The CyberWire Daily Podcast 6.1.22
Ep 1590 | 6.1.22

Costa Rica hit with another round of ransomware. Cyber phases of Russia’s hybrid war against Ukraine. CISOs and 3rd-party risk. Elasticsearch databases as extortion targets. And Razzlekhan!


Dave Bittner: Costa Rica's health care system comes under renewed ransomware attack. Cyber phases of the hybrid war. Charity fraud exploits sympathy for Ukraine. The U.S. FBI attributes last year's attack on Boston Children's Hospital to Iran. CISOs are surveyed on their challenges. Robert M. Lee joins us for the launch of the new "Control Loop" podcast. Josh Ray from Accenture looks at ransomware trends. And Razzlekhan and Dutch - a cryptocurrency love song.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday June 1, 2022. 

Costa Rica's healthcare system comes under renewed ransomware attack.

Dave Bittner: Costa Rica continues to struggle with its recovery from a ransomware attack by Conti and has now seen its health care system subjected to cyberattack. Reuters reports that the Costa Rican Social Security Fund (CCSS), the country's public health agency, has been forced to shut down its digital record-keeping system. This has affected about 1200 hospitals and clinics, with possible consequences for thousands of patients. At the time Reuters filed no group had claimed responsibility for the incident, but since then BleepingComputer has reported that the Hive ransomware operators were behind the attack. 

Dave Bittner: It has generally been thought that Conti's earlier attacks against Costa Rican targets represented a kind of misdirection intended to cover the group's reorganization and rebranding and to afford it an opportunity, KrebsOnSecurity noted, to figure out how better to evade the sanctions that were interfering with its receipts. And indeed, the gang's calls for insurrection were unusual. Conti does seem to be connected with Hive and with a range of other groups as well. In BleepingComputer's account, while Conti is now slowly shutting down operations, it has partnered with numerous well-known ransomware operations, including Hive and HelloKitty, AviosLocker, BlackCat, BlackByte and others. Its members have now splintered into smaller, semi-autonomous and autonomous groups that have infiltrated the other ransomware-as-a-service groups. They've also created independent groups focused on data exfiltration and not data encryption. 

Cyber phases of the hybrid war.

Dave Bittner: Ukraine, not a NATO member, of course, has nonetheless joined the Atlantic Alliance's NATO Cooperative Cyber Defense Centre of Excellence and is formalizing its membership to the group during meetings in Tallinn, Estonia. The Hill quotes Ukraine's National Security Agency on what Kyiv hopes to gain from the cooperation. They say, Ukraine's accession to the CCDCOE is a significant achievement for our country in terms of strengthening international cooperation in the field of cybersecurity and cyber defense, as well as an important step toward Ukraine's NATO membership. 

Dave Bittner: U.S. director NSA and Commander, Cyber Command, General Paul Nakasone was also in Tallinn this week and, while there, told Sky News that, quote, "we've conducted a series of operations across the full spectrum - offensive, defensive and information operations" in support of Ukraine. He understandably declined to say what those measures were, but stressed that they were all properly authorized, legal and conducted with appropriate civilian oversight. He said, my job is to provide a series of options to the secretary of defense and the president. And so that's what I do. German authorities have issued a fresh warning of the likelihood of Russian cyberattacks against infrastructure. Reuters reports that Berlin sees the financial sector as being particularly at risk.

Charity fraud exploits sympathy for Ukraine.

Dave Bittner: The U.S. FBI warns that scammers are trading on widespread sympathy for Ukraine as they frame their come-ons to prospective victims. The FBI says, criminal actors are taking advantage of the crisis in Ukraine by posing as Ukrainian entities needing humanitarian aid or developing fundraising efforts, including monetary and cryptocurrency donations. Unfortunately, this isn't new. As the Bureau points out, they say scammers similarly have used past crises as opportunities to target members of the public with fraudulent donation schemes. The Bureau would like anyone who's encountered one of these scams to let them know by filing a report with the FBI's Internet Crime Complaint Center at

US FBI attributes last year's attack on Boston Children's Hospital to Iran.

Dave Bittner: CNN reports that FBI Director Wray has publicly attributed a cyberattack on Boston Children's Hospital to a threat actor run by the Iranian government. It was, he said, one of the most despicable cyberattacks I've ever seen. And he used the occasion to point out that the attack, which was for the most part unsuccessful, should serve as a reminder that the Russian government isn't the only bad actor in cyberspace. Moscow, Tehran, Beijing and Pyongyang are the familiar four regimes given to hostile action in cyberspace. That said, Director Wray emphasized that the FBI is currently most concerned about Russia. Since the Russian invasion of Ukraine, the bureau has operated at combat tempo, he said. When it comes to Russia today, we're focused on acting as early - as far left of boom, as they say - as we can. We're watching for their cyber activities to become more destructive as the war keeps going poorly for them. 

