They won't ask for sensitive information over the phone.
Alex Hinchliffe: If you're monitoring DNS logs or have protection in place to look for dodgy things happening with regards to DNS, then you have a chance of detecting this kind of activity.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: Got some good stories to share this week. And later in the show, my conversation with Alex Hinchcliffe from Unit 42 at Palo Alto Networks. We're going to be discussing some of their ransomware research.
Dave Bittner: All right, Joe, let's go ahead and jump into our stories this week. Why don't you start things off for us?
Joe Carrigan: Dave, you ever been called in for jury duty?
Dave Bittner: I have. Yes.
Joe Carrigan: Yeah. Me too - one time.
Dave Bittner: I've been - yes, I have received the letter in the mail I think probably a half a dozen times. I've only actually had to go in once and went through the sorting process that they - you know, like Harry Potter with the Sorting Hat where the lawyers, you know, decide if you're...
Joe Carrigan: (Imitating Sorting Hat) Murder trial.
Dave Bittner: Right, exactly. And I think the moment the first couple of syllables of the words journalist came out of my mouth, they were like, next.
Joe Carrigan: (Laughter).
Dave Bittner: So I have never sat on a jury, but I have been summoned to do my civic duty.
Joe Carrigan: It is our civic duty, as you said, Dave, to serve as a juror when called in the U.S. and other countries around the world. And in Maryland, if you fail to appear for jury duty when you're supposed to be there, there are penalties...
Dave Bittner: Yeah.
Joe Carrigan: ...That can include a fine of up to a thousand dollars and 60 days in jail or both.
Dave Bittner: Yeah.
Joe Carrigan: Right? So you can be out a thousand bucks and two months.
Dave Bittner: I have to say, by the way, this has caused me anxiety once or twice where - like, what happens if you - if they send you a letter and you just don't get it?
Joe Carrigan: Right.
Dave Bittner: Right? Like, then what? Do they come knocking on your door? I don't know. But fortunately, I've never had to deal with that.
Joe Carrigan: You're still entitled to due process for missing jury duty, though. So you're not...
Dave Bittner: Oh, OK. All right.
Joe Carrigan: You probably go before a judge and you say, I never got the letter. I would absolutely comply with this.
Dave Bittner: Right. OK. They don't just haul you off in handcuffs (laughter).
Joe Carrigan: Right, exactly.
Dave Bittner: OK, good.
Joe Carrigan: But they may actually issue a warrant for your arrest, right? And that's actually the crux of my story because these penalties are real. Scammers take advantage of it. And there is a story on ScamBusters about a jury duty scam. So here's what happens. You got a phone call from somebody who says I'm from the state government or I'm from the federal government, and you were supposed to appear for jury duty and didn't.
Dave Bittner: See? Yeah, yeah, there it is (laughter).
Joe Carrigan: Right, exactly. It's so good. I love that we don't rehearse this before we start, right? We just talk about what we're going to talk about here. And this is exactly the fear that you were expressing just a moment ago.
Dave Bittner: Yeah.
Joe Carrigan: Right? So you get this phone call, and the guy says - the guy on the other line says, you need to give me some information for verification purposes, right? And then the person starts asking for all kinds of information, like your name, your address, your birthday. Of course, they're going to say this is for verification purposes, right?
Dave Bittner: Right. Bank routing number.
Joe Carrigan: Social Security number.
Dave Bittner: Visa card number (laughter).
Joe Carrigan: They say that you've been charged with a crime and you have to pay a fine in Maryland, $1,000. So if you want to pay that over the phone right now, we can do that.
Dave Bittner: Right.
Joe Carrigan: So give me your credit card number. It's very easy to see why this works because of exactly what you said. This is something that has always bugged you or sits in the back of your mind. And in fact, I'm sitting here thinking about it. You know, you're telling me you've been called dozens of times or at least gotten mailed dozens of times. It's only happened to me once.
Dave Bittner: Or so you think.
Joe Carrigan: Right, exactly, now I'm nervous.
(LAUGHTER)
Dave Bittner: Right. Right. Yeah, just staying one step ahead of the law.
Joe Carrigan: Right.
Dave Bittner: (Laughter).
Joe Carrigan: I'm nervous about what happens next time I get pulled over, you know? I have been pulled over a couple times recently, so - you know, within the past couple of years.
