Update on Russia’s hybrid threat to Ukraine. Vodafone Portugal continues its recovery. The FritzFrog peer-to-peer botnet is back. And there’s a new wrinkle in the old familiar Nigerian prince scam.
Dave Bittner: Hi, everybody. We're excited to let you know that we've added a great show to the CyberWire podcast network. Check out Relativity's "Security Sandbox," hosted by Amanda Fennell. Security Sandbox is a series of creatively driven conversations about what it takes to solve complex data problems securely. Hear new ideas and approaches tied to increasing an organization's cybersecurity posture with little fun in the process. A big welcome to Relativity.
Dave Bittner: An update on Russia’s hybrid threat to Ukraine. The FritzFrog peer-to-peer botnet is back. Caleb Barlow warns of attacks coming from inside your network. Our guest is Tom Boltman of Kovrr on the shift in the cyber insurance market due to ransomware. And there’s a new wrinkle in the old familiar Nigerian prince scam.
Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Friday, February 11, 2022.
Dave Bittner: Regarding Russia's hybrid war against Ukraine, there are no publicly known major cyberattacks in progress, but disinformation and influence operations continue. Russian media have seized upon a Buzzfeed story published earlier this week that described possible contingency plans for moving the U.S. embassy from Kyiv to a location in Western Ukraine, should an invasion and an attendant refugee crisis render Kyiv untenable. Those stories are being represented as a form of Anglo-American attempt to stoke fear and exacerbate the crisis. Such opportunistic amplification has become a staple of Russian disinformation, with Facebook in particular seeing tendentious posts that have their origin in distorted interpretations of Western governments' statements and media reports.
Dave Bittner: Global Trade outlines four major risks an escalation of Russian pressure on Ukraine would carry for international commerce - commodity prices and supply availability, firm-level export controls and sanctions, wider geopolitical instability and cybersecurity collateral damage.
Dave Bittner: That last one is worth some discussion here. Global Trade reviews the experience of NotPetya, in origin and intent an action against Ukraine, as an example of the digital wreckage Russian cyber operations can work globally. But the danger isn't limited to collateral damage, but rather the prospect of direct attack.
Dave Bittner: Global Trade writes, quote, "In 2017, the NotPetya attack on Ukrainian tax reporting software spread across the world in a matter of hours, disrupting ports, shutting down manufacturing plants and hindering the work of government agencies. The Federal Reserve Bank of New York estimated that victims of the attack, which included companies such as Maersk, Merck and FedEx, lost a combined $7.3 billion. This figure could pale in comparison to the global supply chain impact of a Russia-Ukraine military conflict, which would inevitably include a cyber element. Whether Russia would target its cyberwar playbook at the U.S. or EU targets in retaliation for any support to Ukraine remains hotly debated. But the Cybersecurity Infrastructure and Security Agency has been urging U.S. organizations to prepare for potential Russian cyberattacks, including data-wiping malware, illustrating how the private sector risks becoming collateral damage from geopolitical hostilities," end quote.
Dave Bittner: It seems that Russian cyber operators know how to avoid collateral damage if they wish to do so. The discriminating nature of the January cyberattacks against Ukraine suggests that this is so.
Dave Bittner: There's a great deal of talk about collateral damage circulating during the present crisis, and it seems worth offering a definition. The U.S. Department of Defense defines collateral damage as follows - "A form of collateral effect that causes unintentional or incidental injury or damage to persons or objects that would not be lawful military targets in the circumstances ruling at the time," end quote.
Dave Bittner: Operations often have multiple effects, and a secondary effect, if it's intended, isn't collateral damage. It might be a legitimate operation. Or if a prohibited target is affected, it might be a war crime. The gray area lies where effects are unintended but foreseeable. Continuing coverage of the crisis in Ukraine can be found on our CyberWire website.
Dave Bittner: Ars Technica reports that Vodafone Portugal has restored many but not all of its services. An attack that hit Monday evening took out the company's 4G and 5G networks. It also halted fixed voice, television, SMS and voice and digital answering services. The motive for the attack is unclear. Vodafone Portugal has said that the incident was a deliberate attack intended to disrupt services but that the company hasn't received an extortion demand. And so it doesn't appear to be ransomware.
