The CyberWire Daily Podcast 11.3.21
Ep 1452 | 11.3.21

Ransomware gangs talk about retiring, and about deception. High-level Russo-American talks. US sanctions four spyware vendors. CISA tells US agencies to patch known, exploited vulnerbalities.


Dave Bittner: The BlackMatter ransomware gang says that it's retiring under pressure from the authorities. The spokesman for the Groove group says his gang doesn't exist. He was just playing the media. Quiet, high-level talks held between senior U.S. and Russian officials. The U.S. Commerce Department's sanctions four spyware vendors. Carole Theriault wonders if you can train yourself free of social engineering. Josh Ray from Accenture Security with insights from their Cyber Investigations and Forensic Response team. And CISA tells federal agencies to get patching.

Dave Bittner: A quick program note - we are in the midst of the DataTribe challenge here at our studios today with cybersecurity startups competing for seed funding. So if some of the festivities bleed into our audio, that's why. 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, November 3, 2021. 

Dave Bittner: Group-IB reported this morning that the BlackMatter ransomware-as-a-service gang, apparently itself a rebranding of the DarkSide, has announced that it's shuttering its criminal business. The gang cited certain unsolvable circumstances associated with pressures from authorities as the reason for its decision to close. Rump services will continue for an indeterminate period of time in order to give its affiliates information and decryptors, but the final word to the affiliates is a farewell wish for their further success. Here's what they said - quote, "due to certain unsolvable circumstances associated with pressure from the authorities - part of the team is no longer available after the latest news - the project is closed. After 48 hours, the entire infrastructure will be turned off. It is allowed to issue mail to companies for further communication. Get decryptors. For this, write, give a decryptor inside the company chat where they are needed. We wish you all success. We were glad to work," end quote. So farewell BlackMatter - maybe. We can hope. 

Dave Bittner: But what of BlackMatter's affiliates, the ones the gang wished well in its valediction? They'll probably simply move elsewhere in the C2C market, where there is, for now, at least, no shortage of suppliers. The BlackMatter gang itself may or may not resurface in some form. Other criminal gangs are proving similarly protean. Take Groove, for instance, which appeared in online fora with some eclat on October 22, when a nominal spokesman called upon their business brothers for attacks against the real enemy - basically, the United States. The communique urged, stop competing, unite and begin to destroy the U.S. public sector. 

Dave Bittner: Anyhoo, the spokesperson or persons who go by the hacker name Boriselcin and Orange said it's all a goof. Groove, security firm Flashpoint reports, now says its call for attacks against the U.S. was simply designed to embarrass Western media. What's more, Groove adds, there's no such thing as itself, anyway. Groove, says its blog, is just a one-person operation, that the gang, as a gang, doesn't really exist, and that the whole thing was just an attempt to see whether it was possible to manipulate the Western media through a ransomware blog. 

Dave Bittner: In any case, the cybercriminals' name is Legion, and they shift, fracture, combine and rebrand themselves often. And goof or no goof, the call to destroy the U.S. public sector was howling that would be heard by various wolves, known, lone or unknown. So the distinction Mr. Orange draws may be one without a difference. 

Dave Bittner: Security firm Intel 471 told The Washington Post, quote, "while it's possible that a single actor concocted Groove as a way to troll security researchers and the media, we believe it's more likely that the actor's attempt to create their own ransomware group didn't work out as they had planned. It's also important to remember that the true identity and nature of any ransomware-as-a-service gang is not always clear, and the membership makeup or affiliates of these gangs can be fluid," end quote. 

Dave Bittner: Emsisoft's judgment is even harsher. The anti-ransomware specialists told the Post, quote, "there's no reason to believe that ransomware hackers are ever telling the truth about anything. The default assumption should be that they're lying or, at the very best, simply telling the pieces of the story they wish to become public," end quote. 