Dave Bittner: Yeah, old lead foot Carrigan over there.
Joe Carrigan: That's right. Yeah.
Dave Bittner: (Laughter).
Joe Carrigan: That's what they say.
Dave Bittner: Yeah.
Joe Carrigan: But I have not had them say - you know, they always ask, do you have any warrants out for your arrest, right? And I always answer the same way - not that I know of.
Dave Bittner: (Laughter).
Joe Carrigan: But who knows. Maybe there was a jury duty summons that I didn't get, and now there's a summons for failing to appear for jury duty. So who - I don't know that there are any - you know, that's also an unnerving question. So when these - what's - this call comes in - I mean, first off, no legitimate court system is going to ask you over the phone for sensitive information like your Social Security number, your date of birth, all that information.
Dave Bittner: Right.
Joe Carrigan: If they do call you at all, they're going to say you didn't appear for jury duty. You need to come down to the courthouse.
Dave Bittner: Yeah.
Joe Carrigan: Right?
Dave Bittner: Right.
Joe Carrigan: And I don't know what the process is at that point in time, but if - that's if they do call you, but they're probably just going to send you another letter.
Dave Bittner: Right, a nasty gram.
Joe Carrigan: A nasty gram, right.
Dave Bittner: Right.
Joe Carrigan: But - so when someone calls you - I've adopted this new policy, right? I get - I started answering the car warranty calls.
Dave Bittner: Oh.
Joe Carrigan: Right?
Dave Bittner: OK.
Joe Carrigan: And they say our records indicate that your car is about to go out of warranty. And I say, well, what kind of car do I have? And they go, well, you have to tell us that. And I'm like, you say your records indicate my car is about to go out of warranty.
Dave Bittner: Yeah.
Joe Carrigan: What do your records say about what my car is? Do the same thing here. You missed jury duty. Oh, yeah? What's my name?
Dave Bittner: Right, right.
Joe Carrigan: Of course, that doesn't mean they don't have it because there's all kinds of information about you out there. Like, the T-Mobile breach - it would be very easy for someone to utilize that number or that information to get your phone number and then know your name. So when you go, oh, yeah, what's my name, they just go, oh, you're Joe Carrigan. Oh.
Dave Bittner: Right.
Joe Carrigan: Yeah, I am Joe Carrigan. OK.
Dave Bittner: Here's your address.
Joe Carrigan: Here's your address. Here's all your information.
Dave Bittner: And your email and your password (laughter).
Joe Carrigan: Right.
Dave Bittner: Right, right.
Joe Carrigan: So that information does exist. But, you know, I still would do it to have fun with these people.
Dave Bittner: OK.
Joe Carrigan: But be aware of the scam. If someone's calling you telling you that you missed jury duty and you didn't get a summons, it's probably a scam.
Dave Bittner: Yeah, yeah. I think you're right. And, boy, that - I could - I just said I could totally see that playing into someone's anxiety because that is a real anxiety that I have experienced before.
Joe Carrigan: Right.
Dave Bittner: So, yeah, interesting.
Joe Carrigan: Yeah.
Dave Bittner: All right.
Joe Carrigan: I'm experiencing it right now.
Dave Bittner: (Laughter).
Joe Carrigan: All I can think about. I'll obsess about it for the rest of the day.
Dave Bittner: Well, just, you know, straighten up, fly right, keep under the speed limit, and you won't have run into any trouble, right? Keep your nose clean, Joe.
Joe Carrigan: Hopefully.
Dave Bittner: Yeah. All right - good stuff. And we'll have a link to that story in the show notes, of course. My story this week comes from WIRED, written by Lily Hay Newman. She always does great work over there at WIRED. And it's titled "You Can Now Ditch the Password on Your Microsoft Account." You no longer need a long string of characters to access Windows and Office 365. So Microsoft for a while has offered passwordless (ph) access on their enterprise accounts.
Joe Carrigan: Yes.
Dave Bittner: And now they have - they're rolling it out for consumer accounts. And I think this is very interesting. So if you want to, right now it's opt-in. You can go in and basically get rid of your password and log into your Microsoft accounts using other means. I think this is a good thing.
Joe Carrigan: I'm interested to see what the other means are.
