The CyberWire Daily Podcast 8.6.21
Ep 1391 | 8.6.21

FTC warns of smishing targeting the unemployed. Initial access: buying it one way or another. Is the criminal gig economy vulnerable? Ransomware continues to hit healthcare.


Dave Bittner: Smishing campaigns are seeking to exploit the unemployed. Initial access brokers seem to not have missed a beat, although some gangs are seeking to bypass them by trolling for rogue insiders. Are criminal enterprises vulnerable in the gig economy front? Criminal affiliates are disgruntled, and that's good. Clearly, health care isn't off the target list. Thomas Etheridge from CrowdStrike on eCrime extortion. Chris Jacob from ThreatQuotient joins us with a look back at Black Hat. Anup Ghosh from Fidelis Cybersecurity has insights on active defense. And hey, Director Easterly, can we send you a T-shirt?

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, August 6, 2021. 

Dave Bittner: The U.S. Federal Trade Commission warns those receiving unemployment insurance benefits that a smishing campaign designed to scare them into compromising their devices and their data is in progress. The FTC sensibly observes, quote, "state agencies do not send text messages asking for personal information," end quote. It's a petty, cruel scam conducted with typical criminal opportunism. People receiving or trying to arrange unemployment insurance already have troubles enough. They're likely to be negotiating an unfamiliar bureaucracy, and for all they know, maybe they do need to click some link and submit the information the text is asking for. If you're getting unemployment benefits - well, first, good luck with your job search and take care of yourself. But second, don't pay any attention to text messages telling you the state needs your Social Security number, your date of birth or your first pet's name. 

Dave Bittner: Spooked by recent U.S. woofing about retaliation against ransomware gangs, various criminal fora took steps to exclude ransomware content from their sites. This sudden discretion, Computer Weekly writes, seems not to be keeping initial access brokers from hawking their services as usual. They cite a report by security firm Digital Shadows, whose researchers write that C2C ad listings for IABs, as the initial access brokers are known, haven't diminished at all. In fact, they are up a bit. 

Dave Bittner: An alternative to buying from initial access brokers is to corrupt insiders to give you access to networks. The LockBit gang, BleepingComputer says, is doing just that. The gang has posted an ad that reads, in part, "would you like to earn millions of dollars? Our company acquire (ph) access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company; for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. Companies pay us the foreclosure for the decryption of files and prevention of data leak," end quote. They even guarantee your privacy. 

Dave Bittner: As this year's Black Hat conference winds down, we've got one more check-in from the show floor to share. Chris Jacob is global vice president, threat intelligence engineers at ThreatQuotient, and he joins us with a look back at Black Hat. 

Chris Jacob: I would have to say that the show this year has been better than I expected. I was a little concerned that it was going to be 100% vendors and no actual participants. But as it turns out, it was, I think, the same ratio that it normally is just a bit smaller. And smaller was OK this year. It was nice to have a more intimate show, to really get to spend some time with people. Things weren't too crowded. It was easy to have conversations. And, you know, really, the community, I think, needed this to be able to catch up. 

Dave Bittner: You know, I heard from a number of vendors on the show floor who said that while it wasn't particularly crowded, that it gave them the opportunity to have more in-depth discussions than they might otherwise have been able to have. 

Chris Jacob: Yes, 100% right. I mean, that - I couldn't agree with that sentiment more. I mean, it - you get to spend a little more time with everyone. You get to have a little more in-depth of conversation. And you mentioned the show floor specifically. The show floor - when we say things were a little smaller, the show floor fits well into that category. And so you have to wonder if that big booth - you know, big-booth vendor approach is really going to stay around as we, you know, navigate what's becoming this new reality here. I think that, you know, a lot of vendors are probably going to see that standing in a booth may not be as effective as being able to, again, meet up at the local coffee shop or grab lunch with some of their prospects and customers. 

Dave Bittner: Overall, how did you feel the tone was of the show this year? Were people in good spirits, despite the sort of shadow that COVID has cast on so many things? Were people's spirits up? 

Chris Jacob: Yeah, I think so. I think people were happy to get back together. It's been a long time since - you know, since we've been able to get together as a community. I think that there was a lot of willingness to - you know, I didn't see any issues with people wearing masks and trying to stay safe. And everyone is just so excited to get the infosec world back together that the slight inconvenience of needing to wear a mask when in public, I think, was fine. And yeah, the tone was great. People are happy to get back to something that looks like normal. 

