The CyberWire Daily Podcast 11.8.21
Ep 1455 | 11.8.21

REvil operators arrested and indicted. China says a foreign intelligence service accessed passenger travel records. Suspected Emissary Panda campaign.
Dave Bittner: REvil operators are arrested and indicted. China says a foreign intelligence service accessed passenger travel records. Suspected Emissary Panda campaigns. Conti apologizes - sort of. Caleb Barlow thinks it's time to rethink your security documentation. Our guest is Jessica Hetrick of Optiv Security on cyberfraud running rampant. And the FBI warns of ransomware attacks targeting casinos.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, November 8, 2021. 

Dave Bittner: The U.S. Justice Department this afternoon unsealed indictments against two operators of the REvil ransomware. U.S. Attorney General Merrick Garland said a Ukrainian developer and operator of REvil ransomware, Yaroslav Vasinskyi, was arrested in Poland in August and is expected to be extradited to the U.S. for prosecution. The Justice Department says Vasinskyi was involved in the July attack against IT management software provider Kaseya. 

Dave Bittner: The Justice Department has also seized $6.1 million worth of cryptocurrency belonging to another alleged REvil operator, a Russian national named Yevgeniy Polyanin. The Justice Department said Polyanin has carried out 3,000 ransomware attacks. 

Dave Bittner: Europol also announced today the arrest of two suspected REvil operators in Romania. Europol stated, quote, "On 4 November, Romanian authorities arrested two individuals suspected of cyberattacks deploying the Sodinokibi/REvil ransomware. They are allegedly responsible for 5,000 infections, which in total pocketed half a million euros in ransom payments. Since February 2021, law enforcement authorities have arrested three other affiliates of Sodinokibi/REvil and two suspects connected to GandCrab. These are some of the results of operation GoldDust, which involved 17 countries, Europol, Eurojust and INTERPOL. All of these arrests follow the joint international law enforcement efforts of identification, wiretapping and seizure of some of the infrastructure used by the Sodinokibi/REvil ransomware family, which is seen as the successor of GandCrab," end quote. 

Dave Bittner: Europol added, "In October, one affiliate was arrested in Europe. Additionally, in February, April and October 2021, authorities in South Korea arrested three affiliates involved in the GandCrab and Sodinokibi/REvil ransomware families, which had more than 1,500 victims. On 4 November, Kuwaiti authorities arrested another GandCrab affiliate, meaning a total of seven suspects linked to the two ransomware families have been arrested since February 2021. They are suspected of attacking about 7,000 victims in total," end quote. 

Dave Bittner: China's Ministry of State Security, the MSS, says that an unnamed foreign intelligence service had accessed passenger travel records in 2020, the Record reports. The MSS said in a press release, quote, "After an in-depth investigation, it was confirmed that the attacks were carefully planned and secretly carried out by an overseas spy intelligence agency," end quote. 

Dave Bittner: A public statement by the MSS about a cyberespionage incident is unusual - naming and shaming haven't been Chinese practice. 

Dave Bittner: Naming and shaming represent, of course, a common Western practice, and over the weekend Palo Alto Networks' Unit 42 released a description of a targeted cyberespionage campaign against ManageEngine ADSelfService Plus. The vulnerability undergoing exploitation is the same one, Palo Alto says, that the Cybersecurity and Infrastructure Security Agency warned against back on September 16, but the campaign itself is distinct from the efforts cited in CISA's alert. In the case Palo Alto describes, the payload installs a Godzilla webshell and, in some cases, an NGLite backdoor. They also detected deployment of an uncommon credential stealer, KdcSponge. 

Dave Bittner: Unit 42 stated, quote, "As early as September 17, the actor leveraged leased infrastructure in the United States to scan hundreds of vulnerable organizations across the internet. Subsequently, exploitation attempts began on September 22 and likely continued into early October. During that window, the actor successfully compromised at least nine global entities across the technology, defense, healthcare, energy and education industries," end quote. 

Dave Bittner: Attribution remains preliminary and circumstantial, but Palo Alto Networks thinks the tactics, techniques and procedures look a lot like those used by the Chinese espionage group Threat Group 3390 - also known as APT27 or Emissary Panda. 

Dave Bittner: The Conti gang, who stole and dumped personal information from the upscale London jeweler Graff, now says they're sorry - not sorry in general, just sorry for stealing Arab royalty's personal data. They still intend to expose what they refer to as the U.S.-U.K.-EU neoliberal plutocracy. But Conti says, according to Vice, that, quote, "Our team apologizes to His Royal Highness Prince Mohammed bin Salman and any other members of the royal families whose names were mentioned in the publication for any inconvenience," end quote. 