Dave Bittner: Well, yes, and they do talk about that here. You can do - I believe you can do biometric if your hardware is capable of that.
Joe Carrigan: OK.
Dave Bittner: They will do - you can use your phone, your device, you know...
Joe Carrigan: Right.
Dave Bittner: ...Sending you an indication on your device to verify that you're logging in. I mean, there's nothing exotic about the alternative means that they're using here. But basically, instead of using them as a second factor, they're using them as the primary factor.
Joe Carrigan: Right.
Dave Bittner: You could use a YubiKey also, a hardware key. So...
Joe Carrigan: I like that one the best.
Dave Bittner: Yeah. So they have a number of options here. But I think this is interesting, first of all, that an organization as big as Microsoft - and by the way, I should mention Microsoft is a sometimes sponsor of the CyberWire. They like us to mention that whenever we talk about a Microsoft story.
Joe Carrigan: Right.
Dave Bittner: But that someone as big as Microsoft is rolling this out - I wonder if this could be something that leads the way that - you know, we've - you and I have asked many times, what would it take for folks to jettison passwords altogether? I think it would be interesting if this were a first step towards having the password list method be the default...
Joe Carrigan: Yes.
Dave Bittner: ...Because I don't think it is yet. I think right now it's just an option. But wouldn't it be interesting if passwords, someday soon, hopefully...
Joe Carrigan: Right.
Dave Bittner: ...Become the option?
Joe Carrigan: Yeah. We've been talking about ditching passwords for probably about a decade and a half now. Since, you know, the mid-2000s, we've been talking about getting rid of passwords because they're awful. And we're not good at using them as humans.
Dave Bittner: Right.
Joe Carrigan: And it is a holdover like email from the late '60s, early '70s. It was never envisioned to be used on an internet-wide scale.
Dave Bittner: Yeah.
Joe Carrigan: Right?
Dave Bittner: Yeah.
Joe Carrigan: It was just envisioned as a way to stop people from using all the time on a Time Sharing System. And when you take something that's not designed to scale and scale it, then you have all kinds of problems. And we, of course, have had all kinds of problems with passwords. So, yeah, we've been thinking about jettisoning passwords. And now Microsoft doing this is great. I have - I'm not a big fan of biometrics. I've said that frequently...
Dave Bittner: Yeah.
Joe Carrigan: ...Mainly because they're immutable.
Dave Bittner: Right.
Joe Carrigan: You know, you can't ever change them.
Dave Bittner: Right.
Joe Carrigan: And that may or may not be bad. But if it becomes possible to reproduce a biometric signature and spoof a biometric signature, that's going to be a problem.
Dave Bittner: Yeah.
Joe Carrigan: If any biometric protocol gets hacked thus, it's going to be an issue.
Dave Bittner: Yeah.
Joe Carrigan: Of course, you can change the protocol once that vulnerability is discovered, but I still don't like it. The using a phone device - I'd like to know how that works. I'd like to know the technical details of that because if it's - let's say I have a Microsoft app on my phone that I'm logged into, and that app is what provides the input to me that somebody's trying to log into my account who's not me. Well, how am I going to log into that account or into that app? Do I have to use a password on that app?
Dave Bittner: Yeah.
Joe Carrigan: It sounds like passwords don't really go away in that sense. Using a YubiKey is the option I like the best because it uses universal two-factor, which is a public key private key scheme. That key is generated on the fly, actually. The YubiKey doesn't store the private key. It generates it based on who you're asking, who's on which website you're going to and a secret that it has inside. But the only thing Microsoft stores in that case is a public key, which is fine if that gets breached. It doesn't matter. And actually, that public key is only good for Microsoft. It would not be good anywhere else...
Dave Bittner: Yeah.
Joe Carrigan: ...With the way universal two-factor works.
Dave Bittner: Yeah.
Joe Carrigan: So it's - I like that option much better. So if you're going to do this, use a YubiKey. Go out and buy a couple of YubiKeys - two or three of them. And set them all up to be used with this.
Dave Bittner: Yeah. I - like, I use LastPass as my password manager, and they have a system with your mobile device. For example, if I'm logging in to LastPass on my desktop machine, the second factor is the mobile app on my phone. And all it does is pops up a little window on my phone that says, is this you trying to log in on the desktop? And I just say, yup.
