Notes from the underground: data breach extortion and a criminal market shuts down. International cooperation against ransomware. Cyber risk and higher education.
Dave Bittner: Data breach extortion seems to be an emerging criminal trend. Notes on a darknet market’s retirement. Verizon advises Visible users to look to their credentials. Windows users’ attention is drawn to seven potentially serious vulnerabilities. The Necro botnet is installing Monero cryptojackers. Organizing an international response to ransomware. Carole Theriault shares thoughts on social engineering. Dinah Davis from Arctic Wolf on the supply chain attack framework. And a quick look at the state of cyber risk in higher education.
Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Thursday, October 14, 2021.
Dave Bittner: Ransomware has, over the last two years, evolved to the point where double extortion - that is encryption by ransomware accompanied by data theft and an attendant threat to release stolen information - has become the expected norm in such criminal attacks. But we may be seeing the beginning of a further trend in which criminals don’t even bother with ransomware, but simply go for data theft.
Dave Bittner: NCC Group describes an extortion operation that skips the customary ransomware stage of the process. SnapMC, which NCC Group says it's been unable to link to any other known actor, is simply moving directly to data theft, with no encryption of the victims' data. This probably represents a trend, as more gangs can be expected to engage in data breach extortion. This kind of attack requires even less technical capability than the already highly commodified ransomware attacks need.
Dave Bittner: The criminals’ calculation of return-on-investment would be interesting to unmask. Can they make more from extortion than they could simply by selling stolen information? Apparently so, which suggests that some forms of data, at least, are of more value to the organization that owns them than they are to the criminals or, as sometimes suspected, the competitors who might buy them.
Dave Bittner: GroupSense emailed us late this morning to share an observation about the darknet. One of the larger underworld markets, White House, has announced its retirement. GroupSense wrote, quote, "Administrators - the persona, Mr. White - said we have reached our goal and now, according to plan, it’s time for us to retire. The admins also said that user registrations and orders have been disabled." We shall see what becomes of them, if in fact they’re really gone for good.
Dave Bittner: The Record had earlier noticed the underground market’s retirement. White House is, or was, a darknet contraband market that slid into the criminal ecological niche left behind by the 2019 departures of the Dream Market, in an exit scam, the Empire Market, evidently a retirement, and Valhalla and the Wall Street Market, both of which were taken down by U.S. and European authorities.
Dave Bittner: GroupSense characterized the White House as a place where you could buy basically anything you probably shouldn’t be buying. Bryce Webster-Jacobsen, GroupSense’s Director of Intelligence Operations wrote, quote, "The market sells many products across categories like drugs, fraud, software and services. Drugs like fentanyl, which are banned on almost all other marketplaces, is available here. Fraudulent items include credit card details, login and bank details, and services include things like hacking, custom-made fake documents and much more," end quote.
Dave Bittner: Why might the White House be shutting down? Probably not because they’re moderate types who’ve decided they’ve made enough money. As GroupSense’s Webster-Jacobsen puts it, quote, "The administrators were being pursued heavily by authorities, so that likely also played a role in their decision to shut down. It is rare for marketplace administrators to announce their retirements, but perhaps they are trying to preserve a positive reputation with their customer base should they decide to start a new venture," end quote.
Dave Bittner: That seems right. Look at the difficulty REvil has had reestablishing what passes for trust in criminal circles. Since Nature seems to abhor a criminal vacuum as much as she does the other kinds, it will be interesting to see what emerges to fill the void left by the White House. It may well be the White House, perhaps under another name. Number 10? Who knows.
Dave Bittner: The White House contraband market, should you be wondering, is as far as anyone knows unconnected with the Executive Mansion in Washington, which is where the U.S. President lives it up.
Dave Bittner: Verizon recommended yesterday that users of its Visible wireless service should change any Visible usernames and passwords they may have used to access other sites or services. Quote, "Our investigation indicates that threat actors were able to access username, passwords from outside sources and exploit that information to log in to Visible accounts. If you use your Visible username and password across multiple accounts, including your bank or other financial accounts, we recommend updating your username and password with those services," end quote.
Dave Bittner: The Record says Verizon denied any compromise of its backend infrastructure. The attackers who obtained access to customer accounts appear, Fierce Wireless reports, to have used credentials obtained from other sites in other breaches. And so it's another reason to avoid reusing credentials.
Dave Bittner: Security firm Field Effect says that they have identified a cluster of seven Windows zero-days the security firm refers to collectively as Blackswan. Six represent a privilege escalation risk. The seventh the researchers characterize as an information leak vulnerability. Field Effect thinks the vulnerabilities should motivate users toward greater diligence with respect to patching. Microsoft - a CyberWire sponsor - has patched all seven of the issues between July and October of this year, so fixes are readily available.
