DDoS attacks strike countries friendly to Ukraine. Predatory Sparrow's assault on Iran's steel industry. Callback phishing impersonates security companies. Anubis is back. BlackCat ups the ante.
Dave Bittner: More deniable DDoS attacks strike countries friendly to Ukraine. Predatory Sparrow's assault on Iran's steel industry. A callback phishing campaign impersonates security companies. The Anubis Network is back. Thomas Etheridge from CrowdStrike on the importance of outside threat hunting. Rick Howard weighs in on sentient AI. And a ransomware gang ups the ante.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, July 11, 2022.
More deniable DDoS attacks strike countries friendly to Ukraine.
Dave Bittner: Lithuania's state energy provider, Ignitis Group, sustained a large distributed denial-of-service attack over the weekend, LRT reports. The attacks had been intermittent over more than a week, peaking on Saturday. Ignitis said that it has now overcome the attacks and that its control systems were not affected. Tech Monitor says that Killnet claimed responsibility for the operation. Lithuania, like the other Baltic states, has strongly supported Ukraine during Russia's war. It has recently stopped imports of Russian natural gas and just this morning imposed further restrictions on Russian shipments to its discontinuous Kaliningrad territory.
Dave Bittner: Killnet also claimed responsibility for a DDoS attack against a website operated by the U.S. Congress, which experienced brief interruptions of public access between 9 and 11 a.m. Thursday. CyberScoop quotes the group's crowing over Telegram. They have money for weapons for the whole world, but not for their own defense.
Dave Bittner: The degree of control Russian intelligence services exercise over Killnet remains unclear, but the group makes no secret of its determination to support Russia in its war against Ukraine. Wired has a brief overview of the group's activities, which have affected targets in Lithuania, Italy, the United States, Romania and Norway. Killnet has declared war against these and other states who have been too sympathetic to Ukraine. For all of its online posturing, Killnet's activities haven't so far risen above a nuisance level. Flashpoint offers a suitably tepid appraisal of the group's work, saying while Killnet's threats are often grandiose and ambitious, the tangible effects of their recent DDoS attacks have so far appeared to be negligible.
Predatory Sparrow's assault on Iran's steel industry.
Dave Bittner: The BBC reports that Predatory Sparrow, a nominally hacktivist group opposed to Iran's regime, which claimed to have disrupted operations at Iran's Mobarakeh Steel Company on June 27, has posted videos of fires at the facility it claims were caused by its cyberattack. Mobarakeh Steel has minimized the effects of the attack, saying that its operations were not disrupted. CyberScoop reports that Predatory Sparrow has also dumped a set of documents it calls top secret and which it claims were taken from the Iranian facilities during the cyberattack. Those claims, as well as the authenticity of the documents themselves, remain unverified.
Dave Bittner: Given the long-running tension between Iran and Israel, there's been widespread speculation in the Israeli press that Predatory Sparrow, which presents itself as an Iranian dissident group, is operating in the interest of Israeli intelligence services. The Israeli government has begun an investigation into the source of the stories, which may or may not have derived from leaks.
Callback phishing campaign impersonates security companies.
Dave Bittner: CrowdStrike on Friday detected a callback phishing campaign that impersonates CrowdStrike and other security companies. The social engineering effort begins with an email that claims to have discovered a potential compromise on the recipient's network. The email provides a telephone number and invites the victim to call and arrange an audit of their workstations. It's unclear what might happen next, but the call will almost certainly invite the victim to install malware into their systems under the guise of a security update. CrowdStrike says
Dave Bittner: Historically, callback campaign operators attempt to persuade victims to install commercial RAT software to gain an initial foothold on the network. It's an old scam, and, while one might think it played out, people continue to fall for it. The impersonation of a security firm is thought to add additional plausibility to the imposture. CrowdStrike points out with emphasis that CrowdStrike will never contact customers in this manner, nor, one might add, will any other reputable security company. It's also worth noting that the campaign is purely fraudulent and doesn't involve any compromise of a security firm's networks.
The Anubis Network is back.