Joe Carrigan: Yup.
Dave Bittner: And that's it.
Joe Carrigan: That's good. Google...
Dave Bittner: And I'm in. Yeah.
Joe Carrigan: Google does that, too, with a lot of their stuff. But again, you have to log into the phone initially.
Dave Bittner: Yeah.
Joe Carrigan: Right?
Dave Bittner: Yeah.
Joe Carrigan: So.
Dave Bittner: I do like the biometrics on my iPhone. I think Face ID is very convenient. I like the way that it is stored on device in the secure enclave. So I think it's a good balance between...
Joe Carrigan: Yeah.
Dave Bittner: ...Security and not - that Apple does not actually have my biometric information.
Joe Carrigan: Right.
Dave Bittner: It's just - you know.
Joe Carrigan: Yeah. If someone wanted to argue biometrics with me, you know, I'm - if you want to do that, I wouldn't say that's bad - especially with Face ID. Face ID is remarkably strong...
Dave Bittner: Yeah.
Joe Carrigan: ...For a biometric. It's of course built into the Apple hardware...
Dave Bittner: Right.
Joe Carrigan: ...Like you're saying. But not just the storage of the secret, but the generation - you know, in order to - in order for you to generate something, you have to be in front of the camera. The camera has to actually sense your pulse, which is remarkable to me.
Dave Bittner: Yeah.
Joe Carrigan: And it - I mean, there are a lot of features built into that - into Face ID.
Dave Bittner: Yeah. Yeah. And it just works, which is the...
Joe Carrigan: It does. Well, that's...
Dave Bittner: That's the trick, right?
Joe Carrigan: That's Apple, right? Everything just works.
Dave Bittner: (Laughter) Right, right. All right. Well, I think this is a really interesting development from Microsoft here. And...
Joe Carrigan: Me, too.
Dave Bittner: ...You know, they have the scale and the clout certainly to lead the way on something like this. So this article points out that they already have 200 million passwordless users on the enterprise side. So they've had the ability to really test this out and make sure that it's going to work.
Dave Bittner: There's a nice quote here from Bret Arsenault, who is Microsoft chief information security officer. He said, "you think that everyone hates passwords, but there is one faction of people who love passwords. They're called criminals."
(LAUGHTER)
Dave Bittner: I think that's right.
Joe Carrigan: Yeah.
Dave Bittner: I think that's right. So if that's something we could take out of the equation, out of the ecosystem, it seems like a good thing to me.
Dave Bittner: All right. We'll have a link to that story in our show notes. And of course, we would love to hear from you. If you have something you'd like us to cover, you can email us to hackinghumans@thecyberwire.com.
Dave Bittner: All right, Joe. It is time to move on to our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Joe Carrigan: Dave, our Catch of the Day comes from Lucio (ph), who's sent us Catch of the Days before, I think. But he sent us a bunch of stuff today. First off, he says he listens every week, so we appreciate that. Thank you, Lucio.
Dave Bittner: Very nice. Thank you.
Joe Carrigan: And he wanted to thank us for recommending sites for learning more about cybersecurity. Lucio says he does use Cybrary.
Dave Bittner: OK.
Joe Carrigan: That's kind of hard to say - Cybrary.
Dave Bittner: Cybrary - yeah.
Joe Carrigan: Right. He thinks the price is pretty reasonable. It costs about 20 bucks a month if you pay for an annual subscription. He does say there are no refunds, so you can't get a prorated - if you quit six months in, you're not getting half your money back.
Dave Bittner: (Laughter) OK.
Joe Carrigan: They do have a seven-day trial.
Dave Bittner: Yeah.
Joe Carrigan: So Lucio says it's pretty good.
Dave Bittner: Yeah, not a terribly high risk there...
Joe Carrigan: Right.
Dave Bittner: ...If you want to check it out. Yeah, yeah.
Joe Carrigan: Yup. He sent us a text message that he received, as well as some other stuff we'll get to in a minute. But Dave, why don't you read this text message?
Dave Bittner: All right. It goes like this. Hey there. Sorry to keep messaging you, but we only have seven brain pill samples left. These prevent dementia, boost your IQ in minutes, improve focus and concentration, improve memory by 350%, reverse the effects of aging. Supercharged energy booster - feel young again. Remember, you're going to love it. Grab that free sample. You owe it to yourself. You only live once. Feel young forever. Read this article. Click here.