Dave Bittner: The FritzFrog peer-to-peer botnet went quiet back in December, but it's now making a comeback. Researchers at security firm Akamai, who began tracking the botnet in August of 2020, say that FritzFrog is newly active and that it's increased its infection rate by an order of magnitude over the course of a month. Akamai says, quote, "The decentralized botnet targets any device that exposes an SSH server - cloud instances, data center servers, routers, etc. and is capable of running any malicious payload on infected nodes," end quote. It looks for exposed servers, cloud instances, servers or other devices, then goes on to brute force SSH credentials and goes on from there. It can be used to carry any number of malicious payloads. Akamai gives FritzFrog high technical marks, describing the botnet as constantly updating, aggressive, efficient and proprietary. Many of its infestations are in China, and Akamai thinks the operators may either be based in that country or would like people to think they are. Its targets have been, for the most part, government, health care or educational organizations.
Dave Bittner: And finally, hey, hey, everybody. Here's a brassy twist to that old Nigerian prince scam. An email is circulating that represents itself as coming from the United Nations. Dear email user, it begins, which seems a little impersonal, but maybe that's how they write their emails over in Turtle Bay. It goes on all business, like this. This is to inform you that we have been working towards the eradication of fraudsters and scam artists in Africa with the help of the Organization of African Unity, the International Monetary Fund and FBI. That's some credible alphabet soup to conjure with, hmm? We have been able to track down so many of this scam artist in various parts of African countries and Europe, which includes Nigeria, United Kingdom, Spain, Ghana, Cameroon and Senegal. And they are all in government custody now. They will appear at International Criminal Court, Hague, Netherlands, soon for criminal fraud and justice. All right. They're beginning to lose idiomatic control, as scammers tend to. So maybe dear email user is reluctantly moved to a twinge of skepticism at this point. During the course of our investigation, we have been able to recover so much money from these scam artists. But, well, maybe you, dear email user, have read about how the Feds clawed back all that alt-coin Razzlekhan and her sweetie are alleged to have tried to launder. Maybe it's something like that. But then they really lay it on thick. The United Nations Anti-Crime Commission and the International Monetary Fund have ordered that the money recovered from the scammers be shared among - wait for it, wait for it - 100 lucky people around the world for compensation. This email letter has been directed to you because your email address and country name was found in one of the scammer artist's files and computer hard disk during the investigation. Maybe you have been scammed. You are therefore being compensated with the sum of 850,000 euros, which you will get in the currency of your present location for easy accessibility to the money. And how would an international organization distribute funds? Well, through an ATM card, obviously. The issuing bank has converted the fund into ATM card and registered it with security company to deliver to you, according to the approval of your ATM card by the manager of the issuing bank. The maximum amount signed for you to be withdrawing is some of 5,000 euros only daily until you withdraw all your total fund credit on your ATM account. Just contact them with the information they've asked for, and 850,000 euros could be yours, dear email user, at the rate of 5,000 euros a day. In just 170 days, you, dear email user, will be on easy street. And it looks totally legit, only why would the U.N. be using some random dude's Gmail account? That's pretty weird. And it's all courtesy of the United Nations Funds Investigation Unit. We couldn't find the United Nations Funds Investigation Unit, which makes us wonder if it's not some made-up organization like Starfleet or the Illuminati or the Brotherhood of the Bell. The U.N. itself, alas, with almost palpable weariness, is raining on Dear Email User's parade. A fraud alert on the actual United Nations site says, quote, "the United Nations does not offer prizes, awards, funds, certificates, automated teller machine cards, compensation for internet fraud or scholarships or conduct lotteries." We think maybe they got the same email we did.
Dave Bittner: The rise of ransomware has triggered a shift in the cost and availability of cyber insurance and prompted many organizations to take a closer look at how they're calculating their own cyber risk. For insights on that, I spoke with Tom Boltman. He's VP of strategic initiatives at Kovrr, a provider of cyber risk model quantification.
Tom Boltman: Businesses are powered by technology. Their supply chains are powered by technology. In every way, in some way, shape or form, they're either directly dependent or indirectly dependent on technology and the service providers, you know, that power their business. And so the potential absence or interruption or disruption to those technology infrastructures or those supply chains, which are third-party service providers that are powering their business, is now - you know, it's something that people are very sensitive to.
