The CyberWire Daily Podcast 11.30.21
Ep 1468 | 11.30.21

Cybercrime and the criminal-to-criminal markets that support it during the holiday shopping season. Shaming as a pressure tactic. Living large, even when living on the lam.


Dave Bittner: It's crime, crime all the time - cybercrime, the C2C underground market and the expansive holiday shopping season. Rebranding in gangland. How crooks exclude targets on the basis of language or geolocation. Shaming as a criminal pressure tactic. Bad apps in the Play Store. Andrea Little Limbago looks at internet blackouts. Carole Theriault wonders what the Metaverse really means. And living large while living on the lam.

Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Tuesday, November 30, 2021. 

Dave Bittner: There’s a fair bit to think about today with respect to cybercrime and the hoods, goons, molls, gunsels, cons, delinquents, skells, perps and goniffs who commit it. 

Dave Bittner: We’re in the midst of what's come to be called the holiday season, although the shopping season may be more apt. And of course, the C2C markets are as aware of this as anyone else. Phishing-as-a-service operations are rising in prominence in those criminal-to-criminal markets during the holiday season, security firm Egress warns. They've observed a surge in typosquatting associated with phishing kits, with Amazon in particular being an obvious favorite for impersonation. 

Dave Bittner: Egress writes, quote, "In the week before Black Friday, researchers uncovered 200 new phishing kits containing imitation Amazon emails available on dark and clear web forums, with some retailing for as little as $40. One listing offers multiple language support, the ability to obtain credentials for a range of email providers and the option to prompt victims to take and submit pictures of their credit cards. Some kits boast capabilities to avoid detection, with one listing offering automated IP address checks to prevent automated security tools from scanning the link," end quote. 

Dave Bittner: The effect of this is to commodify cybercriminal tools, and to lower the barriers to entry for aspiring crooks who lack the technical chops or perhaps just the patience to develop the phishing tackle themselves. 

Dave Bittner: While a great deal of the discussion of C2C markets and increased rates of online fraud has been associated with Black Friday, and since Black Friday is now four days in the temporal rearview mirror, one might think that the risk was subsiding, but in this case one would be wrong. Have you noticed that the pumpkinification of supermarkets and discount stores now begins some time in August, more than two months before Halloween? It’s season-creep. And season-creep has extended Black Friday, Cyber Monday and Giving Tuesday from their nominal days to real weeks. Expect the rate of cybercrime to remain high for the next month at least. 

Dave Bittner: Late yesterday security firm Mandiant released a report on Sabbath, which refers to itself by the leet numeronym 54BB47h - get it? - a ransomware shaming site that resurfaced on October 21. Sabbath isn't actually new. Mandiant researchers have determined, on the basis of the CobaltStrike BEACON infrastructure the group uses - and sadly persistent grammatical errors that it preserves from site to site - that Sabbath is in fact a rebranding of a ransomware affiliate operation that's earlier gone by the names of Eruption and, more recently, Arcane. Mandiant tracks the gang as UNC2190, and says it's made a specialty of targeting critical infrastructure including education, health and natural resources in the United States and Canada. 

Dave Bittner: UNC2190’s preferred strain of ransomware is called Rollcoast, which appears to be a non-Java cousin of Tycoon ransomware. Rollcoast has, as many other malware strains do, a list of excluded languages which the malware won't execute if it detects them on the system it infests. The usual languages, those spoken in Russia and the near abroad, are on the list. But in addition to these are some unusual exclusions - some of them are quite surprising - Croatian, Slovak, Albanian, Swedish, Latvian and many others. Not on the exclusion list, English, French and Spanish to mention just three. 

Dave Bittner: Why is it characterized as a shaming operation? Well, that's because it uses a mixture of direct contact with downstream victims and public exposure of stolen data to pressure its targets into paying. 