Joe Carrigan: Lucio didn't go on to click the article, which is...
Dave Bittner: (Laughter).
Joe Carrigan: Or click the link, which is good.
Dave Bittner: Yeah.
Joe Carrigan: (Laughter) Which is good. This is probably just a spam message, but I like it. Boost your IQ in minutes. Improve memory by 350%.
Dave Bittner: Yeah.
Joe Carrigan: There's an old Far Side where this salesman's talking to a guy who looks like his faculties are less than average.
Dave Bittner: Yeah.
Joe Carrigan: And the guy goes, double my IQ? I'm in - or something.
Dave Bittner: (Laughter).
Joe Carrigan: Reminds me of that.
Dave Bittner: OK.
Joe Carrigan: So...
Dave Bittner: Very nice.
Joe Carrigan: I...
Dave Bittner: Very nice.
Joe Carrigan: I thought I'd throw that in there.
Dave Bittner: Yeah. I mean, this has something here for everyone.
Joe Carrigan: Right. Yeah.
Dave Bittner: Yeah. It's just - I'll be - let's see. I'll be smarter. I'll have more energy. I'll feel young again - better memory.
Joe Carrigan: You'll feel young forever, Dave. That's a pretty bold promise.
Dave Bittner: Forever is a long time.
Joe Carrigan: Right. It's like...
Dave Bittner: Forever is a long time (laughter).
Joe Carrigan: You know...
Dave Bittner: I mean, it...
Joe Carrigan: Do you show up, and it's like "The Lost Boys," and they make you into a vampire?
Dave Bittner: What if it just kills you?
Joe Carrigan: Right (laughter).
Dave Bittner: It reminds me of that joke about - Joe, did you know that there is a mushroom that if you eat it, it will provide sustenance to you for the rest of your life?
Joe Carrigan: Ah. No. Tell me about this mushroom, Dave.
Dave Bittner: Well, it'll kill you.
Joe Carrigan: (Laughter).
Dave Bittner: So the rest of your life won't be very long.
Joe Carrigan: (Laughter) Right.
Dave Bittner: That's the joke. All right (laughter).
Joe Carrigan: Yup.
Dave Bittner: Well, our thanks to Lucio for sending that in. Again, you can write us at hackinghumans@thecyberwire.com. We would love to hear your Catch of the Days.
Dave Bittner: All right. Joe, I recently had the pleasure of speaking with Alex Hinchliffe. He is from Unit 42 at Palo Alto Networks. And our conversation centers on some of the research they've been doing when it comes to ransomware. Here's my conversation with Alex Hinchliffe.
Alex Hinchliffe: Our counterparts in our fairly newly formed incident response team called Unit 42 Consulting - that's formerly Crypsis - they were working some cases with some victims from this particular ransomware. And the collaboration between the two teams - that's the consulting side doing the incident response and the threat intel side, where I am - have been collaborating and sharing information a bit more freely recently. So we just simply came across this case for quite an interesting ransomware. And it's interesting for various different reasons. But we picked up on it and worked on it together and then published a blog.
Dave Bittner: Well, let's go through some of the details together. I mean, certainly, at this point, I think most folks are familiar with what ransomware is and how it works. What are some of the things that set this Mespinoza group apart?
Alex Hinchliffe: Yeah. So it's interesting. I mean, ransomware has been around for many, many years, I mean, since the 1980s, I believe, if I'm correct in thinking back that far. But lately, I guess since about 2010, '11, in a more prevalent fashion and has evolved over those years. But more recently, we're seeing this kind of what we call a post-intrusion ransomware and more targeted ransomware that looks a bit more like a traditional breach, where there's some kind of, you know, spearhead into a victim organization. And then instead of simply, you know, deploying ransomware on one system and asking for some money, they grab credentials, they move laterally, they try to deploy their ransomware to as many hosts as possible and effectively bring into question that business' viability.
