A look at the cybercriminal underground, its commodity tools, its rising gangs, how it recruits talent and affiliates, and even how it raises investments.
Dave Bittner: Legitimate tools are abused as commodity initial access payloads. Hades ransomware is circulating in some new sectors. Criminal markets are sharing more features with legitimate markets, including advertising, recruiting and even funding rounds. Cybercrime uses cryptocurrency, but the key to success may be location more than technology. Ben Yelin describes insurance companies collaborating on cyber breach data collection. Our guest is Michael Osborn from Moody's on a recent rash of cyberattacks hitting higher education. And Denmark’s central bank is reported to have been a victim of the SolarWinds compromise.
Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Tuesday, June 29, 2021.
Dave Bittner: Proofpoint has concluded that Cobalt Strike, the well-known legitimate penetration-testing tool, is becoming increasingly popular as an initial access payload deployed by threat actors. It's become a commodity tool, more often used by cybercriminals than by state-run advanced persistent threats. Criminal activity using Cobalt Strike peaked in 2019 and 2020 and has fallen off somewhat since, but it remains a problem.
Dave Bittner: Crediting research by Accenture, CyberScoop reports that the Hades ransomware gang is coming into sharper focus. It's recently been targeting consumer goods and services, insurance and manufacturing and distribution industry sectors. It's also added Phoenix Cryptolocker to its arsenal. Unlike other ransomware groups, Hades does not appear to use an affiliate network. Attribution remains murky, with various researchers calling it a new group and others linking Hades to either Russian or Chinese threat actors.
Dave Bittner: Criminal markets continue to develop similarities with legitimate markets. LIFARS has shared a new wrinkle in this trend with Fast Company. Cybercriminal groups are investing in promising new ransomware enterprises in much the same way venture capital firms invest in tech startups. In exchange for financial support, the criminal backers receive a cut of future profits.
Dave Bittner: Calls for investment are typically made over secure chat apps like Telegram, and only investors with proven connections to the criminal underworld are accepted. So if you’re a prospective backer of a ransomware gang - not that you would be, of course, but just suppose - you’d have to show that you’d made your bones, as La Cosa Nostra says in the movies. In this case, you don’t do that by whacking some jamoke, but rather by showing some evidence that you’ve been involved in digital crime. Fast Company says that sending a token amount of cryptocurrency traceable to a ransomware incident or something similar to a certain address will usually suffice.
Dave Bittner: Why would you bother either soliciting investment or deciding to invest? Aren’t criminal operations like ransomware effectively self-funding? They are, for the most part, but they have their startup expenses, too, and even hoods need to eat while they’re waiting for the victims to pay up.
Dave Bittner: Some of those startup costs may include hiring skilled coders who can build or modify the ransomware. They need infrastructure to process payment and distribute decryptors, and they need access to deep-pocketed targets. They could phish for that access themselves, but increasingly they find that it’s easier to buy that from criminal initial access brokers who’ve already phished, stolen or brute-forced compromised systems.
Dave Bittner: As far as investors are concerned, LIFARS CEO Ondrej Krehel says it's a way of spreading your risk around. You can put all your money in one basket or you can diversify, he told Fast Company.
Dave Bittner: Ransomware gangs are also advertising not only for affiliates, but for tech talent as well, BleepingComputer reports. They do that in ways that will be familiar to people looking for customers or talent in legitimate markets. Show your wares and your capabilities in the best possible light. Everybody wants to join a winner, and that's the conventional wisdom in the underground as much as it is up here.
Dave Bittner: So the hoods see a small alt-coin transaction as acceptable evidence that you're probably a fellow criminal and not a police officer or an agent provocateur. That confidence, of course, can't be absolute since the authorities can be wily, but the crooks' instincts are probably more or less sound. And again, like Cobalt Strike, cryptocurrency is far from being inherently nefarious. It has plenty of legitimate uses.
Dave Bittner: But cryptocurrency has undeniably acquired a bad reputation. FireEye CEO Kevin Mandia told CNBC yesterday that, quote, "It's an enabler that you can break in anonymously and be paid anonymously, and now you can commit crime from 10,000 miles away in a safe harbor," end quote.
Dave Bittner: Not everyone agrees, it's important to note. CNBC also quotes Katie Haun, a partner at venture capital firm Andreessen Horowitz, an investor in crypto startups, who says it's a myth that bitcoin is good for criminal activity. She says, quote, "Crypto is a step-level function improvement above the existing financial system in terms of traceability. The fact is, when crypto is used for illicit activity, it leaves digital breadcrumbs. And I can tell you that firsthand, I used blockchain technology to actually solve crimes," end quote. Haun previously served as a prosecutor.
