The CyberWire Daily Podcast 6.2.22
Ep 1591 | 6.2.22

Cyber operations in the hybrid war. Karakurt extortion group warning. Clipminer is out in the wild. GootLoader expands its payloads and targeting. Leak brokers and booters shut down.


Dave Bittner: Russian government agencies are buying VPNs. CISA and its partners warn about the Karakurt extortion group. Clipminer is in the wild. GootLoader expands its payloads and targeting. Carole Theriault has the latest on fraudsters imitating law enforcement. Kevin Magee from Microsoft on security incentives by way of insurance. And leak brokers and booters shut down.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, June 2, 2022. 

Cyber operations in the hybrid war.


Dave Bittner: U.S. Cyber Command head and director NSA General Paul Nakasone remarked earlier this week that the U.S. had provided operational cyber support to Ukraine. His comments, on which he declined to elaborate, attracted considerable attention. The White House yesterday said that the cyber operations General Nakasone alluded to marked neither a change in nor a deviation from U.S. declared policy of avoiding direct combat with Russia. That's generally one of the points General Nakasone made in his remarks. The White House statement seems to rely upon the ambiguity of cyber operations, which remain a grey zone in international conflict. 

The state of Russia's cyber campaign.


Dave Bittner: The Washington Post reviews the ongoing controversy over how effective Russia's cyber operations have been in its hybrid war against Ukraine. The widespread catastrophic attacks against infrastructure many observers had expected haven't materialized, and that surprised many given Russia's dress rehearsals for attacks against the Ukrainian power grid in 2015 and 2016. Those were apparently successful proofs of concept, but they haven't been repeated in the present war. 

Dave Bittner: The most significant cyber action was the successful disruption of ViaSat ground stations, but the effects of that attack were quickly made good. Some observers see Russian failure, others Russian restraint. Still others see a different choice of objectives by Russian strategists. ESET's most recent threat report sees a conflict marked by hacktivists and criminal activity and sees the immunity from cybercrime, especially that Russia has largely enjoyed, as having significantly eroded. 

Dave Bittner: The Cyber Peace Institute this morning released a study of the conflict in cyberspace, concentrating on critical infrastructure in Ukraine and the Russian Federation essential for the survival of the civilian population and civilian objects, which are all protected under international humanitarian law, and targets outside of those two countries that have been impacted by cyberattacks as a result of the war and its associated economic and geopolitical context. 

Dave Bittner: The researchers concluded that while cyberattacks aren't playing a major role in tactical advances of either side, cyberattacks are used as a means of destruction, disruption and data exfiltration. In addition to the widespread use of disinformation, they've led to the destabilization of cyberspace. They say the conflict has seen a number of cyberattacks on critical infrastructure, such as communications services and electric power stations, in violation of international humanitarian law. 

Dave Bittner: They point out that so-called hacktivist collectives have played a significant role during this conflict but the primary type of attack undertaken by these actors being hack-and-leak style attacks by anti-Russian actors and denial of service attacks on Ukrainian allies by pro-Russian actors. Also, the energy, mining and financial sectors are seeing significant numbers of attacks both in Ukraine and Russia as governments across the world impose or increase sanctions. And beyond traditional means of propaganda, cyberattacks are being used to spread disinformation and control the flow of information relating to the war. 

Who's interested in a VPN? Russian government agencies are.


Dave Bittner: Russia's government apparently is purchasing VPN services not to subvert them but rather for its own use. Top10VPN reports that since the invasion of Ukraine, 236 official contracts for VPN technology worth over $9.8 million have been made public since the invasion. State institutions and companies regulated by public procurement law based in Moscow spent more than any other region, totaling 196 million rubles. That's about $2.4 million. The users are either government agencies or established corporations, and they're purchasing VPN services to retain access to sources of information that Kremlin-imposed censorship has otherwise rendered inaccessible. 

CISA and its partners warn about the Karakurt extortion group.