Elasticsearch databases hit by extortionists.

Dave Bittner: Secureworks Counter Threat Unit reported today that they found that a threat actor has replaced data in 1,200 Elasticsearch databases with a ransom note and a contact email address. Four hundred and fifty individual ransom requests were found by researchers, and despite the wide span of this campaign, the ransom requests have been pretty low, averaging around $620. The money is payable to one of two bitcoin wallets, but as of the publication of the report, there are no transactions. Researchers say that while this campaign may be considered unsuccessful due to a lack of payments, this shows that the risk to companies and individuals with unsecured infrastructure is high. 

CISOs surveyed on their challenges (and they're particularly worried about exposure to 3rd-party risk).

Dave Bittner: AimPoint Group, CISOs Connect and W2 Communications have released a report detailing the vulnerabilities that CISOs face. Researchers found that CISOs view today's threat landscape as worse than a year ago and report that they find third parties, such as suppliers and partners, to be their biggest security threat. The report shows that many CISOs are prioritizing both the implementation of zero-trust models within the next year, as well as ease of use and simplicity in their security solutions. 

Razzlekhan and Dutch: a cryptocurrency love song.

Dave Bittner: And finally, hey, everybody, remember Razzlekhan, the Crocodile of Wall Street, and her husband, Dutch - or, as they're more formally known in court documents, Ms. Heather Morgan, age 32, and Mr. Ilya Lichtenstein, age 34? They're accused in connection with the laundering of a cool $4.5 billion cybercriminals ripped off from alt-coin exchange Bitfinex back in 2016. The two were to have appeared in U.S. federal court on Friday, but prosecutors have asked that their hearing be postponed until August 2, so they have a chance to review the evidence the feds have assembled in their case and therefore make an informed decision about what they'll plead. There's lots of evidence. The prosecutors who worked on this over the Memorial Day weekend mentioned voluminous financial records, and Reuters says there are some 1.1 gigabytes of data to consider. Dutch is being held without bond. Razzlekhan is presently under house arrest. This seems unfair in a way. Ms. Razzlekhan is also a rap artist, bringing her stylings to the New York Financial District, and the prospect of her posting more performances seems more worrisome than simply being a flight risk. Trust us, we've heard her rap. 

Dave Bittner: And it is my pleasure to welcome to the show Robert M. Lee. He is the CEO at Dragos. Rob, I am excited to say that we are heading off on a collaborative project here, the "Control Loop" podcast, sponsored by Dragos. And you all are, of course, heading up large parts of this effort. Let's start with some basics here. Why this? Why now? 

Robert M. Lee: Yeah, so good to collaborate with you. I feel like we've been in orbit with each other for a while, so it's good to put a ring on it, as Beyonce would say. When I look at why now, the reality is OT security has become such a main topic now. Like, it is truly a global up from executives on down to practitioners discussion. It's not just this little community that we've been - you know, at one - you know, a decade ago we could all sit around the fire literally at a conference and know everybody around us. Now it's much bigger, which is awesome. But with that comes a lot of information overload. And there is a lot of good guidance getting out there, and there is a lot of bad guidance. And there's also just too much information sometimes for anybody to reasonably consume when you're busy day to day. 

Robert M. Lee: So why now? - because there's that plethora of information we can synthesize down - here is the things that you need to be aware of. What we're hoping to accomplish with it is exactly that. I'd like to make the podcast kind of two things, and that's what you and I have talked about for a while. The first thing is kind of the news capturing of all the different stuff out there - of all the new papers, of all the new research, of all the news bites. What's your 15 minute or so digest of this - and just make this accessible to people. I mean, again, we're all overly busy - just be able to have audio for a commute or even just preparing around the house for the morning. To be able to synthesize all that information - that's a good service to provide to people. So that's part of it. 

Robert M. Lee: The second part is, we are welcoming in a significant increase of percentage of professionals into the OT community versus what's there today. In other words, you onboard 500 new people into infosec, then put a dent into the size of infosec. You on board 500 new people into OT security, that's a significant contribution to the percentage of the current state of the community. And so we need to have a forum of source to kind of, like, onboard them and make sure that they are getting some basic concepts and understandings. So the second half of the "Control Loop" podcast, if you will, is meant to just be a very educational, hey, here's how a control loop works. Hey, here's what a gas turbine is and where you might find them and what they do. Hey, here's why OT is different than IT, so just have the - kind of educational things. And I think as we've talked, the idea is to launch each episode in its full, but to take that second half of the episode and create a library of content for people that can come back and just up-level their knowledge about ICS security. 