Dave Bittner: The Necro bot, a Python bot, is actively installing a Monero cryptojacker in vulnerable Visual Tools DVR VX16 instances, Juniper Networks reports. Necro works in both Linux and Windows environments.
Dave Bittner: From CyberScoop's account, it appears that the theme of the U.S.-convened conference on ransomware is that the threat is transnational and therefore demands an international response. CyberScoop quotes U.S. National Security Adviser Jake Sullivan as saying at yesterday's sessions, quote, "no one country, no one group can solve this problem. Transnational criminals are most often the perpetrators of ransomware crime, and they often leverage global infrastructure and money-laundering networks across multiple countries, multiple jurisdictions to carry out their attacks," end quote.
Dave Bittner: The gangs may be transnational, but there seems to be little doubt that they receive a safe harbor and arguably a degree of toleration and encouragement from various states, especially Russia, which is most often mentioned in dispatches as the principal enabler of ransomware groups.
Dave Bittner: Australia's government has used the occasion of the conference to explain its own national approach to ransomware, which its published strategy characterizes as aiming to make Australia a harder target for this particular kind of attack. The legislative goals of the strategy are worth noting. First, introducing a specific mandatory ransomware incident reporting to the Australian government; introducing a stand-alone offence for all forms of cyber extortion; introducing a stand-alone aggravated offence for cybercriminals seeking to target critical infrastructure as opposed to being regulated by the Security Legislation Amendment; modernizing legislation to ensure that cybercriminals are held to account for their actions and law enforcement is able to track and seize or freeze their ill-gotten gains. Comparable laws are likely to emerge in other nations concerned about controlling ransomware.
Dave Bittner: And finally, Moody's Investor Service has released a sector report in its series of global cyber-risk issuer surveys that looks at higher education. Some of the trends they note are unsurprising. Cloud adoption by colleges and universities is up, for example, as it is in most other places. Others are less obvious. Private institutions, for example, are spending more on cybersecurity than are their public counterparts. Moody's thinks this is probably due to public universities' greater willingness to rely on government-provided protection.
Dave Bittner: And institutions of higher education are buying cyber insurance, too. As Moody's puts it, among universities that carry stand-alone cyber insurance, the most common policies include coverage of ransom payments, incident response, business interruption and regulatory fines. That is, colleges and universities are transferring about the same kinds of risk that other businesses are insuring themselves against.
Dave Bittner: Chances are you or someone you know has been the target of social engineering. And increasingly, those seeking to do wrong are targeting specific high-value executives within an organization. Our CyberWire U.K. correspondent Carole Theriault shares this commentary on how bosses need to be mindful that they aren't inadvertently part of the problem.
Carole Theriault: In a recent conversation with Chris Kirsch, who's a social engineering expert - in fact, he is one of the winners of DEF CON'S social engineering capture the flag competitions - I asked him, you know the question we ask all people that are experts in this space - what can people do to protect themselves? What should people look out for? Well, look. First, let's listen to what he said. And then let's chat a bit about how bosses can help or hinder cybersecurity.
Chris Kirsch: The first one is if anybody calls you and you don't know them, like you don't know them by their voice or know exactly who they are and you'd recognize them, say, hey, can I call you back? Right? I'm sorry. Can you give me 10 minutes? I'll call you back. That allows you to verify their identity, to call them back on a known number. They might give you a number because otherwise you're calling them back on their line. You haven't gained anything. But if you're able to verify that number on a public resource, on the company web page, for example, and call them back, now you have a verified connection. Right?
Chris Kirsch: Another thing is if anybody puts time pressure on you to do something right then and there, often combined with emotional pressure - so hey, I'm a CEO, and we have to get this out for the board meeting right now. Of course you want to be helpful. Even if it's the CEO or the assistant of the CEO, if you say, hey, I'm sure you're aware there are a lot of people out there that are scamming companies in this way. I just want to make sure that we're doing the right thing. I will prioritize this on my list. I will get back to you immediately. I just want to make sure that this is a legitimate call. I think you won't ever get into trouble for that because I think there is more times where the person who's calling you is actually a scammer in these situations than a real emergency that needs to be handled then and there.
Carole Theriault: And I would say, you know, shout to all the bosses out there. You know, if you kind of call someone and they ask to verify you, you don't go scream at them saying, don't you know who I am? Right?
Chris Kirsch: Exactly, yeah.
Carole Theriault: Support that employee of putting that extra hurdle in place that might stop you actually getting ripped off.
Chris Kirsch: Yeah. If somebody's getting angry at you and putting on more pressure, I would say it's often a sign that they're probably not legitimate because they're trying to increase that emotional pain for you, right?