Dave Bittner: CISA, the FBI, the Department of Treasury and the Financial Crimes Enforcement Network have released a joint Cybersecurity Advisory on the Karakurt data extortion group, a gang that extorts its victims by threatening to dox them with stolen information. Karakurt is opportunistic and gives no appearance of favoring any particular sectors as it selects its victims. The gang is also a player in the C2C market, where it either purchases stolen login credentials, relies on the cooperation of criminal partners who have already compromised victims, or buys access from third-party intrusion broker networks. The data compromises Karakurt uses to threaten its victims are sometimes genuine but often smoke and mirrors, sometimes recycling data from old, known compromises. The payments Karakurt demands can be as high as $13 million, The Record reports. CISA and its partners advise against paying the ransom. Apart from the general good sense of avoiding feeding a bandit economy, in this case, CISA thinks Karakurt isn't close to being as good as its word. The gang seems to hang on to the information it steals and doesn't destroy the information as it promises. 

Clipminer is out in the wild.


Dave Bittner: Symantec's threat hunter team, a part of Broadcom Software, has released a blog post detailing their discovery of a cybercriminal operation utilizing malware tracked as Trojan.Clipminer. The threat actors behind this operation have made an illicit profit of at least $1.7 million from the use of this malware in cryptocurrency mining and theft via clipboard hijacking. The malware is believed to spread through Trojanized downloads of cracked or pirated software. Researchers suggest that Clipminer may be a copycat or evolution of another crypto-mining Trojan called KryptoCibule, as there are many similarities between the two.

GootLoader expands its payloads and targeting.


Dave Bittner: eSentire this morning published an update on GootLoader, a malware loader whose operators use search engine optimization poisoning to distribute IcedID malware as its payload. GootLoader is offered as malware as a service, and it's being adapted to handle other payloads. A law firm, eSentire says, has been among the recent victims. 

Leak brokers and booters shut down.


Dave Bittner: And finally, the U.S. FBI, the Belgian Federal Police and the Netherlands National Police Corps seized and shut down three criminal sites -, and WeLeakInfo billed itself as a search engine that could be hired to sift through illegally obtained and dumped data. The other two were DDoS-for-hire services. Good riddance to all three of them, and bravo for some good cyber police work. 

Dave Bittner: Cybercriminals and fraudsters are known for their brashness. Carole Theriault files this report about a disturbing trend of baddies imitating law enforcement. 

Carole Theriault: Well, there seems to be no end in sight of people wanting to make a quick buck by considering to scam some innocent person into handing over their life savings. We have seen romance scams and targeted phishing scams. We've seen disaster recovery scams and health scare scams and business email compromise scams. But I have recently seen a number of scams involving fake police. So say a police officer calls you, identifies themselves, and then explains that they think you were targeted in a financial fraud campaign. While they're talking, you might even look up their name and find out that they do indeed exist. Problem is that the person on the phone has stolen the real officer's identity in order to con you, the victim, into parting with your hard-earned cash. 

Carole Theriault: I mean, on the very week that I record this, I see that Albuquerque police issued a warning of a scammer pretending to be a legit officer of the force, that Thailand warned people to beware of deepfake police video calls, the U.K. Yorkshire County had a fake detective calling residents and that even in my home country of Canada, a perp decided to take the identity of a bona fide RCMP officer in order to convince people they were a person of interest. Or - and this happened last year in the U.K. - an elderly woman gets instructions to take cash and iPhones to locations around Gloucester and leave them there. The perps, pretending to be cops, told her the cash and phones were needed for a police investigation and would be collected by officers. 

Carole Theriault: Now, this seems to be too far-fetched to be true to me and probably to you, listeners of the CyberWire. But the thing is is they often target people who are vulnerable, less informed, or perhaps older people who have a smaller social circle of connected individuals who have cash reserves and a deep desire to do the right thing, which includes assisting the authorities upon request. The so-called cop reels off high-level information stuff, typically gathered from a public record, just to establish authority and credibility with the victim. And this approach is insidious to me. Targeting the more vulnerable in our society by swooping in to grab their nest egg leaves the victim where exactly? Upset, afraid, and don't forget, with no financial reserves. And like, listen. I work in tech, and I can barely keep up with all the plethora of scams. So how is your typical everybody supposed to be vigilant, especially if they're in their golden years, trying to enjoy themselves? Scams like this make my blood boil because they just feel rotten. 

Carole Theriault: So, dear listeners, may I ask that you look after your elders, particularly those that like to dabble online, maybe share too much on the socials, have really easy to crack passwords, and especially those that assume that everyone out there is a super-kind soul? Because it turns out there are a few tiny rotten apples out there and they're looking for someone exactly as I've just described. This was Carole Theriault for the CyberWire. 