Dave Bittner: BleepingComputer reports that the FBI has issued a private industry notification warning of an uptick in ransomware attacks against tribal-owned casinos in the U.S. Some of the ransomware gangs behind these attacks were REvil/Sodinokibi, BitPaymer, Ryuk, Conti, Snatch, and Cuba. The FBI also notes that ransomware attacks have targeted tribal governments, health care and emergency services providers and schools. BleepingComputer says the FBI cites "limited cyber investigative capabilities and law enforcement resources" as some of the reasons why these entities present attractive targets for ransomware actors. 

Dave Bittner: We speak frequently of the cyber kill chain, originally developed by Lockheed Martin and widely used across the cybersecurity industry as an effective way to enhance visibility into an attack and enrich an analyst's understanding of an adversary's tactics, techniques and procedures. Now, a team at Optiv has used the cyber kill chain as inspiration to come up with their own cyber fraud kill chain. Jessica Hetrick is senior manager of cyber strategy at Optiv, and she joins us to explain what sets it apart. 

Jessica Hetrick: So the cyber fraud kill chain is actually spawned out of the cyber kill chain. And most organizations call it fraud. And typically, most organizations will have a cyber team and a fraud team, but not necessarily focused on cyber fraud. Together, some of the more mature organizations that we're seeing do associate the two things together. And actually, fraud is equally as prevalent as ransomware. And the cyber fraud kill chain was originally developed by cyber incident responders who had to support basically the testing of an environment to understand the ways to potentially steal money from that organization. 

Jessica Hetrick: So think about it as - you know, as in pen testing, right? So the organization had asked us to test these different ways to determine exactly what types of TTPs - tactics, techniques and procedures - an organization would have to defend against. So when the incident responders started to work through the process, they realized that there's not really a significant change, necessarily, in the TTPs leading up to execution on objectives, but that - within a three-week period, almost 50 different ways of stealing money were identified through different various vectors, right? 

Jessica Hetrick: So the cyber fraud kill chain was developed out of an understanding that adversaries use the same types of recon activities, you know, such as social engineering, phishing on the front end and gaining access to the environment. Then they will look to circumvent controls to actually bypass the security tooling to gain access to targeted accounts or victim networks. They will - you know, whether that's brute force or using different default passwords, a dictionary attack, you can pretty much name it, from circumventing controls to gain access to the environment, where they will try to do account takeover or account creation. Third-party application exploitation - those types of activities before they execute and actually look to steal money. And so the cyber fraud kill chain developed out of the identification and understanding that while adversaries may still use similar tactics, techniques and procedures to the standard kill chain, there are also specific ones with specific motives. And so our goal in developing a cyber fraud kill chain was to not only understand how adversaries are executing fraud, but different ways that an organization could be at risk for fraud activities. 

Dave Bittner: Can you share with us some of the things that are specific to the cyber fraud kill chain? 

Jessica Hetrick: Sure. And some of those I have mentioned already. But I think some of the big ones - right? - are going to be account takeovers, account creation or API connections. We've also seen third-party applications as different access and objective-type activities. But then also there's going to be credit and debit approval. There could be home equity line loan grants, transfers. Those are just examples, you know, obviously, in one specific industry. But the cyber fraud kill chain is meant to be a continuous, evolving cycle where different organizations and different industries will experience fraud in different ways. And so, I mean, in today's threat landscape, when you're talking about why fraud is so prevalent - right? - we're seeing COVID rapidly shift the needle on fraud and also the exposure that organizations can be exposed to. So in terms of the types of fraud, it's going to continuously evolve. I mean, e-commerce alone is shifting the needle on this drastically. And as - you know, as different people think their banking is trustworthy, banks become more at risk to their environment. There's a whole new dichotomy. So this will be ever-evolving. But our goal in the methodology that we set up is to span both proactive and reactive understandings of adversary activity against a specific client in a specific industry, because they're going to see fraud in different ways from other organizations. 

Dave Bittner: You know, it strikes me that this could be an opportunity to kind of help bridge that gap between the security and fraud teams if you're - because the security team is going to be familiar with terminology like cyber kill chain, so you've already made them comfortable there. 

Jessica Hetrick: Yeah. And I think part of the reason why the cyber fraud kill chain is named that way is because it is still a kill chain, right? It still does follow the process of the adversary within an environment, the different steps that the adversary might take, whether that be, you know, TTPs or new ones. We still follow through what that kill chain might be from a cyber perspective, but with the intent of understanding the types of fraud that an environment might undertake. So our goal is to not just follow the adversary, but also help clients position themselves against that and reduce risk overall. 

Dave Bittner: That's Jessica Hetrick from Optiv. 

Dave Bittner: And I'm pleased to welcome back to the show, our CyberWire contributor, Caleb Barlow. Caleb, always great to have you back. Let's talk about documentation today. Security documentation is necessary, but is it fair to say it comes in various degrees of quality and completeness? 

Caleb Barlow: OK, Dave, you just said let's talk about security documentation. 