Dave Bittner: Security Affairs reports that the Anubis Network is back, providing command and control infrastructure for credential phishing that's targeting users in Portugal and Brazil. The initial contact is often by smishing, phishing with a text message, with a link to a bogus landing page designed to induce users to enter their credentials.
A ransomware gang ups the ante.
Dave Bittner: And finally, researchers at the firm Resecurity reported over the weekend that the BlackCat gang is upping its ransom demands. The gang, a competitor of both the once and future Conti and the clearly active Lockbit 3.0, is now asking its victims for $2.5 million in exchange for, well, stopping all the stuff it gets up to. While BlackCat is a major player in the ransomware-as-a-service subsector of the criminal-to-criminal market, it isn't simply engaged in double extortion, but in what Resecurity calls quadruple extortion.
Dave Bittner: The researchers explain that BlackCat's approach includes encrypting the victim's files - the first step, of course, in a classic ransomware attack. Victims are then offered a key to decrypt their files and restore access to their compromised data. The second aspect of BlackCat's attack involves data theft and the attendant threat of doxing, of releasing sensitive data. This is the now familiar double extortion. The third phase of a BlackCat attack is denial of service. The attackers conduct DDoS attacks to close down the victim's public websites. The DDoS, of course, will be called off when the victim pays. And the fourth and final phase of quadruple extortion is, according to Resecurity, harassment. The gang does reputational damage to the victim by calling customers, business partners, employees and media to tell them the organization was hacked. This, too, increases the pressure on the victim to pay.
Dave Bittner: Quadruple extortion is a noteworthy development in the C2C market. A number of ransomware operators have recently tended to concentrate on the second phase only, stealing data - or at least claiming to have stolen data - and then threatening to release the data if they're not paid off. It's easier than bothering with encryption. But BlackCat has gone in the opposite direction, opting for a more determined, more intense approach. In some respects, the larger ransom demands aren't surprising. The complexity and expense of quadruple extortion would seem to warrant a bigger ransom, if, that is, the hoods are going to realize any return on their investment.
Dave Bittner: Conti and Lockbit don't think much of BlackCat, dismissing them as scammers, which seems cheeky coming as it does from a bunch of criminal rivals who are engaged in a form of scamming themselves. BlackCat may have connections with other criminal elements, notably DarkSide and BlackMatter. There's been some suspicion, in fact, that code overlaps apart, BlackCat may represent a rebranding of DarkSide after that gang's Colonial Pipeline hack drew more attention and heat than the old gang was comfortable with.
Dave Bittner: And joining me once again is Rick Howard. He is the CyberWire's chief security officer and also our chief analyst. Rick, always great to welcome you back.
Rick Howard: Hey, Dave.
Dave Bittner: So a few weeks ago, one of Google's AI researchers, a guy by the name of Blake Lemoine, he got his 15 minutes of fame by claiming that the AI he was working on, which goes by the name LaMDA, a language model designed to converse with people, he says that it became sentient.
Rick Howard: Yep.
Dave Bittner: And he claimed that LaMDA could pass the Turing test. Now, I know you are a huge fan of Alan Turing, the guy who wrote that original paper that described the test. So what's going on here, Rick? Help me understand.
Rick Howard: Well, you're right that my all-time favorite computer science hero is Alan Turing, all right? In addition to the work he did on artificial intelligence in the '40s and '50s, he also mathematically proved that the modern-day computer could be built as a machine, a Turing machine, he called it, back in the 1930s - not to be confused with the Turing test that we're talking about here, a Turing machine, right? So - and remember, we didn't have computers back then, but every computer we use today is a Turing machine, and we have him to thank for that. And let's not forget about his codebreaking efforts at Bletchley Park during World War II, breaking the German Enigma code. His efforts probably helped save - what? - 20 million lives and shorten the war by years. But the Turing test is one of the first tests ever developed to determine if a machine can think.
Dave Bittner: You know, it reminds me of a segment from that great movie, "The Imitation Game"...
Rick Howard: Oh, yeah.