Alex Hinchliffe: So that's the kind of breed of ransomware they're talking about here. What sets this apart slightly differently is they actually install a backdoor, which we call gasket - this particular Trojan that we've called gasket - to provide another communication mechanism, command-and-control mechanism, with the victim's systems. And that is a bit different. I mean, with ransomware, it's quite rare to see any command-and-control traffic from ransomware because once it's deployed, the communication, if you like, to the victim is through a ransom note that says you need to pay us. And this is how to go about doing it, you know? Call this number or email this address. In this particular case, they actually set up a secondary communication mechanism, presumably that if the organization kicked them out and managed to restore from back-up and do these other things, potentially, they might have a way of getting back in and trying again.
Dave Bittner: Wow. Well, can you walk us through - how would someone find themselves a target of these folks? And then, what would get you infected?
Alex Hinchliffe: Yeah. So from what we've seen - and obviously, it's through our kind of aperture on the world, through our telemetry and through the incident response cases that we've worked. It's always been through a remote desktop protocol and from Microsoft systems. What we've seen is that quite often, especially post-pandemic, with more people working from home, more people trying to do their learning from home and everything else that the remote desktop and remote capabilities have increased. And a lot of organizations are exposing this unnecessarily on the internet.
Alex Hinchliffe: And in this case, Mespinoza will effectively scan the internet looking for remote desktop protocol systems, and then try and, you know, compromise that system and get access to the network. What we've seen at Unit 42 is they've never used vulnerabilities to take control of the system. So they've never used a bug, if you like, in the RDP service or any other remote control software. It typically is using credentials. We don't know how those credentials came to be in possession of the Mespinoza group or where they were compromised. But essentially, they've got these credentials. And they can get their way into the RDP system.
Dave Bittner: And what are their capabilities? I mean, once they get a hold of someone's system and they're able to, you know, have purchase on that, what can they do within?
Alex Hinchliffe: Yeah. So once they get access - I mean, I think this particular group - I wouldn't say they're the fastest. There have been some media reports talking about ransomware that can effectively hold us - hold an organization compromised in a matter of minutes or hours. In one particular case that we worked with Mespinoza, I think it was about three days or just under three days from the point at which they breached the network.
Alex Hinchliffe: Once they were in, to your question, they dumped credentials. And they managed to harvest credentials from various different systems, like Active Directory, which controls all the usernames and passwords on a corporate network, typically - but also systems like PuTTY and WinSCP and other tools that are used to communicate with other systems. And they all - typically, they store session information in them. So they use tools to, you know, gather as many credentials as possible, which helps them move around the network. And once they have enough of the network compromised - and indeed, like some other ransomwares, they even use Wake-on-LAN technology to try and wake up hosts on the network that may have been, you know, shut down or put to standby mode so that they can get more and more victims. Once they have all that, they essentially use a centralized server to deploy the ransomware and execute it on every single system.
Dave Bittner: Now, before they start running the Mespinoza ransomware itself, is it right that they go through an exfiltration process as well?
Alex Hinchliffe: That's right, they do. And that's not the case with every ransomware, but it certainly seems to be good - quite a popular technique - this kind of double extortion technique where, yes, they will exfiltrate data, hold that hostage as well, potentially, you know, leak some of it on a leak website which they have, and then essentially use it as leverage for getting payment.
Alex Hinchliffe: And what they typically do in the case of Mespinoza is that they search and enumerate lots of different file types on all the victims' systems looking for certain keywords around finance and confidentiality and PII information about employees and things like that; and even some more sensitive terms like illegal and fraud, potentially trying to find, if you like, any dirt on the organization or anything that they've been involved in that could provide even more leverage for the ransom demands.
Dave Bittner: One of the things that you all point out in your research here is that this group seems to be a little cocky. They have a certain amount of swagger in their communications with their victims.
Alex Hinchliffe: Yeah, certainly. And I think - we were debating whether to call them kind of arrogant in their ransom note. They have a mini kind of FAQ section about what's happening and how to, you know, get in contact and how to get files decrypted and so on. And there's one question in there, which is, what to tell my boss. And the answer is, protect your system, amigo, which actually stands for the acronym P-Y-S-A or PYSA, which is the alias for Mespinoza. So Mespinoza is also known as PYSA ransomware. So yeah, that's quite interesting.
Alex Hinchliffe: They call their victims partners because I guess that they're - with some of them, they're doing financial transactions; you know, getting the ransom payments from their victims. So they - it's almost like a business transaction to them. They call them partners.