Dave Bittner: Sabbath had its coming out party with an attack on a U.S. school district. Mandiant says, quote, "Sabbath first came to light in October 2021, when the group publicly shamed and extorted a U.S. school district on Reddit and from a now-suspended Twitter account. During this recent extortion, the threat actor demanded a multimillion-dollar payment after deploying ransomware. Media reporting indicated that the group took the unusually aggressive step of emailing staff, parents and even students directly to further apply public pressure on the school district," end quote. Sabbath is, in all probability, another ransomware-as-a-service operation, an affiliate program in which the top-level operators get a cut of the actual perps' - that is, their criminal affiliates' - take. 

Dave Bittner: Threatpost offers an update on the Tardigrade malware that's being deployed against targets in the biomedical sector. The update confirms Tardigrade's unusual and dangerous ability to change its components - both Smoke Loader and Cobalt Strike have been reported - morphing in ways that make it unusually evasive. 

Dave Bittner: Supernus Pharmaceuticals filed an 8-K with the U.S. Securities and Exchange Commission Friday, disclosing that it sustained a ransomware attack that began in mid-November. The company is cautiously optimistic, saying that it contained the damage without disruption to its operations and isn't paying the ransom but that it can't rule out reattacks or malicious use of stolen data. SecurityWeek says that the Hive ransomware gang claimed responsibility on Thanksgiving, anticipating the 8-K by a day, and pointing out that the victim hadn't yet filed that 8-K, which itself was probably intended to apply some pressure. 

Dave Bittner: Mobile security firm ThreatFabric has described how criminals are introducing banking Trojans into apps offered in Google's Play Store. While Mountain View regularly purges its store of malicious apps, the recent wave of malware that's posed variously as QR scanners, PDF scanners or cryptocurrency wallets has been somewhat more difficult to detect because of the deliberately small malicious footprint they display and which they've adopted to help them evade the permission restrictions Google Play enforces. The malware also pays close attention to geographical location before installing, the better to evade places and jurisdictions where scrutiny may be more rigorous. ThreatFabric has identified a dozen malicious apps that, in aggregate, have been downloaded some 300,000 times. 

Dave Bittner: And finally, we turn to the Daily Mail for a snapshot of what the civilized world is up against when it tries to prosecute Russian cybercriminals. The Mail's unusually detailed screamer reads, "REvil Super-hacker Wanted by FBI for Using Ransomware to Fleece Millions of Dollars From Americans is Unmasked by in His Plush Hideout in Siberia as Kremlin Turns Blind Eye." The tabloid's talking about Mr. Yevgeniy Polyanin, a Russian national, 28 years young, whom we've heard of before as being wanted by U.S. authorities for his alleged role in the REvil gang. The Mail's newshounds have tracked him to, quote, "a $38,0000 home in the Siberian city of Barnaul, where his wife, Sofia, openly runs a social media baking business," end quote. 

Dave Bittner: The Mail adds that Mr. Polyanin has been seen in Barnaul driving a $74,000 Toyota Land Cruiser and that he owns another car worth maybe a cool $108,000. This lifestyle sounds more provincial upper-middle class than big-time crime lord, maybe upper-upper-middle class, given that he's living in Siberia. And it's certainly a far cry from living on a yacht in the Black Sea and collecting gold chains and exotic cats. But the Mail is absolutely on point when it says it'll be a hot winter in Chelyabinsk before Mr. Polyanin or his colleagues are extradited to face American law. We do have one question. What exactly is a social media baking business? 

Carole Theriault: Facebook CEO Mark Zuckerberg recently announced that he's changing his company's name to Meta Platforms, Inc., or Meta for short. And this is because he's chucking a load of his eggs into his vision of the futuristic-sounding metaverse. Now, the idea of the metaverse is nebulous at best. It involves virtual reality, instant communications, instant broadcasting and a whole host of other technologies. I've heard people describe it in the media as the internet brought to life. Zuckerberg himself has described it as a virtual environment you can go inside of, like a magical portal that allows you to step inside of the world rather than gaze at it from the other side of a screen like an outsider. You know, this could give a whole new meaning to the horror genre. Just imagine a digital monster literally snapping at your tail. 

