The CyberWire Daily Podcast 8.25.21
Ep 1404 | 8.25.21

Hacktivism in Belarus. The Taliban’s data grab. Four rising ransomware operations. The White House cybersecurity summit with industry leaders is in progress.


Dave Bittner: Politically motivated hacktivism in Belarus. The Taliban's data grab in Afghanistan. Four rising ransomware operations. Mike Benjamin from Black Lotus Labs on UDP reflectors. Our guest is Chris Grove of Nozomi Networks with insights on OT and IoT security. And the White House says concrete announcements are expected after today's meeting on cybersecurity with industry leaders, so we're staying tuned.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, August 25, 2021. 

Dave Bittner: We've recently seen episodes of what appear to be politically motivated hacktivism in Iran, evidently intended to discredit or otherwise inconvenience the government of the Islamic Republic. At least two groups, Indra and Adalat Ali, have claimed credit for actions against, respectively, support systems for passenger rail and closed-circuit television feeds at a prison. Other groups have appeared in other countries. Dissident hacktivists appear to have intensified their efforts against the government of President Lukashenko. The Belarusian Cyber Partisans, Bloomberg reports, claim to have compromised a large number of official databases, including lists of alleged police informants, personal information about top government officials and spies, video footage gathered from police drones and detention centers and secret recordings of phone calls from a government wiretapping system. They've released some of these publicly, and Bloomberg says that they've shown some of the rest of their take to Bloomberg, enough to convince them that the Belarusian Cyber Partisans have indeed obtained at least a significant fraction of what they claim to have taken. 

Dave Bittner: Releasing lists of informants or personal information about government officials and operators is always a serious matter, whatever one thinks of the much-criticized Belarusian regime, generally regarded as the last traditional dictatorship remaining in Europe. Doxing has consequences for its targets, even in societies with strong civic institutions and a tradition of the rule of law, neither of which are to be expected in most parts of the near abroad, least of all in Belarus. Compromise of such information is unlikely, in the long run, to play out benignly in Minsk. In any case, the Belarusian Cyber Partisans' aim is the overthrow of President Lukashenko's regime. The Cyber Partisans said, quote, "Operation Heatwave is part of a general plan to free the Belarusian people from tyranny," end quote. That the hack they claim to have carried out actually took place in some form isn't in doubt. Last Wednesday, the Moscow Times reported the Belarusian court designated the Cyber Partisans as an extremist organization, taking official notice of their cyber operations. 

Dave Bittner: The fact that data can be toxic, whatever government collects it, may be seen elsewhere. Concern persists over the growing likelihood that the Taliban will exploit data seized from the wreckage of the former U.S.-supported Afghan regime. Politico reports on the ongoing U.S. effort to contain the damage. Their story observes that, quote, "Telecom companies store reams of records on who Afghan users have called and where they've been. Government databases include records of foreign-funded projects and associated personnel records, and stashes of biometric data, like fingerprints, make people easy to identify," end quote. 

Dave Bittner: Much of this data, the biometrics aside - which are of a different nature and more directly related to security and intelligence - are of the sort routinely gathered in the ordinary course of doing business. Telcos keep call records, for example, and project managers have to account for how they're spending their resources and on how their projects are doing with respect to cost, schedule and performance. Even the U.S. had to scramble to either destroy or evacuate records it held on the ground. It's unlikely that the former regime even reached the point of scrambling, and the Taliban is thought unlikely to show restraint in exploitation of whatever it can collect. 

Dave Bittner: Palo Alto Networks' Unit 42 describes four rising ransomware operations - Hive, HelloKitty, LockBit 2.0 and AvosLocker. The gangs behind them run complex and effective extortion campaigns. Unit 42 expects them to become increasingly prevalent. Palo Alto writes, quote, "AvosLocker is ransomware as a service that started operations in late June, using a blue beetle logo to identify itself in communications with victims and press releases aimed at recruiting new affiliates," end quote. Its operations claimed to have counted coup against the organizations in Belgium, Lebanon, Spain, the U.A.E., the U.K. and the U.S. Their initial ransom demands have run between $50- and $75,000. The researchers say that Hive Ransomware is double-extortion ransomware that started operations in June. Hive uses all tools available in the extortion tool set to create pressure on the victim, including the date of initial compromise, countdown, the date the leak was actually disclosed on their site and even the option to share the disclosed leak on social media. 