Dave Bittner: So it seems not so much the alt-coin as the criminals' base of operations that presents the problem. If the extortionists work with the tacit or explicit permission of a host government, it's difficult to bring them to book, which is what Mandia appeared to have in mind when he told NBC that governments had an important role to play in suppressing ransomware. He said, quote, "We have to consider all the tools of diplomacy to back the desired outcome we want, which is, quite frankly, to make sure that there's risk imposed to those who take advantage of cyberspace and the anonymity it offers," end quote.
Dave Bittner: Denmark's central bank was among the organizations exposed in the SolarWinds compromise, Reuters reports, with a backdoor that stood open for some seven months. The bank told Reuters that there were no signs that the attack had any real consequences. One hopes not. And in fact, if those who came in through the SolarWinds backdoor were, in fact, as is widely believed, operators of Russia's SVR, they may be right. At least the SVR probably wasn't directly interested in bank robbery, since collection of information as opposed to coin is more in their line. Had the unwelcome visitors been privateers, of course, things might well have been otherwise.
Dave Bittner: The FBI recently issued a warning to universities highlighting their vulnerability to cyberattacks. We often discuss how a ransomware attack, for example, can lead to financial and reputational damage. But what about an organization's credit rating? Michael Osborn is vice president and senior analyst for public finance at Moody's Investors Service, and he joins us to share how the credit rating agencies are looking at an organization's cyberdefenses.
Michael Osborn: You know, it's similar to warnings of the past, you know, both from the FBI, from maybe other agencies as well, around the risk of, you know, bad actors and wanting to extract information from higher education institutions. And this particular warning revolves around a certain type of ransomware that affected, I think, it was universities in a certain number of states and some other types of institutions. But, you know, it's just another reminder that this type of attack is on the rise, that it is a real threat in higher education and that it has the potential to affect credit quality, you know, if it were to ever rise to a very serious level. And that's what we're concerned with at Moody's is, you know, its ultimate impact on credit.
Dave Bittner: What are the types of data that are at risk here with universities? What's the spectrum of things that could be affected?
Michael Osborn: Yeah. So there's a lot. And, you know, some of the attacks we've seen highlight that. You know, you might have student record data, which might be less important than, say, confidential research or financial information of students, parents, maybe the university itself. If a university runs a hospital, it - now you're talking about a different level of exposure and vulnerability with patient data records and potentially life-threatening information. And so it really runs the full gamut. And we've seen attacks threaten most of that type of information over the last several years.
Dave Bittner: And how are universities positioned to defend themselves?
Michael Osborn: Well, I think the No. 1 response seems to be, you know, cyber insurance. There's a rise in those types of policies. I think the universities that are sort of large, wealthier and have, you know, some more resources at their disposal are implementing their own, you know, cyberdefenses. And, you know, that could run, you know, a number of different ways. But, you know, I think for most universities, they don't have access to those types of resources. So insurance seems to be, you know, one mitigant at least trying to insulate them from financial harm; hard to insure against reputational harm. You know, some universities, some - again, some of the sort of bigger universities, both public and private, are part of various consortiums where they're, you know, working with their colleagues in the industry to, you know, thwart, you know, bad actors. But, you know, it's - you know, they're throwing a lot at it. That's for sure. And in an environment where the digital infrastructure is more open than it ever has, you know, with students learning, you know, online, at home and those networks being exposed more, you know, it's becoming more important. And it's consuming a larger part of university budgets.
Dave Bittner: That's Michael Osborn from Moody's Investors Service.
Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security. But more important than that, he is my co-host over on the "Caveat" podcast, which if you have not yet checked out, what the heck are you waiting for (laughter)?
Ben Yelin: We're begging you, please listen to our podcast.
Dave Bittner: Well, we don't want to sound desperate or anything, but it's a good show and worthy of your time (laughter). So Ben, good to have you back.
Ben Yelin: Good to be with you again, Dave.
Dave Bittner: This article from Insurance Journal caught my eye. And it's "Seven Major Cyber Insurers Form Company to Coordinate Cyber Analysis and Risk Mitigation." I think the modern era of ransomware has really been a punch to the gut to a lot of these insurance companies. Can you unpack what's going on here?
Ben Yelin: Yeah. So obviously, we've seen an increase in cyberattacks. And it's not just the high-profile incidents, it's also just an increase of incidents generally. So it's costing insurance companies a lot more to cover cyber incidents. So because these claims are on the rise, a bunch of leading insurers - they mention AIG, AXIS, Beazley, Chubb, The Hartford, Liberty Mutual and Travelers - have formed their own company, a separate company, to pool their data and expertise and take collective action to address this problem. So they've created this entity called CyberAcuView. And that new entity is going to compile data, enhance value and service to policyholders. That's what they say they're going to do. So what does that actually mean?