Carole Theriault: I spent years and years doing cybersecurity training, both inside a cybersecurity global firm and outside for all types of organizations in different industries. And I can tell you that the worst trainees are the bosses. It seems as though the more senior you are, the more self-important you might feel and the less inclined you are to accept that your behavior needs to be moderated to put your company at less risk. And it's really frustrating because if a company does not have cybersecurity as one of its core fundamental responsibilities and is serving and trusting people, well, don't blame me if your reputation takes a hit when you get your name dragged through the press for being irresponsible. So I say, do the right thing. Do the training. Pay attention. And then repeat those tenets to your employees. That is how you build a solid culture of cyber awareness in an organization. This was Carole Theriault for the CyberWire.
Dave Bittner: And I'm pleased to be joined once again by Dinah Davis. She's the VP of R&D operations at Arctic Wolf. Dinah, it is always great to have you back. You know, supply chain issues have been in the news here, and I know it's something that you keep an eye on. I wanted to check in with you today. What is on your mind when it comes to supply chain attacks and the whole framework around that?
Dinah Davis: So we are seeing a ton of supply chain attacks coming in, and I think it's important that we understand how they happen. And the European Union cybersecurity report just recently came out, and they actually suggested a taxonomy for supply chain attacks so we could, you know, talk about them in a more constructive way, so you can compare them to one another. It's always helpful to kind of have that framework to do that. Plus, you know, I've got a math mind. And I just like putting things in boxes and, you know...
Dave Bittner: (Laughter) Right, right.
Dinah Davis: ...Making them (unintelligible).
Dave Bittner: Nice and tidy.
Dinah Davis: Yeah, nice and tidy. But I did like the framework. I think it helps simplify for people what a supply chain attack is. So there's basically four key elements in a supply chain attack. There's the supplier itself and the supplier's assets. OK? So let's - we'll use Kaseya as an example as we go through this. OK?
Dave Bittner: OK.
Dinah Davis: So Kaseya is a supplier of, you know, a networking management tool for customers. And their assets are their servers, is their code, is all of that kind of stuff, right? Then you have the customer and the customer assets, right? And so a supply chain attack usually is the attackers go after the supplier and some of the supplier's assets as a first attack. And the second attack is that they use those assets that they've compromised to get to the customer and then compromise the customer's assets, right? And so that's why I kind of liked this framework.
Dinah Davis: And you can think about it like, what are the attacks like to the supplier, and what are the attacks like to the customer? And a lot of the time, you know, the supplier attacks are around exploiting software vulnerability. But one aspect I never really thought of with the customer one is they're actually exploiting a trusted relationship. So there is some technical, you know, attack that they're going to do, like a malware infection or something like that in the case of Kaseya. But the biggest piece of it is they're attacking the fact that you trust your supplier. So you're not double-checking on things because...
Dave Bittner: Right.
Dinah Davis: ...You trust your supplier. So I like the framework there. It helps ground things. Some other interesting things that the report had was that there were at least 24 supply chain attacks from January 2020 to early July 2021 - big ones, right? And the other thing I think is kind of scary with supply chain attacks is they attack one supplier, and then how many customers do they get? It's...
Dave Bittner: Right.
Dinah Davis: It's a - there's a big multiplier effect on them.
Dave Bittner: Yeah. That trust issue, I think, is really kind of the ballgame here, I mean, because you think when you go through the trouble of choosing your suppliers, a big part of that is trust. And that could be their place in the marketplace. It could be their technical prowess. It could be a personal relationship that you have or built or anything like that. It's one thing to establish that trust, but then to have it go on, to maintain it over time - if I'm looking for my suppliers, is this a matter of checking in with them from time to time and saying, you know, hey, you need to demonstrate to me that you're meeting these standards?
Dinah Davis: Yeah, it absolutely is. So, like, any company should make sure they're identifying all of their suppliers, right? You want to make sure you know what your risks are with each supplier. So if you look at Kaseya, Kaseya's tool has admin access to your networks, right? And it needs to, to do its job. There's no way it can manage your network and not have that access, right?
Dave Bittner: Right. Right.
Dinah Davis: So you need to define where your risks are with the suppliers and then look at what requirements you're going to put in place. What's the contract you signed with them? If they are compromised, what's the repercussions on them? Do you get a big - you know, do they owe you a lot of money because they messed you up? Like, what are those things that are in place, right? And it's not easy. It's just not going to be easy because you...
Dave Bittner: Yeah.
Dinah Davis: ...Have to trust suppliers. You can't build everything yourself. So you do have to just look at what risks you're willing to take and what risks you are not willing to take.
Dave Bittner: Right. And - but I think that consideration - we're at the point now where that consideration needs to be a part of every business's plans is...
Dinah Davis: Yes.
Dave Bittner: What if one of our suppliers gets popped? Are we prepared for that? Will we be able to detect that? - and so on, right?
Dinah Davis: Yes, exactly.
Dave Bittner: All right. Well, Dinah Davis, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.