Alex Hinchliffe: And the leak website, as well, is the stylesheet - or the theme, if you like, of the website is like an old BIOS interface from a PC, you know, 10 years ago, which kind of indicates maybe that they are kind of nerds or geeks and they like that kind of interface. But it's also, again, a little bit cocky.
Dave Bittner: Right. You have a - enjoy this sense of whimsy while you're being extorted for money.
Alex Hinchliffe: Yeah. Yeah.
Dave Bittner: Yeah. What are your recommendations then? I mean, for folks to best protect themselves against this, what do you suggest?
Alex Hinchliffe: Well, I think there's multiple things that can be done. And since in this case we're talking about the initial entry point being across the network and across the internet using RDP, that certainly organizations need to understand their footprint, if you like, or their attack surface area, especially when it comes to the network. And so whatever is visible to them, if they were scanning themselves from the internet, is clearly visible to anyone else with access to the internet. So I think they need to understand more about what's connected to the internet and lock down whatever they can. So expose less to the internet. And whatever is exposed to the internet, make sure it's as secure as possible in terms of credentials, multi-factor authentication and also protecting it behind a VPN or a firewall or something like that.
Alex Hinchliffe: I think once the ransomware is - or once the attackers are in the network and once the ransomware is about to be deployed, I think endpoint protection really plays a good role here. And there, especially in more modern endpoint protection, which can look at behavioral techniques, it typically can understand when a program is looking like ransomware because most ransomware does the same stuff. They enumerate all the files on the hard drive, try and find the ones they're interested in, make a copy of them, encrypt that copy and so on. So actually, it's relatively easy to spot ransomware when it's running. So if you have the endpoint protection to cover you, then that's good.
Alex Hinchliffe: And in this particular case, a bit like some of the other post-intrusion ransomware actors, they use lots of tools; typically open source tools for pen testers and system administrators. And those tools, in this case, are used for scanning the network and looking at all the open ports on the network and various other things that help the actors move as quick as they do through the victim network. So looking at things like use of PowerShell scripts to communicate with the registry and disable security products or communicate with Active Directory, those kind of things.
Alex Hinchliffe: And again, quite unique to this group is the backdoor Trojan that they installed in the victim systems. And actually, that communication channel has two. One is HTTP, the other is DNS. And I believe it relied mainly on the DNS one. So actually, if you can - if you have the ability of detecting DNS tunneling traffic - and in this case, it used text records, which are very rarely used and quite suspicious - again, you have a way of - if you're monitoring DNS logs or have protection in place to look for dodgy things happening with regards to DNS, then you have a chance of detecting this kind of activity.
Dave Bittner: So is it fair to say that this group is relying more on the speed at which they can do things rather than being stealthy?
Alex Hinchliffe: Yes, I'd say so. I mean, with ransomware, it's hard to be stealthy anyway because often, you know, you render a computer almost useless anyway. You do...
Dave Bittner: Right.
Alex Hinchliffe: You often throw off a message saying, hey, you're encrypted. You know, pay us one bitcoin and you can have your files back. So in that sense, it's far from subtle. But yeah, I think with these - with this group, once they're in, they have the tools, the discipline and now the experience. I think they've been active for - since about April 2020, so quite a while. They're gaining experience. They're evolving. So they are pretty brash, pretty quick off the mark to fulfill their mission.
Dave Bittner: All right, Joe. What do you think?
Joe Carrigan: Dave, ransomware is now like a feature of a full-scale penetration, right? It used to just be that it would just be something that these guys let loose in your network or hopefully got you to install something. But in a penetration, these attackers are spreading through the network. They're elevating their privileges. They're installing backdoors, which is terrifying because that just helps them maintain continued access.
Dave Bittner: Right.
Joe Carrigan: They even wake up sleeping or computers that have been turned off with this wake-on-LAN feature. They send all the IPs in the range a message and then scan the range again to see if computers come back up. Because you could have a computer off that's sitting there. If it's connected to the network and has wake-on-LAN...
Dave Bittner: Yeah.
Joe Carrigan: This is - I hadn't even considered this as a threat vector, but it is.
Dave Bittner: So in the middle of the night, all the - you know, your computers are shut down at your office, but...
Joe Carrigan: Right. Like, if - even if your users shut the computers...