Dave Bittner: Right. Could this put them in the crosshairs for any, you know, coordination that could attract regulators' attention?
Ben Yelin: Probably not.
Dave Bittner: OK.
Ben Yelin: I don't - I would not think this is some sort...
Dave Bittner: It seems as though they're coming at this from a position of good faith.
Ben Yelin: I think it is a position...
Dave Bittner: Yeah.
Ben Yelin: It's more like a consortium of experts trying to solve a problem that seems to be pretty unsolvable at this point.
Dave Bittner: OK. All right.
Ben Yelin: I think the issue is that companies increasingly want cyber insurance, but insurance premiums have gone up so high that - you know, because of these incidents that people can't afford the types of insurance policies that would insure them against ransomware attacks. And as a result, companies feel that they're not in a position to offer cyber insurance because it's so expensive for them to try and cover.
Dave Bittner: Yeah.
Ben Yelin: And we already have a form of insurance like that, Dave.
Dave Bittner: (Laughter) Yeah. You know, I'm glad you brought that up because this strikes me - or I guess I have been wondering for a while. Is cyber insurance headed the same way that flood insurance has headed in that it is a type of insurance for which a private organization cannot make money? It is too - the payouts are too high relative to what you can possibly charge for the policies. So what you end up with is a government-backed insurance program that isn't particularly good.
Ben Yelin: No. It's...
Dave Bittner: I mean...
Ben Yelin: In fact, bad would be a word I'd use to describe...
Dave Bittner: Yeah.
Ben Yelin: ...Our flood insurance system.
Dave Bittner: Right. I mean, and I will tell you, you know, I live in an area that - my community has been affected by this. We got remapped into a flood zone. And it was expensive (laughter).
Ben Yelin: Yeah.
Dave Bittner: It was both expensive but also bad coverage. I mean, you pay a lot for insurance that really doesn't cover very much.
Ben Yelin: No.
Dave Bittner: And I wonder if we're headed that way with cyber insurance because of the big payouts.
Ben Yelin: Yeah. I mean, I think the situations are quite analogous, where the likelihood of the risk has gotten significantly higher. And the damages - so the consequences of that risk have also gotten substantially higher - that it is really impossible to cover. So, I mean, that's why I think the formation of this consortium is potentially a good solution. They can get kind of the best experts in the room to come in, figure out what best practices would be, figure out, you know, by consulting law enforcement regulators how you can ameliorate the problem in the first place, stop the proliferation of these cyberattacks and then come up with innovative risk solutions, insurance practices on the back end if something does happen. I think that's kind of the best that these companies can do because I think they're really at a loss. They found a dead end here.
Dave Bittner: Yeah.
Ben Yelin: It is not profitable for them to cover this insurance. But also, all of their clients are coming to them saying, we need cyber insurance.
Dave Bittner: Right, right.
Ben Yelin: So, I mean, I think they're kind of just desperately searching for a solution here.
Dave Bittner: You know, we recently just had President Biden meet with President Putin. And cyber was at the top of their list of things that they talked about. Could the companies come at this from that direction also, putting pressure on politicians to bring this up in a diplomatic way to say, look, we're - you know (laughter), you got an industry here that's dying because of what's going on with these cyberattacks. You know, you got to put the pressure on our adversaries overseas.
Ben Yelin: Yeah. I mean, I think this could be a big part of this newly formed organization - is, you know, they have an interest in policies that mitigate cyberattacks. So they have - you know, the power and authority vested in them by the fact that they're seven large insurers...
Dave Bittner: Right.
Ben Yelin: ...Allows them probably access to regulators and lawmakers to go in and say, we are trying to help on the back end to make sure that there is a profitable way to cover cyber incidents.
Dave Bittner: Right.
Ben Yelin: But we also need you to help us on the front end. So what are you doing at the regulatory level? What are you doing in terms of international diplomacy to prevent cyberattacks from happening in the first place? You're not going to prevent every ransomware attack through diplomacy or through regulation. It's just not going to happen. Cybercriminals are getting smarter. They are not all acting on behalf of, you know, foreign governments. So it's not going to ameliorate the risk entirely. But it should be part of your broader effort to kind of redefine this entire field because I think this field of cyber insurance is having this reckoning that flood insurance had perhaps a generation ago.
Dave Bittner: Yeah, yeah. All right. Well, an interesting move for sure. Ben Yelin, thanks for joining us.
Ben Yelin: Thank you.
Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. If your company would like to reach a quarter-million unique listeners every month, send us a note at thecyberwire.com/sponsor.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.