The CyberWire Daily Podcast 2.8.22
Ep 1511 | 2.8.22

Crowdfunding hacktivists and other irregulars. The Molerats have some new tools. Right-to-left override. Arrests in a cryptocurrency money-laundering case.


Dave Bittner: Diplomacy continues over the Russian threat to Ukraine. In the meantime, hacktivists and others are said to be receiving crowd funding through alt-coin remittances. The Molerats are back, and they have some new tools. Right-to-left override is being seen again in the wild. Vodafone Portugal is taken offline by a cyberattack. Joe Carrigan on Meta's $10 billion privacy hit. Our guest is Greg Otto from Intel 471 to discuss shifts in ransomware strains. And two arrests are made in a money-laundering case connected with the Bitfinex hack.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, February 8, 2022. 

Dave Bittner: There have been no striking developments in reporting on the cyber aspects of Russia's hybrid war against Ukraine since Microsoft's descriptions of Actinium's cyberespionage campaign. But governments around the world remain on alert for a resumption of cyber war that could spill over outside the theater of operations. Diplomacy has taken center stage. But there are interesting signs of alt-coin remittances funding Ukrainian equipment, a prospective resistance and ongoing hacktivism. 

Dave Bittner: French President Macron is in Kyiv today for talks with his Ukrainian counterpart, President Zelenskyy. He left Moscow yesterday, the AP reports, saying that he had received assurances from Russia's President Putin that Russia would neither escalate the conflict nor station troops permanently in Belarus. It's tempting to see the French and American governments as taking a good cop-bad cop approach to influencing Russia, with Mr. Biden cast as Starsky, Monsieur Macron as Hutch and Putin as the perp. But there's substantial agreement within NATO that Russian aggression against Ukraine needs to be, if not prevented, at least resisted. 

Dave Bittner: German Chancellor Olaf Scholz said shortly before meeting U.S. President Biden yesterday that NATO's response to Russian aggression would be united and decisive. President Biden said that the Nord Stream 2 pipeline wouldn't be permitted to go through if Russia moved on Ukraine, The New York Times reports. Chancellor Scholz suggested that Nord Stream 2 could indeed be held at risk, but he counseled more strategic ambiguity over the pipeline. This presumably would not only serve deterrence, but might also lead to a face-saving formula that would help Russia back down from an untenable position without more humiliation than is necessary. The sanctions, under preparation, of which an interruption of Nord Stream 2 would be a part, are expected to impose severe, painful costs on Russia's economy and society should they be imposed. One complication any Russian invasion of Ukraine would face, especially if Moscow's troops were to be there for the long haul, is the likelihood of a Ukrainian resistance movement. Kyiv has already begun to organize more than 100,000 civilians into a reserve militia capable, in principle at least, of functioning as irregular resistance forces.

Dave Bittner: Retired U.S. Admiral James Stavridis writes in a Bloomberg op-ed that a Ukrainian resistance is likely and merits Western support. Some of that support has been crowdfunded. The blockchain analysis and cryptocurrency compliance firm Elliptic says that alt-coin contributions to Ukrainian groups, official or unofficial, rose 900% in 2021, reaching a total of $500,000 for the year and continuing into 2022. Whatever alt-coin's debatable promise as an investment might be, its value in delivering difficult-to-trace remittances across borders has been clear for years. Some of the contributions have gone to hacktivist groups, like the Ukrainian Cyber Alliance. Elliptic notes that the donations have been going on at a small level since Russia's 2014 seizure of Ukraine and increasing dramatically with rising tension over the Donbas. 

Dave Bittner: Quote, "shortly afterwards, Russia seized Crimea and triggered a war in the eastern Donbas region of Ukraine. After decades of corruption and neglect, the Ukrainian military could not cope, and, again, volunteer groups stepped in. They provided soldiers, weapons and medical supplies to fill the gap. These groups are funded by private donors who have used bank wires and payment apps to donate millions of dollars. Bitcoin has also emerged as an important alternative funding method, allowing international donors to bypass financial institutions that are blocking payments to these groups," end quote. It's not the only kind of funding, but it's increasingly popular. And it's not only non-governmental organizations who benefit. And it's not only private donors who can move funds in cryptocurrency. Quote, "for most of the fundraising campaigns examined in our investigation, cryptocurrencies represented a small proportion of the funds received. The majority of donations were received through traditional payment methods, such as bank wires and online payment services. 