Dave Bittner: HelloKitty isn't a true newcomer, but it's on the rise in any case. Palo Alto says they've tracked it since 2020. It began as a Windows shop, but last month it fielded a Linux variant that worked against VMware's ESXi hypervisor, a product that's widely used in cloud and on-premises data centers. HelloKitty asks for a lot, as much as $10 million, but the researchers say the gang has so far been paid only three times and that their total take has amounted to around $1.5 million. LockBit 2.0 is the venerable operator coming in at a positively hoary, by gangland standards, 3 years of age. Like AvosLocker, it's a ransomware-as-a-service provider. Palo Alto regards their marketing to potential new affiliates as particularly slick. They claim 52 victims among organizations located in Argentina, Malaysia, Australia, Brazil, Switzerland, Germany, Italy, the U.S., Mexico, Belgium, Austria, Romania and the U.K. 

Dave Bittner: U.S. President Biden has convened a meeting of industry leaders at the White House for discussions of ways of improving cybersecurity. According to The Washington Post, participants include the CEOs of Apple, Amazon and JPMorgan Chase, as well as CEOs from major insurance, energy and water companies. Representatives of computer education not-for-profits are also attending. The meeting has been planned for a month, and administration sources tell the Record that, quote, "You will definitely be seeing a set of concrete announcements." 

Dave Bittner: The team at Nozomi Networks recently released the latest version of their OT IoT security report, reviewing the incidents and trends they've been tracking in the first half of this year. I checked in with Chris Grove, security strategist at Nozomi Networks, for highlights from the report. 

Chris Grove: So first, the sector the most vulnerabilities have been found in recently is the critical manufacturing sector. So the types of devices you'll find in there are programmable logic controllers or called - they're PLCs. And they come from companies like Rockwell, Siemens and others. We're not throwing anyone under the bus here. I'm not mentioning them because they've had a certain number of vulnerabilities. But typically, the manufacturers you'll find in the operations side are not the same ones that we'll find on the IT side. 

Dave Bittner: Interesting. And are the issues here primarily ones of configuration? Or are there built-in vulnerabilities in these devices? Or is it a combination of both? 

Chris Grove: So it depends on where the operator is in their journey of what we call the IT-OT convergence, which is where the IT systems are sort of creeping into the operations side. And more and more things that the operations technology folks leverage nowadays sort of come from IT. Like, having authentication on a system is not something, typically, that they would have had before. So in order to bring it in, they would bring in IT-type technologies to get there. The problem is that the technologies are so different and the teams that work on them are so different that the languages that they use are - could be totally different as well. And so it's going to really depend on where they are in their journey. If they still have an IT cybersecurity team that doesn't know where the factory is, they don't know anyone out there at the plant, they're going to be more challenged to solving these types of problems than someone who has a fully integrated cybersecurity team on the operations side. And then they understand the ramifications of those vulnerabilities. 

Chris Grove: But if I just simplify it, generally, the operations technology vendors are producing what's called insecure-by-design products that these PLCs and these remote terminal units and this OT hardware is not designed to withstand an attack. It doesn't have built-in defenses. It doesn't have update mechanisms or authentication, even, built-in firewalling, virus scanning - none of that stuff exists in these industrial controllers. So the vulnerabilities that we find tend to be much more important because we rely on this hardened layer around that operations technology to protect it. So a vulnerability in an IT system could lead to something much worse. Just look at what happened to Colonial Pipeline, where an IT system came under attack. It was their scheduling system, which caused a problem on the OT side that resulted in the shutdown of the pipeline. 

Dave Bittner: So what are the recommendations here? How do you suggest that folks best go about defending themselves? 

Chris Grove: So first, a mature cybersecurity program is going to be the best defense. So start investing last year is the best... 


Dave Bittner: Right. 

Chris Grove: You need it in place before the incident happens. When you're in the midst of an emergency is not the right time to start shopping for defenses - doing tabletop exercises and asking the organization the tough questions that many times don't get asked. Like, we got breached. Let's - first, let's move to a post-breach mentality. Let's not pretend like our defenses are working. They got in. Just like these other hard targets, they get broken into. So let's stop pretending like it's never going to happen. Let's say that it happened. What do we need to move forward? What tools will we need? What data will we need? How do we recover these systems and get them back in our control? And then how do we make that whole process better? And in many cases, they're going to find out the things that they need were visibility. 

Chris Grove: They needed to know the blast radius of the attackers. How they got in, where did they go, where are they now, where are they lurking, and where are they going to emerge from once we clean this environment up? And then they're going to need backups, and backups not just for machines but operational backup. How do you restore operations when multiple components are down? And that's a little bit more than just putting data together. That's restarting a complicated machine. And then SaaS, software as a service. But the No. 1 thing organizations can do is, really, move to that post-breach mentality. Stop pretending like the defenses will always be there. We have to start thinking that the attackers are here today; we just haven't detected them yet. And whether it's nation-state actors or whether it's ransomware operators, their sophistication is much higher now than it used to be. And it's not a matter of if; it's a matter of when. So we have to really start preparing for that day. 