Carole Theriault: But right now, we have a number of virtual reality worlds, right? Gaming is a big one. And the idea of the Metaverse is, as we create more of these virtual worlds, we will need to somehow interconnect all of these disparate virtual communities into a playground where people can meet and game, or meet and work, or meet and hang out, shop, watch a movie or attend a theater, a conference, a circus. So you would be in your living room or on a beach or wherever with your virtual reality headset or augmented reality glasses or whatever else they come up with to entice us more deeply into this digital realm. But the idea is that you would be mentally engaged in a digital world but not have to be physically present. 

Carole Theriault: I mean, think about it. You wouldn't be looking at your colleague or friend on a screen, but hanging out in this virtual coffee shop together or a pub or a meeting room or on a beach. According to NPR, Victoria Petrock - she's an analyst who takes the pulse on emerging tech. She said it's the next evolution of connectivity where all of those things start to come together in a seamless doppelganger universe. So you are living your virtual world the same way you're living your physical life. I don't know. I find it really hard to wrap my head around. But then I'm not a tech visionary. 

Carole Theriault: There is no doubt, though, in my mind, that the pandemic has put this concept of the Metaverse on steroids. Literally, billions of us were trapped at home at the same time. And somehow, a huge number of us were still able to keep working, learning and communing with people in our individual worlds. So Metaverse sounds fabulously sci-fi. And in a way, it is because we're still in that idea phase. What is interesting is that Mr. Zuckerberg is doing his best to secure a serious foothold in the concept of this Metaverse world, including rebranding Facebook to Meta Corporation. I mean, what do you think? Do you think this is a smart move on Facebook's part, a cheeky move, a desperate move to remain a player? 

Carole Theriault: One other thing to note is that Facebook are not alone, tap dancing on the Metaverse stage. You have Epic Games, of course, the makers of Fortnite. Earlier this year, they announced a $1 billion funding round to support Epic's long-term vision for the Metaverse. Nvidia have told the world that they are busy creating the Omniverse, a platform for connecting 3D worlds into a shared virtual universe. Sounds a lot like the Metaverse, doesn't it? And that's the question. Are they exactly the same? Are they utterly different? And the thing is for any Metaverse, Omniverse to manifest itself, it needs experts and money across industries, cultures and technologies in order to work. In other words, competitors need to cooperate in order to win. 

Carole Theriault: But one thing is for sure - this move suggests that technology leaps are not going to slow down. The digital world is here to stay, and it is going to entrench itself more and more into our lives. And the tech is going to be thrown at us with even greater precision. You want to be careful what you let into your lives 'cause it's really hard to get rid of once you get used to it. This was Carole Theriault for the CyberWire. 

Dave Bittner: And joining me once again is Andrea Little Limbago. She's vice president of research and analysis at Interos. Andrea, it's always great to have you back. You know, you and I have spoken in the past about - I believe you introduced me to the term the splinternet of, you know, nations sort of, you know, putting a fence around their own access to the internet. And I know something you've been tracking is that there have been nations that have been blacking out their internet for their citizens for a variety of reasons. What do we need to know about this? 

Andrea Little Limbago: Yeah, I think it - you know, it really does. And I like that framing 'cause it is part of the broader government attempts to control information within their borders. And so some strategies are more on the data privacy side or data access. Some are on the data localization and the storage. In this case, it's really on stopping access to the internet. And so it kind of goes across the whole gamut and the whole spectrum of that. We're seeing just a continued growth in internet blackouts. And what that basically refers to - and you can - that also can be a spectrum from just blocking certain sites all the way to full-out having an internet blackout. 