Dave Bittner: However, cryptocurrency has proved to be a robust and increasingly popular alternative. In some cases, we found that financial institutions had closed accounts belonging to these fundraising campaigns. This cannot happen with a crypto wallet. Cryptocurrency is also particularly suited to cross-border donations, allowing easier access to wealthy overseas donors. Some of the Ukrainian volunteer groups and NGOs accepting crypto donations have very close links to the Ukrainian government, and this adds to a trend of nation-states turning to cryptocurrency as a means of raising funds. Iran is using bitcoin mining as a way to monetize its energy reserves, while North Korea is believed to be stealing cryptocurrency to support its missile development program," end quote. Should kinetic war turn irregular, watch the blockchains for insight into both sides' logistics. 

Dave Bittner: Proofpoint this morning released a report on a Palestinian-aligned group that's using a new and, in this context, unusually complex attack chain. The researchers tracked the activity to the long-familiar Molerats threat group. The Molerats are using a new implant, NimbleMamba, for command and control and data exfiltration. NimbleMamba replaces LastConn, which itself was an evolved version of SharpStage. Quote, "Proofpoint assesses NimbleMamba is actively being developed, is well-maintained and designed for use in highly targeted intelligence collection campaigns," end quote. NimbleMamba executes with guardrails - that is, in a discriminating fashion - targeting systems only in Israel, Iran or Arabic-speaking countries in the Middle East and North Africa. 

Dave Bittner: Right-to-left override is an old attack technique going back at least 20 years, but Vade has observed an increase in its use. At least 200 attacks using the tactic have been seen over the past two weeks. The technique uses a non-printing Unicode character to shift the order in which subsequent characters are read. It's employed to dupe users into executing files with hidden extensions. 

Dave Bittner: Vodafone Portugal said this morning that it was hit last night by an unspecified attack that was intended to cause damage and disruption. Services are being restored. The company hasn't attributed the incident to ransomware, but The Record reports widespread internet rumors based apparently on a priori possibility and other recent incidents in Portugal that that's what the attack was. The Lapsus$ ransomware gang, which has been blamed for earlier attacks against media outlets Impresa and Cofina, hasn't claimed credit for the incident. 

Dave Bittner: As we noted in the context of the crowd-funding of insurgencies and resistance movements, the difficulty of tracing cryptocurrency is in its movement. But difficult, of course, isn't the same thing as impossible, as two arrests in Manhattan demonstrate. The U.S. Department of Justice announced today that, quote, "two individuals were arrested this morning in Manhattan for an alleged conspiracy to launder cryptocurrency that was stolen during the 2016 hack of Bitfinex, a virtual currency exchange presently valued at approximately $4.5 billion."

Dave Bittner: The two accused - Ilya Lichtenstein and his wife, Heather Morgan - are both New Yorkers, and they're making their first appearance in court this afternoon. The complaint against them alleges that they used a variety of tools in their attempt to launder the money - some old-school, like passing funds through business accounts, others more 21st century, including the assumption of fictitious identities, automated transfers, chain hopping and passing of funds into and out of a variety of dark web accounts. 

Dave Bittner: The Justice Department wants to make the point that altcoin is not only in principle traceable but recoverable as well. In the Binance case, for example, the announcement says, quote, "thus far, law enforcement has seized over $3.6 billion in cryptocurrency linked to that hack," end quote. A money laundering conspiracy beef, Justice says, carries a possible sentence of up to 20 years, but they caution the accused are entitled to the presumption of innocence until they're convicted beyond a reasonable doubt in a court of law. 

Dave Bittner: The team at security firm Intel 471 recently published research tracking what they describe as a reset of ransomware. There's no sign of ransomware attacks slowing down, but there have been measurable shifts within the ecosystem of ransomware operators. Greg Otto is senior cybercrime reporter for Intel 471. 