Tom Boltman: The question is, though, what do you do to ensure that you have business resilience, right? How do boards and CISOs and decision-makers ensure that they are prioritizing the right investments, making sure that they have the right risk transfer mechanism in place so that, should one of these events occur, they can make the right decision? So the challenge right now is, how do you make those decisions when you are not necessarily sure what your cyber exposure is in the first place?
Dave Bittner: And so how are they going about doing that? What are some of the best practices out there in terms of organizations assessing their cyber risk?
Tom Boltman: So today, you know, it's an evolving space. Obviously, you know, budgets are allocated on an annual basis. And security teams will invest in security controls and teams of people to make sure that, you know, they are building, you know, an appropriate level of security for their enterprises. In addition to that, you know, it's fairly typical that businesses will see some kind of insurance coverage, perhaps specifically cyber insurance coverage. And there, they're - you know, they are receiving input from - you know, from the brokers and from their carriers about, you know, what they, you know, may be exposed to.
Tom Boltman: The challenge, though, is that there is not necessarily an evolving view of that risk that is really tailored to the organization. So it's not necessarily sure, are we investing in the right place? What is the return on investment? Is our exposure reducing? Is this making an impact? You know, what is the likelihood of these events that could impact us in the first place? You know, and it's very hard to communicate between perhaps the CISO and the board and the board to the security teams and have a unified language which can help them, you know, really articulate in clear terms what that is. Part of the reason is because it is technical in nature, and so it can be challenging to talk in those technical terms to people who may or may not have a cyber background. They may not have a technology background.
Tom Boltman: And so what we're advocating is that if you're able to financially quantify each of those decisions, whether they relate to board reporting on the overall exposure, whether they relate to understanding and prioritizing security controls and the investments, you know, and those sorts of decisions - of course, risk transfer - you know, how much insurance should we have? And what should our risk transfer strategy be in the first place? Maybe - you know, maybe we can just insure the tail risk, those infrequent large events that, you know, could really do us serious damage and not necessarily, you know, the first offer that comes in. But have your own view of risk that you can assess in a more dynamic way as that risk evolves.
Dave Bittner: You know, it seems to me that one of the challenges that, you know, folks like yourself who are in the cyber risk business is that cybersecurity is so dynamic, and things are changing so quickly. You know, we see even changes in the insurance market, what they will and won't cover and prices and so on and so forth. Can you give us some insights into that - you know, how you adjust to those particular challenges?
Tom Boltman: Yeah. So, I mean, part of the trick here is having the cyber expertise on hand and having the technology that can interpret those changes in the field, right? So as I mentioned, understanding those changes in the threat intelligence landscape and how they could impact businesses in an evolving, continuous way is something that we believe is super important because ultimately, events do change and companies do change. And so you need the ability to have an on-demand way of knowing what has changed. But, of course, the wider market, especially around insurance, is evolving as well in reaction to all of this. And so, you know, we've seen, you know, across the board globally, you know, high deductibles, sublimits putting in exclusions around, you know, ransomware or certain types of events and attacks that may occur and ultimately with massively increased premiums as well.
Tom Boltman: So you're finding a situation now where it's actually harder to get coverage that you would like. And the terms of that are much more expensive. And so now what we're seeing is that boards have this additional challenge is because we're able to show them that there is a, say, an exposure, let's say, to ransomware. They recognize that, and they understand that. They understand that they could invest and they should invest perhaps more to try and mitigate and prevent it. But the risk transfer options which would ultimately, you know, in a previous world have helped them insure against potential losses may not be available to them.
Tom Boltman: So now they have this issue where they know that they can't ever 100% say we're never going to be attacked and, you know, have this situation occur and the business interruption and the ransom requests that come with it. So now we have a capital management problem as well, right? Because we now - we know that we have a potential liability or exposure to a, you know, potentially large amount. And we don't - we can't stop it 100%, and we can't necessarily get the insurance coverage that we would like that would satisfy, you know, as it did in previous times. So now we have to perhaps either set it aside or at least understand that this is something we may have to deal with in the year ahead.
Dave Bittner: That's Tom Boltman from Kovrr. There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects, where you get access to this and many more extended interviews.
