Notes from the cyber phases of the hybrid war against Ukraine. Conti retires its brand, and LockBit 2.0 is now tops in ransomware. Extortion skips the encryption. Cyber exercise in the financial sector.
Dave Bittner: Lithuania sustains a major DDoS attack. Lessons from NotPetya. Conti's brand appears to have gone into hiding. Online extortion now tends to skip the ransomware proper. Josh Ray from Accenture on how social engineering is evolving for underground threat actors. Rick Howard looks at Chaos Engineering. And U.S. financial institutions conduct a coordinated cybersecurity exercise.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, June 27, 2022.
Lithuania sustains a major DDoS attack.
Dave Bittner: Lithuania this morning announced that it has sustained a distributed denial-of-service attack. Reuters quotes Lithuania's National Cyber Security Centre to the effect that further attacks of this kind are expected. They say, it is very likely that attacks of similar or greater intensity will continue in the coming days, especially in the transportation, energy and financial sectors. The nominally hacktivist Russian group Killnet, responsible for earlier DDoS attacks against Italian targets, claimed responsibility for the incident. A group associated with Killnet, the Cyber Spetsnaz, last week threatened Lithuania with cyberattack should it persist in its policy of restricting rail delivery of embargoed goods to Russia's non-contiguous province Kaliningrad.
Lessons from NotPetya.
Dave Bittner: It's now been five years since the GRU hit Ukraine with NotPetya pseudoransomware in a campaign that was marked by a degree of indifference to the damage done to other countries in the course of the attacks. It moves one to the conclusion that the international consequences of the malware weren't so much collateral damage as a side benefit. CSO reviews some of the major lessons from NotPetya. The campaign showed that ransomware, and wiper malware representing itself as ransomware, could serve as an effective weapon, and the GRU was willing to use it as such. Adam Flatley, director of threat intelligence at Redacted, commented, it's interesting that the Russians are being a little more careful this time with their cyberattacks, but that's only constrained by their desire to be careful. The technology is still there for them to easily change the setting and let it loose if they wanted to.
Lessons from #OpRussia.
Dave Bittner: ComputerWeekly looks at the results Anonymous has obtained so far in its #OpRussia hacktivist campaign, and it finds that they've generally been more consequential than had been generally expected, although, of course, falling short of the devastation Anonymous customarily threatens. YourAnonNews tweeted, the Anonymous collective is officially in cyberwar against the Russian government. That was hours after the Russian invasion of Ukraine. The scope and sweep of the attacks, mostly defacement, doxing and DDoS, have been surprising, and potential targets of hacktivism elsewhere are considering how they might harden themselves against similar operations.
Conti's brand appears to have gone into occultation (maybe for real, this time).
Dave Bittner: Conti seems to have retired as a brand. BleepingComputer reports that the gang shut down its data leak and negotiation sites last Wednesday, and they seem to have remained down, at least for the rest of the week. Observers read this as the retirement of the brand, not the retirement - still less the reform - of the criminals behind it. BleepingComputer writes, some of the ransomware gangs known to now include old Conti members include Hive, AvosLocker, BlackCat, Hello Kitty, and the recently revitalized Quantum operation, BleepingComputer writes. "Other members have launched their own data extortion operations that do not encrypt data, such as Karakurt, BlackByte, and the Bazarcall collective.
Dave Bittner: The gang's ARMattack campaign last November and December - short, but intense - retrospectively looks like the brand's last big hurrah, except, of course, for its public declaration of adherence to Moscow's cause in Russia's war against Ukraine. Group-IB describes ARMattack as having hit some 40 organizations in the U.S. and elsewhere with noticeable effect.
Lockbit has now taken Conti's place as the biggest ransomware brand.
Dave Bittner: Assuming the Conti brand stays retired, the leading ransomware brand is now Lockbit 2.0. NCC Group's May ransomware report puts the leaderboard like this - Lockbit 2.0, Black Basta, a rising criminal star, Hive and the rump of a retiring Conti. BleepingComputer reports that AhnLab has noticed a trend in Lockbit 2.0's attack technique. The approach is still through phishing, but the phish bait has changed. The typical Lockbit come-on now consists of a bogus copyright infringement notice. To see the infringing material, the email says the recipient should open an attached file which carries the hook - the payload. It's not unique phish bait. The operators of both BazarLoader and Bumblebee have also used copyright infringement claims to induce their victims to bite.
Online extortion now tends to skip the ransomware proper.
Dave Bittner: The Register briefly describes a trend currently observed in ransomware attacks. Increasingly, they're skipping the ransomware; that is, they're not bothering to encrypt the victim's files. Instead, they're relying on the threat of doxxing, promising to release sensitive stolen data if the ransom isn't paid. So the trend toward double-extortion ransomware, encrypting data to hold them hostage but not before stealing it and then threatening to release it publicly, is now often skipping the encryption step. It used to be like kidnapping followed by blackmail. Now, more often than not, it's just blackmail.