Greg Otto: 2021 was a pretty banner year for ransomware. Obviously, the big tentpole moment was - I would even say moments plural - the Colonial Pipeline attack and the attack on JBS as well. And we saw afterwards that the groups responsible for that said that they were going to go dark. And the underground forums where a lot of these actors operate had a shift where they decided that they weren't going to let ransomware actors advertise on their platforms. So over a period in the third quarter of 2021, what we looked at were the ransomware attacks that we could witness and measure. And we found that the most prevalent variants from July to September 2021 were LockBit 2.0, Conti, BlackMatter and Hive. And they made up 60% of the attacks that we measured. One in particular, particularly LockBit 2.0, they were responsible for one-third of the observed attacks that we ended up measuring. And to be clear, we're not talking about 30 or 40 attacks here. We witnessed over 600 attacks in the time span from July 2021 to September 2021. So, you know, you're talking 33% of 600. You're talking about ballpark 200, 210 attacks that LockBit 2.0 themselves were responsible for. 

Dave Bittner: Can we go through and kind of compare and contrast these groups? I mean, you mentioned LockBit 2.0, Conti, BlackMatter and Hive. What do they have in common? And how do they set themselves apart from each other?

Greg Otto: So I think what they have in common is they really do follow what we really saw as a trend in 2021 and maybe even going back even further back is that, you know, these ransomware as a service crews do not operate in a silo. And in order to pull off a ransomware attack, there are a lot of other things in an attack structure that need to happen. And each of them almost has their, like, separate sub business almost. You're talking about a lot of people that operate on the cybercrime underground forums, forums that I'm sure people are familiar with - like Exploit and XSS, those are two examples, but there are a couple of others - where everybody will advertise their wares. 

Greg Otto: If you're into these forums, you know, you advertise your services, whether - it's any part of a ransomware attack, whether it's access brokers selling access to companies that have - crypter services, encryption services that can allow for attacks to be carried out, escrow services where money can change hands to make sure that, you know, there's a guarantee that everybody is keeping their end of the bargain, so to speak, when it comes to ransomware attacks. A lot of these groups that we're talking about follow that protocol when it comes to these ransomware attacks. 

Greg Otto: And then also once the attacks have taken hold, you'll see a lot of the same operational tactics in terms of, like, what we call, like, double extortion attacks where it's, OK, not only have we locked everything up inside an organization, we've stolen some data and we're going to dump this data on our hack and leak blogs. We've seen that with a lot of these crews where, OK, if an organization that has been ransomed isn't going to play ball, OK, we're going to take the data that we exfilled and we're going to put it up on these, quote, "name and shame blogs" where it's, hey, OK, if you don't want to play ball with us, we're going to take all of this data and dump it out onto the internet. Maybe your competitors are going to see it. Maybe your stock price gets shorted. We're going to cause you some damage elsewhere outside of just, you know, locking up your business operations.

Greg Otto: And then we've even seen some of them go to what we call now a triple extortion, where, on top of the two things that I mentioned there, we now have where these crews will harass either customers or harass other people inside the business, where they might actually pick up the phone and say, hey, if you don't pay, we're going to make your lives a living hell, where it's actually to the point where we're talking about physical threats or, you know, you're talking about scaring third parties that a business does business with, you know, from a B2B standpoint. And if they threaten, OK, well, you know, if Company X isn't playing ball, you know, we have your contact information, Company Y. Maybe you're next - and trying to, basically, through all of these extortion schemes scare the first company or organization that was attacked into paying the ransoms. So we're seeing this consistently throughout ransomware as a service where they are going above and beyond to try to do whatever they can in order to see these organizations that are hit pay up. 

Dave Bittner: That's Greg Otto from Intel 471. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe.

Joe Carrigan: Hi, Dave. 

Dave Bittner: You know, one of the things that we track over on "Hacking Humans" is social media, and one of the big social media companies has had not a great week (laughter) or a great time lately. What's going on here, Joe? 

Joe Carrigan: It depends on how you define a great time. 

Dave Bittner: OK. 