Dave Bittner: Who's the target audience here? I mean, obviously, we want folks within OT security to listen, but it strikes me like there's a lot here for folks who are outside of that specific community as well. 

Robert M. Lee: Yeah. I think the first half will be kind of an everybody thing. And I hate to say it that way, but it really is. There's nobody out there that's not interested in what's happening in our infrastructure security and kind of being up to date with the news. And if you're trying to keep up to date with everything, you can't, but a 15- to 30-minute digest of here's the stuff you need to know - literally, you'll have not only CSOs and executives and practitioners and all that, but you're going to have bankers and financial analysts and market analysts and everybody else trying to keep up to date. So I think it's going to be a lot wider than people realize in that first part. That second part will be more practitioner-focused. That will be where you've got the - maybe the CSO who's trying to get more familiar with what programs are about to roll out, but definitely IT security professionals trying to onboard into operations. Like, I think that'll be the core segment - or core audience for that portion of the show. 

Dave Bittner: All right. Well, excited to launch the new show. It's called "Control Loop." Robert M. Lee from Dragos, thanks for joining us. 

Dave Bittner: And I'm pleased to be joined once again by Josh Ray. He is managing director and global cyber defense lead at Accenture Security. Josh, it is always great to welcome you back to the show. I want to touch base with you on some of the trends that you and your colleagues are tracking there at Accenture when it comes to ransomware. 

Josh Ray: Thanks, Dave. I appreciate you having me back. The team has done, you know, some continued research on this dating back to 2021, to, really, the beginning of 2022. Yeah, and I think we've got some pretty interesting things to share with the listenership, especially things that have taken place in the previous months. One of the things that, you know, I think is heightened and a trend that I want to kind of foot stomp is that threat actors are moving quickly to kind of extortion, and then sometimes they're just not even encrypting a lot of the data. We've seen, you know, even through a general lack of transparency from some companies, about 48 large companies that we were able to kind of pick up in open source that have been affected. And these are companies, you know, roughly around the - you know, over 1 billion in value. These companies, about 11 have reported that they've been - you know, actually paid the ransom. 

Josh Ray: And this notion of paying the ransoms, I think, is a - kind of a key trend as well. So companies are actually paying ransoms less than they have in previous years. And we think this is due in part to the visibility of some of these particular threats, but also that some of these security mitigations that people are putting in place are, actually seem to be working. Additionally, I think, you know, the threat actors are becoming much more astute with regards to the actual amount of the ransomware demanded based on the target's value and the ability for them to pay. And as I said before, this notion of kind of skipping the stolen data encryption step and go straight to extortion seems, you know, very much like an important trend. And I think, you know, lastly, speaking more broadly, the threat is demonstrating a significant amount of business acumen by reinvesting a lot of the funds from the folks that are paying these ransoms into enhancing their own operations and capabilities. So threat actors are actively integrating new data exfiltration capabilities, encryption features into their malware and creating high-end exploit development and social engineering service offerings. 

Dave Bittner: You know, we're seeing a lot of volatility in the cryptocurrency world. Is that having any effect on ransomware operators, or do we expect that it could, you know, either way? 

Josh Ray: Yeah. You know, so what we've seen is, you know, approximately, you know, one-fourth to a third of victims that that pay the ransom actually face much higher, hidden costs. In some cases that ranges from, you know, 50 to $100 million. And after the initial attack, they're still subject to follow-on targeting. For example, you know, many victims who pay a ransom often retrieve, you know, corrupted data or incomplete data and still remain vulnerable to these attacks. And this repeat targeting is something that we're seeing typically about a couple of weeks after the initial payment. So companies pay the ransom, and then they're often extorted for more money not to leak the data. 

Dave Bittner: So who do you see being targeted here? Are there any particular verticals that they seem to have in the crosshairs? 

Josh Ray: Yeah. I think, you know, the top three really are manufacturing, public sector and professional services, I think are probably among the hardest hit sectors. Manufacturing is high on the list because, you know, downtime for this particular sector is just not, you know, not an option, right? They can't afford not to be in business. And they're usually some smaller companies with small budgets for cybersecurity. And they're not necessarily as highly regulated as some of the other industries, like financial services. Professional services, also top target, because, you know, as we spoke of before, it's the ecosystem that they serve. It enables, you know, a lot of these supply chain types of attacks on clients of the professional services company. And they, of course, have some very, you know, intimate information that can be used for follow-on social engineering purposes as well. 

Dave Bittner: All right. Well, Josh Ray, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfman, Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.