Downloading cracked software.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [ Music ]
David Liebenberg: So, through some of our regular Ukraine work monitoring, we have a taskforce that we have set up looking at specific Ukrainian customers who are, you know, sensitive based on what kind of company they are and, of course, where they're located. And through this regular monitoring, we discovered this trend, and once we found it on one victim, we found it on a bunch of different victims, first in Ukraine, then all over the world.
Dave Bittner: That's David Liebenberg. He's Head of Strategic Analysis at Cisco Talos. Today, we're discussing their discovery of cracked Microsoft Windows software being downloaded by enterprise users around the world. [ Music ]
David Liebenberg: So, that's how we came across it. We didn't realize how prevalent it was when we first encountered it.
Dave Bittner: Well, let's dig into some of the details here. I mean, we're talking about folks having cracked versions of Microsoft Windows installed on their systems. Is this an intentional choice by the organization to take this route?
David Liebenberg: So, it's an open question, right? Why do -- why are we seeing so much of this? I think there are a lot of reasons for it. Partly you can, you know, think of poor hygiene, poor security training, not talking about the risks of these things, but there could also be time pressures, there could be management issues, there could be "Hey, I need this done." "Oh, but that license is too expensive, figure it out." Whatever the reason is, you know, there are some sort of forces at work that are causing organizations all across the globe in all different industries, employees at these organizations, to download and leverage these crack tools.
Dave Bittner: What exactly is going on with this? In terms of, are they downloading a version of Microsoft Windows that has already been cracked or are they downloading a tool that will allow them to bypass the installation routines on Microsoft Windows? How does it work?
David Liebenberg: So, universally what we'll see is the "cracktivator" aspect of it, which is -- I have to credit that neologism to James Nutwind [assumed spelling] on my team.
Dave Bittner: I love it.
David Liebenberg: It was great. Such a great name. So, you always see that sort of activation software cracked, and usually we'll see that with a cracked or pirated version of whatever legitimate software it's trying to activate as well, but, you know, you could use that cracked activation software with, say, a trial version or something like that. But, typically, yeah, you're going to see both, you know, the activation software and the product being pirated or modified and then torrented and downloaded.
Dave Bittner: And will you -- you mentioned torrenting. I mean, is that the primary pathway that people get their hands on these things?
David Liebenberg: That's what we've seen. And, you know, for an advanced actor, right, that can do research and do recon and, you know, set the stage, they can figure out, are there particular torrents that are used in a particular geography? Are there particular tools that are especially important in a particular industry? And they can target, you know, specific torrents and specific software that way.
Dave Bittner: Well, beyond it being, you know, not the right thing to do and, you know, the legal elements of running cracked software, what are some of the other dangers that come into play here?
David Liebenberg: Yeah, so beyond just, you know, the illegality of, you know, pirating that software, there are two major risks that come from it. First, if you're using this cracked version, you're not going to get the regular security updates, you're not going to get the patches, you're going to be at risk from a vulnerability angle. What we've seen, even more concerningly, is that these adversaries are bundling these cracked activators with malware, and these aren't, you know, just miners and nuisance malware like that; they're putting RATs in there, you know, powerful remote access Trojans that they can then use to download second-stage malware to get credentials, escalate privileges, move laterally, and just get a head start into your traditional apocalyptic attack chain. So, you know, while it might seem kind of harmless, in fact, torrenting and downloading this cracked software can lead to really serious security issues.
Dave Bittner: And to be clear here, I mean, if I download one of these "cracktivators," as you all call them, and let's say a copy of Windows; the copy of Windows will work despite the fact that I have that other stuff installed over the top of it.
David Liebenberg: Yes, exactly. And they're going to do whatever they can to, you know, remain silent so you think, hey, I'm just using, you know, this free Windows, this is awesome. Well, in the background they've modified your Windows Defender. They've modified, you know, your firewall. They've made changes to, you know, your defenses so that they can operate more clearly. They are maintaining network connections, since these activators have to be rechecked periodically. So, they're going to have access to it that way. So, you know, there is potentially going to be a lot of malicious activity going on in the background while you're writing your Word document. [ Music ]
Dave Bittner: You know, you mentioned that this came to your attention in part because of the work that you all are doing in Ukraine. Do you think this ties into the conflicts there?