Dave Bittner: That's Chris Jacob from ThreatQuotient. 

Dave Bittner: The criminal economy depends on a lot of gig workers for lower-level tasks, including some coding and administration, a study by the Czech Technical University finds. ZDNet has a discussion of a Black Hat presentation that takes this finding and suggests that one way of disrupting this part of the criminal economy might be to offer better, legitimate gigs. After all, these gang associates are neither highly motivated nor highly compensated. With the right opportunity, they might well drift out of crime as they drifted in. 

Dave Bittner: And what about criminal affiliates? A lot of cybercrime is organized as an affiliate network, sort of an evil Amway. Not all is well in these precincts of the C2C markets, however. The Record reports that a Conti affiliate, disgruntled over their relatively slim share of criminal profits, has leaked the gang's technical manuals. Take that. And maybe offer the affiliates a chance to sell laundry soap. 

Dave Bittner: We've heard a lot about the pious, Robin Hood-esque promises from some ransomware groups to target only rich corporations, not individuals, and to leave critically important targets alone. Sometimes there's an approach to honesty in such avowals, as there was in BlackMatter's explanation that their target selection was based on a cost-benefit calculation. If various governments get steamed enough, BlackMatter will draw more scunion (ph) on themselves than they can handle, and they want to avoid that. There is, after all, all that aforementioned American woofing. But only the naive would take the ransomware gang's pledges of respect for public safety, reliable health care delivery and so on for anything better than this kind of mendacious, self-serving marketing. And indeed, there's evidence that health care very much remains on the criminal menu. Why wouldn't it? They're criminals. 

Dave Bittner: Italy continues to investigate an incident at the Lazio regional COVID vaccine scheduling service. According to Becker's Hospital Review, Indianapolis-based Eskenazi Health has suffered a ransomware attack that's forced it to take many services offline and divert ambulances from its facilities. And, the Argus Leader reports, Sanford Health, serving the Dakotas, has also sustained a ransomware incident. Which strains of ransomware were involved in these incidents isn't publicly known. 

Dave Bittner: And finally, DHS and its CISA unit are at Black Hat, represented by both Homeland Security Secretary Mayorkas and CISA Director Easterly. They're inviting hackers, the good kind of hackers, to consider a security job with the government. And they're also talking up their recent public-private partnership efforts. There's clearly a tradition emerging at CISA, young agency as it is. The directors are going to be known for their fashion. The first director, Christopher Krebs, was famous for his gaudy but natty socks. His successor, Jen Easterly, turned up at Black Hat in dragon-patterned jeans and, we hear, a black Free Britney T-shirt. The Washington Post liked her message, but The Post loved her style. We expect more of the same in years to come. Top hats? Doc Martens? Whatever it is, enjoy. 

Dave Bittner: I recently spoke with Anup Ghosh, CEO at Fidelis Cybersecurity, about the notion of hacking back and why it's a controversial topic. Anup Ghosh returns today with part two of that conversation with insights on active defense. 

Dave Bittner: Today, we are going to be talking about the notion of leveraging active defense. Can we start off with some high-level stuff here? I mean, can you sort of define for us - what do you consider to be active defense? 

Anup Ghosh: Yeah, and this is important because active defense, for a long time, has meant one thing in the Department of Defense, and recently, it's being co-opted in the commercial sector to mean something slightly different. So for those who have worked in the Department of Defense and Cyber, they define it as employment of limited offensive action and counterattacks to deny a contested area or position to the enemy. And notice that's not really specific to cyber, but it's clear this is talking about offense. And of course, private individuals and companies don't have the legal authority to take offensive action, so that definition doesn't really work in the private sector. 

Anup Ghosh: More recently, MITRE has put out a definition around active defense that's being more widely adopted by the larger community. And what they describe it as is a range of cyberdefense capabilities from basic defense to cyber deception and adversary engagement operations. And that's one of the keys here - right? - is it allows an organization to not only counter current attacks but to learn more about the adversary and better prepare for new attacks in the future. That's the end of the quote. The key here is that you can actually employ techniques from standard detection sensors that you might put in the network through deception so that when an adversary starts to attack you, you're beginning to collect on the adversary, point one, and, point two, you can introduce costs and complexity to the adversary. As they go about discovering your network, you're creating a false view of the network that can then entrap them. And that's how MITRE is defining active defense, is employing adversary engagement early in the life cycle and deception to confuse the adversary. 