Andrea Little Limbago: India holds the record for the longest democracy with an internet blackout in the Kashmir region. And that still is, you know, almost on and off several times. And by one estimate, it costs them almost $3 billion in 2020 by doing that. And so there are big business and financial repercussions for this. So on top of the, you know, societal implications of it, as far as the populations not having access to communication, not having access to - I mean, just think about how everything that you do through the internet right now - to your finance, to transportation, to ordering food - like, everything. So that's obviously the enormous human cost. For companies, they should care about this because it really is a financial cost as well for anyone doing business, perhaps, in that area. 

Andrea Little Limbago: And where we're seeing it really is focused on a couple of core areas. One is around election time in many countries. And so that, you know, should be concerning to folks who care about democracy. We see it around times of protests. Like, in Iran was a good example of that. It's going on in Sudan right now. The blackouts continue as we're talking right now, and that's been going on for a while. But, you know, in Myanmar, in the Tigray region in Ethiopia, like, if you were to start looking at where protests are across the globe or various kinds of conflict, we're almost always increasingly seeing some level of internet blackout by the folks in power. 

Dave Bittner: As technologies come online - I'm thinking about, you know, more practical satellite internet, things like that - is it becoming easier for citizens to work around these things? 

Andrea Little Limbago: You know, it depends, you know, because you have to think about - in many cases, either are already occurring in areas that may not be where some of the most developed internet, you know, capacity is. And so I think in some areas - so, like, Hong Kong would be a good example where, you know, many people in that area are figuring out how to work around some of these blackouts. But that's when the - you know, the Chinese government will then leverage a different tool, such as their security regulation. In many of these other areas, there just isn't that level yet of, I guess, digital awareness, I would say, because in many cases, the internet is still fairly new compared to other areas of the globe or just isn't... 

Dave Bittner: Right. 

Andrea Little Limbago: Or there just isn't the training capacity to understand that. So I think there may increasingly be ways to work around that depending on where you are in the globe. But at the same time, for so many of these cases that are - especially in some of the already most impoverished areas of the globe, the capacity just isn't there yet. 

Dave Bittner: And do you suspect this is an effective tool that governments have, so we should expect to see this continue? 

Andrea Little Limbago: I do. And I think about - you know, there's the statistics that, you know, over the last decade, there have been about 850 different internet shutdowns across the globe, and about 790 have been since 2016. So almost a majority have been in the last five years, and it does continue over the last couple of years just to remain at fairly high levels. And it's not just in one country. There were over 20 different countries in this year alone that have been deploying internet blackouts. 

Andrea Little Limbago: And so if it was just one of those cases where it was, OK, it's just here in Iran; some cases are in Russia, like, sort of the usual suspects - but when you're getting into over 20 different countries - readers look at what each other are doing, and they learn from that. And so when they see that, oh, it was very successful; it's a Washington protest over there, they're going to try it as well. And so there is, you know, the learning effect and seeing how it affects and how successful it is elsewhere. And it's - you know, it's relatively inexpensive - right? - for the government to deploy. 

Dave Bittner: Have there been any pushes for nations to say that this is a fundamental human right, that, you know, we shall not interrupt this? 

Andrea Little Limbago: Yeah, it's a great question. There has been. And that's what I think is actually interesting, where I think that there is some growing visibility on this now that we're seeing the U.N. has come out and said that, you know, digital rights are a human right and having access to the internet is part of that. The World Economic Forum has started talking about this a bit. 

Andrea Little Limbago: And so when we start seeing, you know, sort of the non-usual - you know, outside of the cybersecurity community and the sort of the tech publications, we start seeing the - you know, those, like, nonprofits and those in focus - economic development focusing on it. Access Now does a really great job tracking internet blackouts. And, you know, their nonprofit focuses on basically just the impact that it has across all of society. And within the framing of it, it's a human right at this point. 

Dave Bittner: All right. Well, it'll be interesting to track, for sure. Andrea Little Limbago, thanks for joining us. 

Andrea Little Limbago: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brendon Karp, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.