Dave Bittner: To return to BlackMatter for a moment, what might one make of its claims that they were feeling local pressure and the hint that part of the team is no longer available? There's been some speculation that recent, quiet efforts at conciliation between Russia and the U.S. in cyberspace may have been an occasion for Russian authorities to make a token gesture of goodwill by pressuring some of the less-favored gangs. U.S. Director of Central Intelligence William Burns met with a senior Russian security official yesterday to discuss a range of issues in the bilateral relationship. So DarkMatter may have been crowded. Or, of course, their statements to that effect may be so much smoke and mirrors. 

Dave Bittner: The U.S. Department of Commerce has sanctioned four companies for providing foreign governments spyware. NSO Group and Candiru, both based in Israel, have been added to the Entity List, as have Positive Technologies, a Russian firm, and the Computer Security Initiative Consultancy PTE, headquartered in Singapore. Of the two Israeli firms, Commerce said they were added to the Entity List based on evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics and embassy workers. These tools have also enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent. Such practices threaten the rules-based international order. 

Dave Bittner: Positive Technologies and the Computer Security Initiative Consultancy were placed on the Entity List after, according to Commerce, a determination that they traffic in cyber tools used to gain unauthorized access to information systems, threatening the privacy and security of individuals and organizations worldwide. The sanctions, Commerce explains, represent a move in support of human rights. Quote, "this effort is aimed at improving citizens' digital security, combating cyber threats and mitigating unlawful surveillance and follows a recent interim final rule released by the Commerce Department establishing controls on the export, re-export or in-country transfer of certain items that can be used for malicious cyber activities," end quote. 

Dave Bittner: CISA has issued Binding Operational Directive 22-01, which requires U.S. federal agencies to address known exploited vulnerabilities. The directive, which is accompanied by a new catalog of vulnerabilities, will require affected agencies to fix almost 300 known flaws identified between 2017 and this year. The bugs on the list are evaluated as a significant risk to the federal enterprise. The directive applies essentially to all federal civilian agencies other than the CIA and the Office of the Director of National Intelligence. The Defense Department also falls outside CISA's authority. 

Dave Bittner: Language has been introduced into the U.S. House version of the Defense Authorization Act that would add four new eyes to the familiar Five Eyes intelligence-sharing group, Defense One reports. Germany, Japan, India and South Korea would join the five anglophone powers in the current pact. It's not yet expansion, which, of course, all the Eyes would have to agree to, but rather a tentative move in that direction. Sponsors of the language in the House Intelligence Committee say expanding the group in this way would enable more effective cooperation against a common threat from China and would also update the intelligence-sharing agreement by moving it beyond its 20th century World War roots. 

Dave Bittner: CISA has issued two more industrial control system advisories. One report fixes in Sensormatic Electronics VideoEdge. The other describes an update to WECON PI Studio (Update A). 

Dave Bittner: Finally, the magazine Inc. has published its inaugural list of the 250 best-led companies in the U.S. Cloudflare, CrowdStrike, Exabeam, and KnowBe4 are all mentioned in dispatches. Congratulations to them all. 

Dave Bittner: Our U.K. correspondent Carole Theriault has been considering the role security awareness training plays in an organization's security posture. She files this report. 

Carole Theriault: OK, so let me put an argument out there for you listeners to noodle upon. And that thought is this - most of us are sitting ducks when it comes to social engineering. And I'm citing lack of experience as a main contributing factor. 

Carole Theriault: Let me just pivot from cybersecurity for a second to drive my point home here. So I live in the south of the United Kingdom, where it rarely snows. Like, for every thousand times a driver goes out, once will be snowy. And when it does snow, the roads become a mess, one, because the U.K. doesn't seem to have enough of machinery to clear the roads, but also because the average driver has no idea how to handle their car in snow. I mean, these guys were careening around corners like Jessica Rabbit sachets, or they glide through stop signs as though they're Tom Cruise in "Risky Business." 

Carole Theriault: But you know what? It's not their fault. If snow happens 1 in 1,000 times, how are they supposed to develop excellent reflexes and do those counterintuitive things like pumping on the brake rather than slamming on the brake when you hit ice? Sure, they may have studied a few pages of what to do in this type of weather when they got their license, but they have little to no experience of actually driving on snow, which means they have no muscle memory, which means I don't want to be on the roads in the U.K. in a snowstorm. 