Joe Carrigan: Facebook released earnings recently, and their big complaint is that they stand to lose $10 billion this year due to a change that Apple made on the iPhone. So back in April of 2021, Apple enabled iPhone users to choose which apps get to track their behavior by requiring that users opt in to sharing their Apple Ad ID. So when this came out, Facebook said, oh, this is really going to be detrimental to the Facebook experience, which I guess means the experience of getting revenue because I don't see how this actually impacts the Facebook experience itself.

Dave Bittner: The experience of having targeted ads right in front of you, right (laughter)? 

Joe Carrigan: Right. I mean, because, really, Facebook gets to track everything you do on their platform, right? There's nothing Apple can do to stop that from happening. When Facebook doesn't have access to this ID, they can't get access to your other behaviors, right? And that's what Facebook is upset about. And they say it's going to cost them $10 billion in revenue; so top line of the income statements, right? 

Dave Bittner: Well, that sounds like a lot of money to me. 

Joe Carrigan: Sure does. 

Dave Bittner: Ten billion dollars - we're talking about real money. 

Joe Carrigan: You know, their annual revenue was - I was looking at the report. It was, like, almost 118 million - billion dollars - almost $118 billion in revenue. And because of this one change in privacy, they're standing to lose about $10 billion. Now, I'm not a Facebook shareholder. I also don't work at Facebook. I don't own anything. I have no vested interest in Facebook, but I think this is worth $10 billion. The privacy of Apple users is well worth $10 billion in Facebook's revenue. 

Dave Bittner: And, you know, Facebook's stock price certainly took a huge hit. 

Joe Carrigan: They did. 

Dave Bittner: I've seen people saying it was the biggest hit in stock market history, the biggest loss in value of any company in stock market history and this could affect their... 

Joe Carrigan: In one day or - because I think... 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: OK. 

Dave Bittner: There's, like, $213 billion, something like that, they lost in value. It was big. 

Joe Carrigan: Well, markets tend to run on fear and greed. And when fear comes into play, stock prices crash. And that might be irrational. So, I mean, I'm not giving out investment advice. So read into that what you think. 

Dave Bittner: Yeah. Well - but I think what I've seen some folks pointing out is that Facebook is so reliant on advertising for their revenue... 

Joe Carrigan: Right. 

Dave Bittner: ...That perhaps some investors are seeing a lack of revenue diversity on their part. And the fact - combine that with the fact that Facebook is not growing - this was the first quarter, I believe, where they did not have growth of users of the platform - that those combinations led to some skepticism from the investors and a big hit on their stock price. 

Joe Carrigan: Absolutely. Absolutely. I don't know - you know, their growth looking forward, they definitely want to get into other products. They - this whole idea of the Metaverse, you know, the virtual environment, you know, I have absolutely no interest in participating in that with Facebook. I would love to participate in that with other companies that might be able to build it, like maybe Steam or Valve Software is building something like that that is similar and has other virtual reality things. But I was - you know, when Facebook bought Oculus, I thought, you know, there goes my wanting an Oculus. I don't want that anymore. I would much rather do this with a company who has other interests rather than targeting me with ads. 

Dave Bittner: Yeah, it's an interesting thing - isn't it? - that how much investors are able to overlook when it comes to criticism of a company as long as that company is still printing money quarter after quarter, right? 

Joe Carrigan: Right. 

Dave Bittner: And then when the money, you know, slows down or the growth slows down, all of a sudden there's more of an emphasis on the actual operational foundation, the values of the company. And I guess not surprising, perhaps a little disappointing, but that may be what's playing out here. 

Joe Carrigan: Yeah, it may be. It may be. 

Dave Bittner: Yeah. 

Joe Carrigan: Take a look at the stock price. It did take a big hit. You know, I have never been a Facebook shareholder because I've had concerns about it. I just can't bring myself to buy that company. 

Dave Bittner: (Laughter) And that's fine, you know? 

Joe Carrigan: Right. 

Dave Bittner: Say, hey, you know, yeah, invest in companies you believe in. I think that should be part of the equation. This episode of financial advice from Joe and Dave... 

Joe Carrigan: Right, two completely unqualified... 

Dave Bittner: ...Two people who know nothing about finance. 
Joe Carrigan: Do not take our advice on finance. 

Dave Bittner: (Laughter) That's right. That's right. All right. Well, Joe Carrigan, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.