Dave Bittner: ...Which had Benedict Cumberbatch, more recently known as Doctor Strange. But in this movie, he was playing Alan Turing. Is that what we're talking about here?
Rick Howard: Oh, my goodness, yes. This is a fantastic movie. And I'm so glad that you brought that scene up. I've been telling people for years that the scene is the best explanation I've ever heard that describes the Turing test and what we thought artificial intelligence meant back in the 1940s. Let's listen to a piece of it.
(SOUNDBITE OF FILM, "THE IMITATION GAME")
Benedict Cumberbatch: (As Alan Turing) Of course, machines can't think as people do. Machine is different. The interesting question is, just because something thinks differently from you, does that mean it's not thinking? No. We allow for humans to have such divergences from one another. You like strawberries. I hate ice skating. You cry at sad films. I am allergic to pollen. What is the point of different tastes, different preferences if not to say that our brains work differently, that we think differently? And if we could say that about one another, then why can't we say the same thing for brains built of copper and wire, steel?
Dave Bittner: Wow, Cumberbatch is so good in that scene and a great movie overall, but this scene in particular, really good stuff.
Rick Howard: Yeah, you know, I'm so with you on that. And if our listeners haven't seen that movie yet, stop what you're doing, do not pass go and consume that story. It's fabulous. But what Turing described in that scene, the Turing test from his paper "Computing Machinery and Intelligence" published in the '50s, is what this Google engineer is talking about. He claims that his LaMDA could pass the Turing test.
Dave Bittner: Now, Rick, I have been a fan of this kind of thing since the first time I played with ELIZA on an old Apple II.
Rick Howard: Right.
Dave Bittner: Like, I was hooked from that point on, which is, like, 80 lines of code or something. And, I mean, it convinced me, 13-year-old me.
Rick Howard: Sure. Yeah (laughter). Me too. Well, you know, 40-year-old me, it convinced me (laughter).
Dave Bittner: So what does this mean? I mean, are we just years away from, you know, Skynet becoming self-aware and destroying the world?
Rick Howard: Yeah (laughter) well, yeah, we might be a few years away from that event, all right. You know, since Turing's work, the AI research community has developed more robust definitions for determining if machines can think. You know, some optimistic forecasters say that the singularity, that moment when a software wakes up and can fend for itself, is, like, 25 years away. More pessimistic forecasts are saying it's at least 100 years away. Still, if the Google engineer's assertion is true that LaMDA can pass the Turing test, that's a pretty significant milestone. I mean, we've been circling this moment for about five years or so. I mean, when you close your eyes and squint a little bit and try not to be too critical, you could say that voice assistants like Alexa come pretty close. You know, they're not there yet, but you can see it's right around the corner.
Dave Bittner: I can't help thinking if part of our natural impulse as humans is to keep moving the goalposts. You know, this reminds me of, you know, way back when they would say, well, the humans are the only species that uses tools. And since then, we found all kinds of animals use tools, right? So we had to find different ways to define humanity. And I wonder if we're going down that same path here. But it's going to be fascinating to follow for sure.
Rick Howard: Well, I've been criticized about this before, right? You know, and I'm not an artificial intelligence researcher by any means. And I'm sure there's a better test than the Turing test, right? But if I'm conversing with a voice assistant, and I can't tell if it's a human or not, that's pretty close to me. And it's probably more in line with what Alan Turing had when he was researching this stuff back, you know...
Dave Bittner: Right.
Rick Howard: ...A hundred years ago. Yeah.
Dave Bittner: And does it matter if you can't tell the difference?
Rick Howard: Does it matter? That's it. That's the key, I think (laughter). It doesn't matter, really, that much.
Dave Bittner: Right. All right. Well, listen, before I let you go, you have just added four new members to the CyberWire's Hash Table group this week. Real quick, tell us what the Hash Table is and then who's coming on board?