Dave Bittner: So just to be really crystal clear here - I mean, there's a lot of discussion and a lot of back-and-forth about the notion of hacking back. And that's not what we're talking about here. 

Anup Ghosh: That's correct. And as we discussed, you know, the private sector doesn't have the legal authorities to hack back, not to mention that there's a lot of things that are likely to go wrong if you try and hack back, right? But there are - that doesn't mean you're powerless. And that's where active defense comes in, is to say, look; there are things you can do. It is a - adversary engagement is a mentality. Sort of the opposite of this is, if you're just triaging alerts, you're not really doing adversary engagement. Adversary engagement is sort of an organizing principle, right? And so the whole idea is to say, now that I can see there are symptoms of an attack going on, how do I piece these together to understand what the adversary is doing, what their next move likely is? And the more advanced stage of active defense is actually seeding the network with fake users, with fake devices, fake file systems and even documents that can be active that reveals more about the adversary. 

Dave Bittner: So the notion here is, as you say, I mean, a good bit of misdirection, that if someone does make their way into my network, they may think they've made their way into my network, but actually they - we're going to keep them busy somewhere else. 

Anup Ghosh: Yeah. I mean, oftentimes, they do legitimately get on to your network. I don't mean legitimately, but they will find their way onto the network. And the - you know, that's when a defense really can leap into action, which is to create a view of your network that is actually false. So populating dark IP space with devices - they're virtualized, but from an adversarial point of view, they look the same. Even manipulating the Active Directory, that's oftentimes a target with fake credentials - right? - so that an adversary who downloads an Active Directory and then proceeds to compromise these credentials and use them is a clear indicator that there is an adversary on the network. We will see pings, IP space, that should be dark that's not dark. We can put in place servers and file shares that are not legitimate. And in the case of ransomware, where they are in fact scanning for file shares and begin to encrypt, we can actually create these recursive file directory systems that keep them busy, effectively, infinitely while you can take - while you can respond and isolate that device on the network. And the point of all this is to say you should take an active defense mindset, understanding the adversary is going to get in your network. And now it's really about laying these traps, laying these breadcrumbs, which we do by populating directories on actual assets with breadcrumbs to fake assets to entrap them and move them away from your actual valuable assets you don't want them accessing. 

Dave Bittner: What is the value proposition here? I mean, I can imagine someone looking at something like this and saying, well, this adds complexity. Here's a whole nother virtual network that I need to manage. What's the value side of it? 

Anup Ghosh: Yeah, I love that, because almost everything we do in defense adds cost and complexity to the defender. And that's sort of your point, which is, hey, I now have another network to manage, you know, more cost. I think deception technologies and its proper role in active defense actually creates and adds complexity to the adversary. It's actually not a network you need to manage because it's completely, you know, it's not an operational network that you need to manage users. It's managed by a deception solution. But from an adversarial point of view, it looks the same, right? 

Anup Ghosh: So if I find myself on to a network as an adversary, one of the first things I need to do is discover what's on this network. And that's the advantage that the defender has over the adversaries. You know your network. And you can now seed your network with fake assets that the adversary doesn't know, you know, the proverbial canary in the coal mine. And so when an adversary starts to discover your network and starts to engage with these fake assets, you're tipped off, right? And you can go as far as to lure them into a fake virtual network. 

Anup Ghosh: And what you've actually done by lacing networks with these deceptions, you've changed the cost model for the adversary, right? By exposing themselves, you've made it harder for them to sneak around. And now they have to start thinking about more carefully, am I on a network where I might get caught, right? I think changing that equation, that cost equation, adding complexity to the adversary is a game-changing approach. And that's where active defense comes in. 

Dave Bittner: That's Anup Ghosh from Fidelis Cybersecurity. 