Dave Bittner: That's Chris Grove from Nozomi Networks. 

Dave Bittner: And I'm pleased to be joined once again by Mike Benjamin. He's the vice president of security and head of Black Lotus Labs at Lumen Technologies. Mike, it's always great to have you back. I wanted to touch base with you today on something we've been seeing a bit more in the news, and that's ransom DDoS - a little bit different. First of all, can you give us a little background? And describe to us, how do you define ransom DDoS? 

Mike Benjamin: Yeah, absolutely. So the ransom DDoS space - or you'll also hear it called DDoS extortion, just to remove confusion with ransomware - really is a place where an actor threatens to or actually does denial-of-service attack you as the victim and then demands money to not do it again. And so either by just the risk of it occurring or the proof that they can do it, they're hoping that you pay them financially to avoid further outage or further impacts to whatever it is they're trying to knock off the internet. 

Dave Bittner: Now, is this a new thing? I have a recollection of hearing of this sort of thing in the past. 

Mike Benjamin: Unfortunately, it's not new. We've been tracking this for a number of years. And most recently in the late summer last year, there was a large resurgence of this occurring. And really what's changed throughout time is whether they launch attacks, how big they are, how much money they ask for, things like that. So last year was unique that they were attacking the vast majority of the time. In years past, we had just seen them threaten. And this year, after a lull throughout the winter, we're seeing it come back. And again, they're attacking. And so rather than just sending an email and hoping to make a few dollars, they are causing impact, and they are launching attacks. And so similar to the campaigns we saw last year - but like you said, it did occur and then it stopped, and now it's back again. 

Dave Bittner: And what's going on in terms of being able to figure out who might be behind this? 

Mike Benjamin: Well, the work that we do at Black Lotus Labs - we are using network data in order to trace back where attacks come from. And that's true of malware. It's true of, you know, accessing a remote access Trojan, whatever it is, but also true of denial-of-service attacks. And so we work with other network providers, and we try to find where the origin of an attack is. And some attacks are straightforward because they come in an unspoofed manner, very often from a Linux system of some sort, often an IoT device or an IoT DDoS botnet. But in some cases, or the most common these days, is coming from a spoofed origin. And so it does require a little bit extra work in order to find where that spoofed origin is. And then to work with whatever that sort of stub of the internet is - that first front door into the internet - to make sure that they're deploying anti-spoofing technology and making sure that that first entrance can't allow that packet into the internet. 

Dave Bittner: When it comes to the DDoSing itself, what's the scale that we're talking about here? 

Mike Benjamin: Well, attacks in general these days can get into a relatively common occurrence of hundreds of gigabits a second. In the case of this particular actor, the last few weeks, what we've been seeing is more in the tens of gigabits. But if you think about your average connection to your average company, tens of gigabits is more than enough to cause a material impact to network connectivity. You know, thankfully for a larger infrastructure, that's not going to cause that big of an impact. But even folks with large capacity may have applications sat on a single server. Tens of gigabits of inbound traffic can cause a problem for most any server. 

Dave Bittner: And so what's your advice for folks to prevent this? 

Mike Benjamin: Well, the first is making sure that there's filtering on protocols that aren't needed as far upstream as possible. So the protocols that are used in those UDP attacks are what we would call reflection or amplification attacks, where a request is sent to a real server, but the response is sent to where the actors spoofed it from. And so - that being the victim. So major DNS servers, NTP, a number of other services will be the source of the packet. However, while we all do need DNS and NTP in most of our infrastructure, we don't need it on every IP address. And the actor is using things like Connectionless LDAP, Memcached, SSDP, these other protocols that most of us don't need at the perimeter of our network. And so filtering those entirely and then going back to the DNS and the NTP we do need and rate-limiting them to the point where if an attack does happen to hit the real place we pull our NTP or our DNS through, at least it's not knocking the entirety of the network connection down. So that's sort of step one is making sure the front door is as closed as possible. 

Mike Benjamin: The next is thinking about how to distribute applications and distribute infrastructure and put things in more places. Obviously, it's harder to attack something if it exists in more places. But at the end of the day, there does hit a volume. And while I said earlier that we see tens or hundreds of gigabits, we have seen terabits of attack traffic. At some point, it does require DDoS mitigation from an upstream. And at some point, it does need some help. But those other things can be there to help along the way. 

Dave Bittner: All right. Well, good advice, as always. Mike Benjamin, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.