Carole Theriault: Now, apply this to social engineering scams. Let's say for every thousand interactions that an average businessperson has, one is using social engineering tactics to gain a snippet of information. How the heck is the average user supposed to spot these, even if they did watch a 30-minute presentation on cybersecurity 18 months ago? The likelihood is that they will give away that snippet of information without a second thought because in the other 999 interactions, they would have been praised or thanked, at least, for providing reliable information so quickly and calmly. 

Carole Theriault: So I categorically do not blame the person who is being duped by a scam, especially if they don't have hands-on on experience in dealing with them. So if you want to make your staff part of the social engineering defense, don't just rely on a presentation that's given every six months or so. Consider testing them regularly. Let them know this will happen so they are extra vigilant. Make sure they have the information as to what they should do precisely if they have that niggly feeling that something isn't all OK with the communication they have had or are having with someone, be it by phone, by email, on a Zoom call, it doesn't matter. I mean, you don't become proficient in driving in snow by watching "Fargo," right? You need to get behind the wheel and feel your way through it with an expert beside you, ideally. This is Carole Theriault for the CyberWire. 

Dave Bittner: And I'm pleased to be joined once again by Josh Ray. He is managing director and global cyber defense lead at Accenture Security. Josh, it is always great to have you back. You know, I know you and some of your colleagues over at Accenture on the Cyber Investigations and Forensic Response Team recently released some information - a mid-year review of some of the things you all have been tracking. Can you bring us up to date here? What attracted your attention in the report? 

Josh Ray: Absolutely, Dave. And thanks again for having me back, as always. And I think, you know, the listeners here will find some of these statistics startling, but maybe not overly surprising to those that are in the mission space. So the team actually found that global activity jumped 125% in the first half of 2021 compared to the same period last year. And that's - I mean, that's a pretty startling figure. And what we found was that this triple-digit increase was really driven primarily by a lot of web shell activity and targeted ransomware and extortion operations, as you can imagine, but also, as we've seen, a significant increase in supply chain intrusions. From an industry's perspective - which I thought was actually pretty interesting - that the consumer goods and services were targeted the most often. And this really accounted for about 21% of all the cyberattacks that we saw, and that was closely followed by industrial and manufacturing and banking, traveling and hospitality industries. So that's kind of interesting. I could speak a little bit more about the geographic piece and things like that, too, if that's of interest. 

Dave Bittner: Yeah, let's go through that. What sort of things did you find there? 

Josh Ray: Yeah, the - not surprisingly, I think, is that the U.S. was - actually made up about 70% of our incident volume. And it was the most targeted country, but again, followed very closely by both U.K. at 24% and Australia. And from really a category, you know, standpoint, as I mentioned before, ransomware and extortion operations continue to really reign supreme here. But we found that about 85% of the companies that were being targeted had an annual recurring revenue of north of a billion dollars, which to me is really a strong indicator that this notion of big game hunting is very much alive and well for the threat. 

Dave Bittner: Yeah, that's interesting. Now, was there anything that stood out to you as being kind of an outlier? Was there anything in the data that you all gathered that was surprising or unexpected? 

Josh Ray: Well, you know, I think as the world, I guess, with quotes, "kind of begins to normalize from the pandemic," there were really three scenarios that kind of jumped out at us. And really, what we think is that as things start to ramp up, we really will start to see an increased trend in upward activity targeting against consumer goods and services, but especially travel and hospitality. And this is tough because these are industries that are already really kind of reeling from staff shortages, especially from an infosec standpoint. And the second one - probably no surprise - but notice the heightened awareness around government action and lots of industry collaboration. Ransomware is still going to be a top threat to businesses globally. And what we've seen is that actors are actually really adopting stronger pressure tactics and going right to much more aggressive extortion techniques as well, too. And then I think finally, really what we'll finally see is that this notion of supply chain and product weaknesses as the threat really looks to continue to enable persistence operation is also going to continue, I think, well into the next calendar year as well. 

Dave Bittner: All right. Well, interesting insights as always. Josh Ray, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.