Dave Bittner: Yeah.
Joe Carrigan: ...Off at the end of the day, these guys can still turn them on if you have wake-on-LAN enabled.
Dave Bittner: Wow. OK.
Joe Carrigan: They steal all kinds of data. And then they install the ransomware in an attempt to monetize the attack directly.
Joe Carrigan: I find it interesting that these guys are accessing everything via Remote Desktop Protocol or RDP. For any of our listeners that don't know what that is, Remote Desktop Protocol is a very useful tool for computers within a network that let you essentially act like you're sitting at the computer itself.
Dave Bittner: Yeah.
Joe Carrigan: So...
Dave Bittner: You remotely access someone else's computer.
Joe Carrigan: Right. But it - I mean, you're literally sitting there looking at a Windows desktop. It's not like you're on the backend talking through a terminal or something.
Dave Bittner: Right. OK.
Joe Carrigan: So you get the full Windows experience. And people are putting these systems - according to Alex, they're just putting them out there on the internet. I don't doubt that at all. But that's really bad. It's essentially like taking a computer that's on your network and putting it out on the street, right?
Dave Bittner: (Laughter) Right. Right.
Joe Carrigan: Would you do that? No. No, you wouldn't do that. You should at least be putting that thing behind a VPN...
Dave Bittner: Yeah.
Joe Carrigan: ...And then using multi-factor authentication on that VPN to make sure that the user who connects to it is authorized and not some impersonator. These things are very easy to find when they're exposed. If you just put an RDP server on the internet, it is a very simple matter to scan that IP address and find if the RDP ports are open. It's trivial, in fact.
Joe Carrigan: In fact, it's trivial to scan the entire internet and get back a list of IP addresses that have the RDP ports - the default RDP ports open. And it's very noisy, but if you do that massive scan from one location while you're conducting your attack from another location, it's fine. It works just great. So don't think that just by putting something out on the internet and going, well, nobody's ever going to look here - every attacker is always going to look there (laughter).
Dave Bittner: Right.
Joe Carrigan: They're going to see it.
Dave Bittner: Well, they're just systematically scanning everything.
Joe Carrigan: Right, exactly.
Dave Bittner: Yeah.
Joe Carrigan: And they're doing it all the time looking for new targets.
Joe Carrigan: Alex said once they found the RDP system, they're not hacking in, right? They're not using any exploits. They're just using credentials to get into these systems, which means these credentials were somehow phished before. Well, guess how you stop using - people from using phished credentials? Multi-factor authentication again.
Dave Bittner: Right.
Joe Carrigan: So if you have multi-factor authentication, not only - well, if you have this thing out there - you shouldn't have it out there. You should have it on the VPN. But you should also have it on the remote desktop. You should have Active Directory using multi-factor authentication - or perhaps the new passwordless thing you talked about today with Microsoft.
Dave Bittner: Right.
Joe Carrigan: I think that could work.
Joe Carrigan: Speed is key for these guys. Three days is remarkably fast. About a year ago, we were talking about the average time to discovering someone's in your network being, like, six months.
Dave Bittner: Yeah. Yeah.
Joe Carrigan: And now - I mean, these guys are not going in there to do reconnaissance for six months and stick around in your network and maintain a presence and observe. They're actually going in there with - you know, essentially doing a smash, grab and disable, right? So - but three days to get in there, do all this stuff and get out and then demand a ransom is remarkably fast.
Joe Carrigan: They call their victims partners...
Dave Bittner: (Laughter).
Joe Carrigan: ...Which is kind of bold, I think. And one of the things that Alex said that's key is these guys have been around since 2020. And as they practice their skills, they really, really, really get a lot better at them.
Dave Bittner: Yeah.
Joe Carrigan: So they're only going to get more efficient at doing this.
Dave Bittner: Yeah. Lots of refinement that goes on. They...
Joe Carrigan: Right.
Dave Bittner: They have the ability to iterate quickly.
Joe Carrigan: Yes, they do.
Dave Bittner: Yeah. All right. Well, again, our thanks to Alex Hinchliffe from Unit42 at Palo Alto for joining us. We do appreciate him taking the time.
Dave Bittner: We want to thank all of you for listening. That is our show. Of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: And I'm Joe Carrigan.
Dave Bittner: Thanks for listening.