US financial institutions conduct a coordinated cybersecurity exercise.
Dave Bittner: And finally, major U.S. financial institutions, motivated in part by the possibilities of cyberattack that Russia's war against Ukraine raises and at the urging of the U.S. Department of Treasury, have recently conducted a coordinated exercise designed to help them refine their defenses and their plans for coping with a cyberattack. Bloomberg reports that the exercise included JPMorgan Chase, Bank of America and Morgan Stanley. Bloomberg explains it ran through five hypothetical threat levels, ranging from minor assaults to a full-scale onslaught on multiple banks and critical payment systems. The exercise is regarded as showing an unusual degree of cooperation and information sharing among competitors.
Dave Bittner: And joining me once again is Rick Howard. He is the CyberWire's chief security officer and also our chief analyst. Rick, always great to welcome you back.
Rick Howard: Hey, Dave.
Dave Bittner: So I was reading the call sheets and rundowns for our discussion this morning, and I noticed that this week's "CSO Perspectives" episode is the end of Season 9. Man, this year going by fast.
Rick Howard: God, I know what you mean. And we covered a lot of ground this season, too. We did a little infosec history. We covered the current state and future of software building materials. We did some identity stuff about single sign-on and two-factor authentication and software-defined perimeter, and we talked about the current state of intelligence sharing today. And at the end, the last episode we did was a cyber sand table exercise for the Colonial Pipeline attacks of 2019. And, oh, my goodness, that's a lot of stuff.
Dave Bittner: I think you should take the rest of the year off. Rick.
Rick Howard: OK. I'll bring that up with my boss.
Dave Bittner: So what do you have in store for us in your season finale here?
Rick Howard: So have you ever heard of a resilience program called Chaos Monkey?
Dave Bittner: Yes. Yes, I have. That is Netflix - right? - where they...
Rick Howard: Yeah.
Dave Bittner: ...Sort of - it's exactly what it sounds like. They randomly go in and, like, blow things up and - to test their resilience, to make sure that their engineers have engineered in enough resilience so that basically, no matter what happens, customers won't notice that things have happened. Am I on the right track there?
Rick Howard: Yeah. You know, and that's what I thought, too, until I did a deep dive here. And - but it turns out, as with most things in cybersecurity, it's a lot more nuanced than that. Netflix and other big Silicon Valley companies like LinkedIn and Google and Microsoft and a bunch of others invented this thing called chaos engineering as an advanced resilience discipline designed to discover potential systemic weaknesses in their deployed architecture that they didn't know about before.
Dave Bittner: OK.
Rick Howard: So chaos engineering emerged because in the last 15 years, these organizations find themselves running gigantic systems of systems with thousands of dependencies that no human can keep track of in their heads. So chaos engineering is a response to that situation, where they can run carefully controlled experiments on production systems - I mean, they are blowing stuff up here, but they want to figure out all the unknown areas of weakness that they haven't discovered before. So in this last episode of "CSO Perspectives" of the season, we do a deep dive on chaos engineering to discuss how, for the right organization, it might be a useful tactic for your resilience strategy.
Dave Bittner: I would like to see a book or an article or something about the times when chaos engineering went horribly wrong. Wouldn't you? Wouldn't you?
Rick Howard: And you know they happen. They just don't talk about them.
Dave Bittner: No, no. They're probably, you know, traded in dark, shadowed corners at industry events. You know...
Rick Howard: Oh, I'm sure.
Dave Bittner: ...The folks who know, know. But the rest of us, it's too dark a secret to spread around.
Rick Howard: That's very true.
Dave Bittner: Well, listen, before I go, what is the cybersecurity term that you're covering over on the "Word Notes" podcast this week?
Rick Howard: So this week we're talking about identity and access management, or IAM for short. And, you know, Dave, I'm a little bit of a nerd, and I like to throw little pop culture references into the discussion, mostly to entertain myself. It's not for the audience. It's mostly for me.
Dave Bittner: (Laughter) Let's be clear, Rick. It's only to entertain yourself. But go on.
Rick Howard: So - but I got to tell you, this week I have outdone myself. I found a way to connect my favorite "Star Trek" movie of all time - the 1982 movie, "The Wrath of Khan" - directly to IAM. How great is that?
Dave Bittner: That is great. And I concur with your excellent taste in "Star Trek" movies.
Rick Howard: I think we're going to get lots of cards and letters about that one. But I'm up for the challenge.
Dave Bittner: Well, I think it's a defensible position, not exactly a Kobayashi Maru, but we'll live with it there.
Dave Bittner: All right. Well, you can find all of this stuff over on our website thecyberwire.com, where you can learn about CyberWire Pro. Rick Howard, thanks for joining us.
Rick Howard: Thank you, sir.