Dave Bittner: And I'm pleased to be joined once again by Thomas Etheridge. He's senior vice president of services at CrowdStrike. Thomas, it's always great to have you back. You know, we've been seeing this ongoing shift, particularly in the world of ransomware, towards not just locking up folks' files, but also having an extortion component to that. Can you share with us - what are you and your team tracking on the extortion front? 

Thomas Etheridge: Absolutely. Thanks, Dave, and appreciate being back, talking to you. One of the things we noticed in the last year and a half, and it's been reported in both our front lines report as well as our global threat report, is the - it's not a new tactic, but it's certainly a tactic that we've seen threat actors increase their leverage of where, once they gain access to an organization's infrastructure, rather than focus on encryption of key assets right away, they'll make additional attempts at trying to exfil critical data from some of the systems and stores within their environment to be able to leverage that for an extortion attempt. 

Thomas Etheridge: So it's - they'll make their first attempt after they encrypt resources to try to gain a payment. And if that fails, they then go back to the organization and threaten to release that data publicly or to a competitor in order to force the organization to be able to pay a ransom. And that's something we've been reporting on pretty consistently for the last year and a half. 

Dave Bittner: Isn't this, by its nature, a little - I don't know - noisier within someone's network, this attempt to exfiltrate data, not just lock it up? 

Thomas Etheridge: Well, Dave, I think most - in most cases that we've seen and that we've been reporting in, the threat actor group has had pretty wide and deep access using living-off-the-land techniques and other stealthy methods to be able to stay in the environment for enough time to understand where those critical assets and where that critical information exists, in many cases potentially compromising email platforms to listen in on conversations and email traffic back and forth about where some of that information resides within the organization. So being able to get that deep within an organization very quickly and being able to understand how they're going to leverage that data from extortion and from a ransom perspective is something we've seen pretty prevalent in the last year-plus. 

Dave Bittner: You know, the advice for a long time for protecting yourself against ransomware certainly was having backups. What do you recommend with extortion? How do folks best protect themselves? 

Thomas Etheridge: One of the things that we strongly encourage is the leverage of, you know, kind of that next-generation endpoint security technology, continuous monitoring, making sure that organizations are able to not only detect but be able to remediate malware drops that happen on their endpoint infrastructure before the threat actor is able to take advantage of those tools that they've deployed to be able to traverse the network undetected and/or impact critical servers in the environment. 

Thomas Etheridge: So backups are really important. Having those backups stored in an offsite or off-network secure location is definitely a recommendation that we provide to our customers. But having some of those advanced tools, monitoring for these threats in real time and being able to remediate a threat when you first see an instance of attackers' tools or malware being deployed on the environment before the attackers are able to compromise or take advantage of that malware is something we would highly recommend. 

Dave Bittner: While you and your team are tracking this, what do the curves look like? I mean, is this a problem that's growing in prevalence? Where are we with that? 

Thomas Etheridge: Well, I think data extortion is not new to 2020 or 2021. It's a little bit of a departure from the traditional big game hunting operations that we've reported on previously in that it's being accelerated by some of these e-crime threat actor groups to try to increase the likelihood of a payment. And how big of a business it is and how prevalent it is can probably be indicated by the number of dedicated leak sites that are associated with specific ransomware families that have been stood up to provide a mechanism to make data that's been stolen from an organization available for sale. 

Thomas Etheridge: In the last reporting we had on this in our Global Threat Report, we saw that at least 23 ransomware operators in 2020 had adopted this data extortion approach, the most prevalent of which we saw impacting industrial and engineering sector as well as the manufacturing sector, where about 228 incidents that we covered were reported against that particular vertical. Manufacturing in particular is especially vulnerable because not just encrypting the servers but pulling data really disrupts day-to-day operations and could affect, you know, not only that core business but downstream businesses as well. So we're really seeing this tactic pick up in the market. 

Dave Bittner: All right. Well, Thomas Etheridge, thanks for joining us. 

Thomas Etheridge: Thank you, Dave. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. Find out more about sponsoring our programs at 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're building the next generation of cybersecurity teams and technologies. Be sure to check out this weekend's "Research Saturday" and my conversation with Asheer Malhotra from Cisco Talos. We're discussing InSideCopy and how that APT continues to evolve its arsenal. That's "Research Saturday." Check it out. 

Dave Bittner: Our amazing CyberWire team is Tre Hester, Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.