David Liebenberg: Absolutely. I do think that there are APTs and advanced actors involved in that conflict who know that this is a potential means of entry. So, you know, we have observed that there are advanced actors; there's open source reporting of, you know, advanced actors using this to target organizations in sensitive areas like that, so it's an easy way for an APT to just kind of get a head start and get in there and then launch the rest of their attack chain.
Dave Bittner: What are your recommendations then for organizations to protect themselves against this?
David Liebenberg: I think first and foremost there needs to be a very strong and emphatic awareness campaign, whatever you want to call it. There has to be robust training and instructions not to do this, the risks that can be involved, the sheer scale and scope of the problem, just really drilling it into employees and perhaps to the next level of management all the way up that this is an incredibly serious issue. It's not just about, you know, the legality, as we mentioned, against the legitimate software, but also all these security issues that could happen. Beyond that, you know, you want to do all the sort of traditional things that can limit harm once an adversary has entered. So, you want to make sure that you're, you know, segmenting your network so when this happens they don't move to the ICS, they don't move to the more sensitive areas, you have that blocked off. You want to make sure you have multifactor authentication. You want to have regular monitoring and logging and, as I always say, get an IR plan in place; make sure you are not trying to plan how to put out the fire while the fire is raging.
Dave Bittner: Yeah, well, while you all have been digging into this, are there other apps or operating systems besides Windows that seem to be targeted here?
David Liebenberg: So, Windows is the one we looked at primarily, but I have to assume that there is going to be a rich landscape of these kinds of "cracktivators" for a whole suite of, you know, different software used for different industries and different geographies. So, there was a European biomolecular research institute, BleepingComputer wrote about this, and a student downloaded some pirated statistics software and through that Ryuk happened. It's not just Windows and it's not just RATs and/or, you know, miners or APT; this could be ransomware, this could be truly, you know, any threat that you can think of could be bundled with these things.
Dave Bittner: You know, it strikes me, David, that there's a cultural component here as well, in that, when we talk about shadow IT and if the IT department says to someone, you know, "No, you can't have that copy of Adobe Photoshop" and, you know, the employee says "Well, I need that to do my work." That could lead them in this direction.
David Liebenberg: Exactly. That -- I think that plays a huge part in this, these kinds of pressures that will come through the business and through employment, where there's going to be this kind of conflict between what would be secure and what would be expedient or what will just help me keep my job, right? I mean, you see that as a factor in so many different kinds of attacks, like a phishing attack that plays upon, you know, an employee's responsibilities or fears that something might happen. So, you know, fear of losing your job or fear of, you know, getting disciplined is a powerful kind of motivator for people to do things that might not be so secure.
Dave Bittner: Is there any sense at all for what might be causing the increase here that you all are tracking?
David Liebenberg: I think, you know, it might just be something that's a little bit understudied and under-monitored; like, I did not know personally the scale of this issue until we took a look at it. So, I think if we expand our research, we look into other software, we find more, you know, indicators to pivot on, you could find that, you know, it's a much wider problem than we had any idea about. But I think, as with, you know, all malicious activity, there are also going to be responses to, you know, different trends, whether that's geopolitical, so, you know, the conflict -- a conflict somewhere, where Russia's invasion of Ukraine leads to elevated threat activity; you can see that reflected in something like this as well. But in general, I think there's just a mountain under the sea that we haven't fully -- fully explored yet, but it seems to be a pretty vast problem.
Dave Bittner: And to be clear here, I mean, we've been talking about Ukraine, but your research has found this here in the U.S. as well.
David Liebenberg: Absolutely. And, you know, we have a geographical distribution that shows a strong concentration in eastern Europe, and one of the more surprising things from our sort of geographical distribution information is there is a pretty small section in APAC. I know from my years of research on threat actors in that area that there is a lot of pirated software that goes on there too, that is also exploited and used in different adversarial campaigns. So, I think if you looked at different cracktivators, in addition to Windows and other software that requires licensing, you would see very interesting different geographical distributions and different industries targeted. So, it's a very fascinating, diverse and kind of difficult problem. [ Music ]
Dave Bittner: Our thanks to David Liebenberg from Cisco Talos for joining us. Our discussion today was on their work tracking cracked Microsoft Windows software being downloaded by enterprise users across the globe. We'll have a link in the Show Notes. [ Music ] The CyberWire "Research Saturday" podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Elliott Peltzman. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. [ Music ]