Dave Bittner: And I'm pleased to be joined once again by Kevin Magee. He is the chief security officer at Microsoft Canada. Kevin, it's always great to have you back on the show. One of the things I think it's safe to say here in 2022 is that there has been a lot of movement in the cyber insurance world. Some of it's been reactive. Some of it's been proactive. I just want to check in with you on some of the things that you've been tracking with the folks that you interact with. 

Kevin Magee: Thanks for having me back, Dave. One of my predictions on Rick Howard's "CSO Perspectives" podcast for this year was that cyber insurance rates would start to go up, and that that would be a catalyst for positive societal change in addressing overall cybersecurity risk. And I think we're starting to see that. One, there's ample evidence that cybersecurity rates are going up as we're starting to normalize and understand what the risks associated with cyberattacks are. But two, that it's starting to catalyst - be a catalyst for change. What I mean by that is when insurance companies started penalizing people for bad behavior driving, and they started rewarding people for avoiding accidents, of not getting speeding tickets or whatnot, this became an incentive for real road safety. 

Kevin Magee: Vendors started building safety features into the cars and trucks. Consumers started to begin to evaluate their purchase decisions on how safe the product was, but also on how easy it was for the vehicle to insure or how much it would cost to insure that vehicle. So we're starting to see, I believe, cyber insurance rates not only normalize to our industry - because there's not those decades of data like the car industry - but also be that quantifiable amount that we can communicate to the business that's always really wanted us to put a dollar amount on risk and we've never been able to do. 

Dave Bittner: So are we headed into a time where we are able to do that? 

Kevin Magee: I think so. I think we're getting there. And it's just a year over year accumulation of data. So we're seeing as ransomware is becoming much more rampant, we're seeing the double tap where there's extortion really driving the amounts that security insurance companies are paying out increase. So in 2021, U.S. insurance carriers are reported to have increased direct written premiums by 92%, according to The Wall Street Journal last week. So that's up over - considerably over the 65% from the previous year and 47% in 2019. So these premiums are starting to be raised. We're also seeing that the insurers are covering less and less. So you have to maybe have two or three different policies to cover what you had previously before. 

Kevin Magee: So what this is driving is greater discussions between the security teams in the business. It's filing that callus to really have a CFO-level, board-level discussion about enterprise risk and what the true value of that risk is. And, again, I feel it's starting to put a number on what the cost of doing or not doing things within your organization to be cybersecure are. 

Kevin Magee: And a great example of that is a lot of insurance companies are asking that basic security controls be put into place, such as multi-factor authentication. This is driving real-world action. I'm seeing more and more uptake in multi-factor authentication not because it's the right thing to do or it's something we should do, but the catalyst for that movement is we have to get compliant in terms of our application for cybersecure insurance. So in that case, I think it's a good thing for our industry and just the cyber risk landscape that we're seeing globally as well. 

Dave Bittner: Do you think there's a danger that some areas may not be insurable? You know, I think about flood insurance, you know, which the private sector has gotten out of. And, you know, the backstop we have is the federal government, where the - where really all that's available is not-very-good insurance that's expensive, but it's the only option you have. Is there a possibility with, you know, the ever-increasing rates of ransomware that we could be headed in that direction? 

Kevin Magee: I really worry about that as well because we're starting to see now litigation play out in court where it's being decided. You know, what is going to be covered? What is an act of war in the cybersecurity world? What will be covered? So we're going to see a lag because of the legal process that it takes to really sort these things out of two or three years, in many cases, that will decide whether some industries are insurable or not going forward based on the results. 

Kevin Magee: I think at this time, with just all the geopolitical conflict, some of the challenges we're seeing with nation-states attacks and whatnot, there's got to be a backlog in the legal system of trying to interpret and decide, you know, what is an act of war? Who is the threat actor? What if it's a proxy, not a nation-state? How does that play out? Is it a criminal element? Is it not? 

Kevin Magee: We're going to see, I think, an incredible amount of thought put into this over the next couple of years by legal minds, which will then translate into real-world action in a lot of cases. And I fear many of the same things that you just mentioned - that some areas of the economy just may not be insurable for a short period of time or maybe a long period of time and require government intervention in order to maintain their services. 

Dave Bittner: All right. Well, Kevin Magee, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.