Dave Bittner: Yeah. 

Caleb Barlow: Most of the listeners just hit pause and said, all right, I'm done with this. OK, no... 

Dave Bittner: Skip, skip, skip. 

Caleb Barlow: Before you hit the skip button... 

Dave Bittner: (Laughter). 

Caleb Barlow: ...Let's have an honest conversation here and just call it the way it is. Your security documentation probably sucks. So let's just - let's just acknowledge it. 

Dave Bittner: OK. 

Caleb Barlow: OK? 

Dave Bittner: Go on. Go on. 

Caleb Barlow: So what are we going to do about it? Well, the first thing we've got to do is recognize what I call the volcano test. If one of your critical people falls in a volcano, is your security documentation good enough that other people can recreate the environment? And my guess is that it's probably not. So start there. Look at your documentation later today, if you can find it, and let's kind of start that. Now, one of the first things we really want to recognize in security documentation is the difference between a policy and a procedure. A policy is, in simple terms, a high-level statement of management intent. So that might be something like, we are going to use multifactor authentication on everything. 

Dave Bittner: Right. 

Caleb Barlow: A procedure is how you do that, how you implement and configure, let's say, Okta or whatever tool you're using to manage multifactor. Separate your processes and procedures because the two things are very different. For one policy, you're going to have lots of procedures. 

Dave Bittner: I guess I'm imagining that security professional who is overworked and underbudgeted. And so this documentation is one of those things that is easy to put off. How do you raise its priority? 

Caleb Barlow: Oh, is it ever easy to put off. And the best way to raise its priority is to put ownership on it, right? So all of these procedures and policies need an owner. You know, an interesting thing happens when you give somebody ownership and the document is blank - right? - in that, hey, you better get something written down. And the good news here is there's lots of templates. There's - you know, there's consultants that can help you with this. But the reality is this isn't hard. What's hard is keeping it up to date, Dave. 

Dave Bittner: Yeah. It strikes me as that old notion about you're trying to change the oil while the engine is running. You know, things - we're in a fast-paced environment here, Caleb. How can I possibly keep up with this? 

Caleb Barlow: Well, and here's what's going to happen when you don't have good documentation. The first thing that's going to happen - and I've been brought into these cases where, you know, maybe it's a lawsuit or it's a regulatory instance. The first thing that's going to happen is, Dave, show me your documentation. And, you know, when you go dust it off from the bottom drawer in your desk and you show me the documentation, the first thing I'm going to look at before I read anything is I'm going to go look at what is the update schedule on it. And when I see it hasn't been updated in two years, I'm going to go back and go, yeah, you don't really use this, do you? And you're going to kind of go, yeah, no, I probably don't, right? 

Dave Bittner: Yeah. 

Caleb Barlow: So what - one of the big things you want to do is keep it up to date. Log every change you ever make. You know, any time you change anything, keep that log, because the difference is now when a regulator or when a lawsuit comes back and looks at it and goes, holy cow; they're updating this stuff - oh, well, they changed the system. They updated it. Somebody changed - you know, there was a turnover of an employee. I see they've updated the new owner of the document. I see they had a breach. They learned something in the breach. They updated the document. Any regulator is going to look at that and go, oh, these guys have got their act together. This stuff is constantly kept fresh and updated, and I have confidence that this is actually what they're doing. 

Dave Bittner: Is this a situation where it's beneficial to have somebody to serve as that translation layer who can take those - you know, the technical changes and be able to put them into words that mere mortals can understand? 

Caleb Barlow: I think that's a part of it, but I also think there are some really good kind of frameworks and templates out there that can help people with this. One of my favorites - and, you know, people on this, on the CyberWire, have heard me say this a million times - I really like what people are doing with CMMC. Even if you're not a government supplier, the documentation requirements there are just super-crisp. And look; my engineering brain just loves that because it breaks it down into very logical chunks that anybody can understand, and you can start putting a template to it. 

Dave Bittner: Hmm. All right. Well, how do you get started here? What's your recommendation for folks to really get on top of this? 

Caleb Barlow: I think the simple recommendation is pick a policy - OK? - whatever that is - you know, multifactor authentication or, you know, maybe it's your policies on endpoint. And then say, OK, let's see all the procedures on that, and then just start the process of updating it. And just keep turning a crank. The best way to do this in my mind is a daily, agile scrum where you just scrum as a team. You work through your documentation. You pick one up. You got all the right people on the call. Tomorrow you go and review the updates, and you just keep working that documentation. And the next thing you know, it's a year later, and you're through it all. You've got nice, crisp documentation. And then guess what? It's time to start updating, and you just keep - it has got to be a nearly daily part of what you do. 

Dave Bittner: Yeah, make it a habit. 

Caleb Barlow: That's right. 

Dave Bittner: All right. Well, Caleb Barlow, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.