that about 90% of web traffic these days is encrypted, which is, you know, a far cry from where it was even five to seven years ago. So it's huge. And from looking at our own data, looking at HTTP services that use TLS, use encryption, we see that about 95% of them use or negotiate one of the two latest versions of TLS -- so 1.2 or 1.3. And further, we've seen steady growth in TLS 1.3 adoption over the last year. So this, I think, is kind of a win for users' security and privacy, for just the everyday person on the Internet. Like, this is huge. Right? So that's positive. But of course, with security, you know, nothing gold can stay. [laughter]

Dave Bittner: Ponyboy.

Emily Austin: Right. [laughter] Exactly. So -- so on the flip side, exposures and misconfigurations are still a huge problem, Internet-wide. As an example, we found over 8,000 servers hosting open directories that contained really anything you can think of that would be something you don't want on the public Internet. Right? So credentials, files, SSL and SSH private keys, database backups, CSVs and Excel files with sensitive data. And to be clear, we didn't actually look at these files, but based on the naming conventions of them, we can surmise what's in them.

Dave Bittner: Sure.

Emily Austin: This is a little disappointing to me, just because this is something that takes just a few minutes to find, if you know how to look for it. And it's essentially just giving a threat actor, like, a foothold into an organization really easily. So that's -- that's still a huge, huge problem.

Dave Bittner: Give -- can you give me some insights on how you all went about gathering this data? What is the view that you all have that allows you to -- to gather this stuff up?

Emily Austin: Yeah. So we scan the entire IPv4 space all the time -- constantly, we're scanning. And so we have that all collected into our universal Internet data set. It's also available at search.censys.io. And so we take that, and it is -- it is a little bit like boiling the ocean in some ways. Right? You kind of have to figure out, well, what is the perspective we want to take on this? And, like I said, this year we decided really to focus on the web, so that -- that gets into HTTP. So that's a huge chunk of services right there. And then, starting to drill into, well, what's the software? And what's the products that we see running over HTTP? Because it's not just websites. A lot of it is, but that's not everything. And then, kind of fanning out into adjacent technology -- encryption of those things. So kind of thinking about, you know, the story of -- this is a technology that's pervasive, and it's in our lives every day. So let's -- let's dig into it. And I think that's kind of how we -- how we approached it.

Dave Bittner: Any other specifics that you want to shine a light on?

Emily Austin: Yeah. So I think one final thing, on the misconfiguration exposure side, we found over 200,000 Prometheus monitoring instances on the Internet. Prometheus is unauthenticated by default. It's in the documentation. It's expected that you, as the developer, the maintainer of the tool, will set up authentication in some way, or protect it. And we found that about 48% of the endpoints being monitored in Prometheus tools that we could see existed in private IP and DNS zones. So this is akin to -- so if you think about the public Internet. Right? This is akin to, if you're going to rob a building, and you can see the public IP addresses, this is kind of driving by the building, seeing where the windows are, seeing where the doors are. But for the private IP addresses and DNS space, this is like someone's giving you a blueprint to the inside of the building. They've labeled all the offices, they've labeled, you know, where the network closet is. So again, very easy to find and very useful for a threat actor performing reconnaissance.

Dave Bittner: So what are the take-homes here? I mean, based on the information you all have gathered, what are your recommendations?

Emily Austin: You know, as unexciting as it may be, security hygiene is really, really important. We don't talk about it a lot. It's not a fancy, fun topic in the news. It's not, you know, a remote code execution or a zero-day. But by and large, like, this is still the stuff that's going to get you hacked, particularly if someone happens upon it, you know, in an opportunistic way, because it is easy to find. So you know, patch management, asset management, vulnerability management. They're not necessarily glamorous or exciting, but they are so critical to secure your organization.

Dave Bittner: That's Emily Austin from Censys.

And that's the CyberWire. For links to all of today's stories, check out our "Daily Briefing" at thecyberwire.com. Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called "Security Ha." I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like "the CyberWire" are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law-enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment -- your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiban. Our mixer is Trey Hester with original music by Elliot Peltzman. The show was written by John Petrik. Our Executive Editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.