Dave Bittner: And joining me once again is Josh Ray. He is managing director and global cyber defense lead at Accenture Security. Josh, it's always great to have you back. You know, I know you and your team spend a good amount of time tracking some of the threats that are going on in sort of that criminal underground. And I wanted to touch today, particularly on social engineering and some of the things that you all are seeing evolving there.
Josh Ray: Yeah. Thanks, Dave, again for having me back. We are continuing to see the professionalization of cybercrime in the underground and specifically around highly specialized areas. And we spend a lot of time talking about things like technical exploit creation as a service. But really over the last three years, and more increasingly over the past six months or so, our CTI team has observed the increased availability of these social-engineering-as-a-service offerings on the underground.
Josh Ray: And this significantly magnifies threat actor capabilities and really ensures that this threat actor has maximum impact. And you know me, Dave. I'm normally pretty even keel when I hear about these types of shifts after, you know, being in the industry for a while. But, you know, after speaking to my team about this, I really believe that this change will not only significantly improve threat actor capabilities but will be problematic for security practitioners and threat defenders.
Dave Bittner: Well, can you give us some specific examples here? I mean, you know, social engineering certainly isn't new. So what's the approach that has you concerned?
Josh Ray: Yeah, no. You're exactly right. And I think it speaks specifically kind of to the adversary tactics and what they're doing. So threat actors, you know, are leveraging this service across the skills gambit. And what we're seeing is that lower-skilled actors, this obviously provides them a new, enhanced set of capabilities that they wouldn't otherwise have access to. And they're investing in this as well. So for the big groups, like a Conti or LAPSUS$, they have a dedicated department for this. And they don't just have one individual. They have a team with a dedicated lead that's really responsible just for social engineering. So they're very well organized around this particular piece.
Josh Ray: We're also seeing the threat-making more realistic, you know, socially engineered emails, really kind of looking at the user awareness training, I think, and pivoting their tactics as such. It's very well written, whether it's in English or French or German or Italian, because you used to be able to spot the broken English or something like that, and that was a dead giveaway. But the threat has definitely kind of caught up with this and these tells that humans use to spot the suspicious email.
Dave Bittner: Now, I've heard that they're getting their way into systems and taking advantage of people's - like, even their calendaring systems?
Josh Ray: Yeah. No, this is actually fascinating and slightly scary. I mean - and this speaks specifically to the timeliness of when they launch the attacks. So they will buy access through one of the many darknet cookie markets, you know, facilitating access to an Outlook calendar. And now they have this internal visibility. So, for instance, we've seen actors buy the credentials to an email account through these markets. And instead of just spoofing an email, they send the phishing email from an internal email address. This is, you know, social engineering from a genuine corporate account, which is a much more effective strategy, coupled with the visibility component where you can send it when somebody is on PTO or getting ready to attend a conference or has a, you know, important business meeting come up. And, you know, this has been one of the things that we've used to, you know, educate our user base. And we see that the threat is, you know, continuing to - you know, to pivot to counter these user awareness trainings.
Dave Bittner: Are they getting better with, you know, being able to use the lingo of individual organizations? Or have they upped their game there?
Josh Ray: Yeah. That's actually one of the most fascinating things, and it really complicates matters further. I mean, we've observed they've actually started to employ industry subject matter experts so that they can speak the jargon and understand the nuance of the business operations. And I like to draw the comparison, like, much like we - you know, as Accenture would kind of tout our industry expertise, you know, they actually have the ability now to do that in a way that increases the effectiveness of the attack. So now you have a threat that can leverage a highly specialized, sophisticated service, employing proper grammar across multiple languages, and then through the use of, you know, dedicated reconnaissance, they can target key personnel at the proper time based on their internal visibility, and with their increased industry knowledge, they make their emails much more realistic, and they can send them from a valid internal account now.
Dave Bittner: Well, let's talk about that. I mean, given this new reality and how much they've stepped up, what are you recommending to people to best protect themselves?
Josh Ray: Well, you got to be great at doing the basics, as always. And we've talked a lot about a lot of the technical controls, you know, such as pushing for, you know, MFA. And once again, you know, people are being targeted as the weakest link in that chain. And more specifically, you know, high-level executives and employees that have access to key internal business operations are top targets. What they post on social media and what their extended circle and family members may post on social media can be easily weaponized. So not only staying, you know, vigilant and increasing monitoring on your own enterprise, now you have to think about how do you extend that user awareness training to that trusted circle.
Josh Ray: And we've begun to, you know, help clients think about things like, you know, monitoring in the darknet, not only to get the intelligence on these available threats and capabilities, but how do you think about executive cyber protection for your key and highly visible employees as well, too? So those are things that we're going to have to do to really extend that intelligence gathering and visibility in conjunction with those technical controls, I think, to continue to mitigate this threat.
Dave Bittner: All right. Well, Josh Ray, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.