Rick Howard: That's right. As you know, we have a roster of experts who regularly visit the CyberWire Hash Table to discuss, you know, important issues of the day. Really, the secret is they're mostly there to keep me honest when I go off on strange tangents, as I'm like to do. All right. So you can see who they all are on the CyberWire web page. We have over 30 of them. And the new folks include Etay Maor. He's the senior director of security strategy at Cato Networks, and he's a recent CSO from IntSights. That's a Rapid7 company. We have Vikrant Arora. He's the new CISO at the Hospital for Special Surgery in New York. That's going to be interesting, a little extra commentary on that part of the world. All right.
Dave Bittner: Yeah.
Rick Howard: We have Kurt John, the recently announced global CSO at the Expedia Group, but he's the former CISO for Siemens in the Americas. So we'll get that industrial control system expertise on the table. That's great. And then last but not least, William MacMillan, also recently announced SVP of security product and program management at Salesforce. But he's just recently stepped down as the CISO for the CIA. So we're bringing in all kinds of expertise here to the CyberWire.
Dave Bittner: Those are some big guns there.
Rick Howard: Yes, we have...
Dave Bittner: Some big guns.
Rick Howard: They don't know what they're in for.
Dave Bittner: That's right. That's right. Well, you can find out more about all of that over on our website, thecyberwire.com. It is part of CyberWire Pro. Rick Howard, thanks for joining us.
Rick Howard: Thank you, sir.
Dave Bittner: And I'm pleased to be joined once again by Thomas Etheridge. He's senior vice president of services at CrowdStrike. Thomas, it's great to have you back. I want to touch base with you today on threat hunting. I know this is something you and your team focus on there at CrowdStrike. What sort of things can you share with us today?
Thomas Etheridge: Yeah, absolutely. Threat hunting is something that, you know, we focus in on to be able to provide capabilities to look for a needle in a stack of needles. And that really is what threat hunting is all about. We've seen threat actors take advantage of operating system capabilities and the ability to remain stealthy within an environment, bypass old traditional EDR controls and remain persistent in an environment in order to carry out their tradecraft. The best way to defend against those types of tactics is through capability in threat hunting.
Dave Bittner: What are some of the specifics here in terms of, you know, things people should be implementing?
Thomas Etheridge: A couple of things. Smaller organizations that maybe have a smaller security organization and that don't have the ability to perform threat hunting exercises on their own should really consider outsourced or third-party threat hunting organizations. Or at least ask your managed service provider if that is a service that's provided with the offering that they deliver. Larger organizations can take advantage of threat hunting and outsource threat hunting as well because many organizations, when they perform threat hunts, will do so during normal business hours, Monday to Friday. They might run a threat hunt or two every month or every quarter. Outsourced threat hunting capabilities may be able to provide differentiated threat hunting 24/7, 365 around the clock, which is typically when threat actors are most active, in off-business hours.
Dave Bittner: Yeah, that's a really interesting point there. You know, I wonder for folks who are kind of standing on the sideline here and haven't really engaged with threat hunting, what's your message to them?
Thomas Etheridge: Outsourced threat hunting is really meant to complement your existing security team and organization. They can be integrated in critical areas of the business, look across the telemetry that we have within your own environment but also compare that to telemetry that they might be seeing in other parts, other services that they're offering to other customers that maybe are in the same vertical or geography that your organization is. So doing threat hunting on a broad scale really provides additional benefits and advantages that are - go beyond what you might be able to provide with your own team.
Dave Bittner: So looking at some of the basics here, I mean, can we start at the beginning? Why do threat hunting at all?
Thomas Etheridge: Dave, I think the answer is pretty straightforward. We've seen a 45% increase in interactive, hands-on keyboard intrusion activity in the telemetry that we collect in our platform over the last year. Threat actors are very adept at using stolen credentials. They move quickly. We've seen breakout time down in the 98-minute timeframe for e-crime threat actors that we track in our - with our intelligence organization. The increase in the use of malware-free attacks allows organizations - allows threat actors, I should say, to remain stealthy and persistent and be able to go undetected with traditional security tools. So threat hunting is a huge differentiator in understanding and getting that visibility and being able to remediate and respond to incidents when they happen.
Dave Bittner: All right. Well, Thomas Etheridge, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. The CyberWire podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.