Dave Bittner: And I'm pleased to be joined once again by Carla Barlow. Caleb, it is always great to have you back on the show. I want to touch on a specific scenario here and get your take on this. As opposed to a company being hit by a data breach, let's imagine that someone has gotten into my organization's network and they're using my infrastructure to do the things that they want to do. How should I be coming about that? What is your take on that scenario?
Caleb Barlow: Well, I think, Dave, this is something we're seeing more and more routinely not only from nation-state adversaries, but also organized crime. It's something that's not really thought through in most runbooks. And the response oftentimes is a little bit disingenuous because, you know, of the 52 different breach disclosure laws we have in the United States, they almost all focus on the idea of data exfiltration, not the bad guys using my infrastructure.
Caleb Barlow: So I think one of the first things we've got to recognize when we think about building a runbook for an adversary leveraging our infrastructure, especially if we provide services for other people, maybe we're a cloud provider, maybe we are an application provider, is, what is the extent of the damage? What are they doing? And the first inclination people have is just to go shut things off, and that's usually the wrong answer, because then you have no idea what they're doing or what they're going to do next.
Dave Bittner: So is the play to observe them for a while, figure out what they're up to?
Caleb Barlow: Well, sometimes it can be. And, of course, you know, this is where you really got to have good tentacles with law enforcement, with legal, and more importantly, have these things thought out ahead of time. I mean, I've seen countless times scenarios where the adversary is on someone's infrastructure, the reaction is to shut it off or rapidly deploy a set of security tools that the adversary is going to become made aware of. And then what happens is the adversary goes and hides on that infrastructure in a place where they can't find them, right?
Caleb Barlow: So you've got to really pay attention here and figure out, what are they doing there? What is their motivation? How much do they own in your environment? Because the other thing to remember is that classic iceberg scenario. Wherever you found them, that's probably the tip of the iceberg of where they are in your organization. And you need to make sure that you don't lose that investigative thread to find the rest of that iceberg so when you eradicate it, you can eradicate the whole thing.
Dave Bittner: What's the ultimate end game here? I mean, it seems to me like, on first thought, it sounds obvious, but I'm guessing there's probably some nuance.
Caleb Barlow: Well, I'll tell you the big place there's nuance to is what do you communicate? Because, you know, if they're - if you haven't lost data, what you typically see in these scenarios is the company, you know, kind of putting out - maybe they've got to put out some sort of press release or notification. They'll say things like, well, we have no signs that any of our infrastructure was impacted. OK, that's great. But what about all your customers' infrastructure? Or was this used as a beachhead or a trusted party to get into other infrastructure? That's oftentimes not discussed. So part of what you've got to do - also, if you're kind of the downstream in this - maybe you're the customer of somebody whose infrastructure was breached - you've also got to know what questions to ask. You know, do you have logging of where the adversary was? Can you demonstrate where they were not? And, you know, oftentimes you start asking those questions and people really don't know the answers. So it's really key to be able to watch the adversary enough to know where they are and what they're doing so that you know when you eradicate them, they're actually gone.
Dave Bittner: You know, one of the things that I think of with this is who takes the lead in something like this? And specifically, I'm thinking, first of all, making that decision before you're in the heat of it. But I could very easily imagine different folks, you know, the legal team, the (laughter) C-suite, you know, wanting to be in charge of things here, and in the heat of battle, that could really get in the way of doing the things you need to do.
Caleb Barlow: It can. So again, you've got to have these things thought out. But also, you've got to think of the downstream implications. So we've seen examples of this, where let's say a cloud provider is implicated in that bad guys used their infrastructure. Well, they may not have a regulatory issue, but their customers downstream - let's say they're providing services to a health care entity that falls under HIPAA as an example. Well, that downstream customer has a responsibility to disclose and a whole set of regulatory pressure that's going to be on top of them. So, you know, figuring out, like, who's going to do the disclosure? Who's on first? How does this information flow? How do you coordinate? That is very difficult to figure out in the heat of the moment with lots of lawyers involved. You really want that stuff thought through well ahead of time.
Dave Bittner: Yeah. All right. Well, good advice, as always. Caleb Barlow, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Dave Bittner: If you're looking for something to do this weekend - and honestly, who isn't? - check out "Research Saturday" and my conversation with Avigayil Mechtinger and Ryan Robinson from Intezer. We're discussing the SysJoker backdoor that targets Windows, Linux and Mac OS. That's "Research Saturday." Check it out.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.