The CyberWire Daily Podcast 7.22.22
Ep 1625 | 7.22.22

Espionage and counterespionage during the hybrid war. Assessing Russian cyberops. Conti's fate. Investigating cut Internet cables in France. Trends in “pig-butchering.”


Dave Bittner: Traditional espionage and counter-espionage during the hybrid war. Assessing Russian cyberattacks. Conti's fate and effects. Investigating cut internet cables in France. My conversation with AD Bryan Vorndran of the FBI's Cyber Division and Deputy Assistant Attorney General Adam Hickey on reverse web shell operation and Hafnium. Our guest is Tom Kellermann of VMware to discuss the findings of their "Modern Bank Heists" report. And finally, the dark online world of pig butchering.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, July 22, 2022. 

Assessing Russian cyberattacks.

Dave Bittner: The U.S. continues to look for an explanation of why Russian cyberattacks in support of its war against Ukraine, while they've certainly been conducted, have so far fallen short of the devastating potential widely expected as the special military operation began. Deputy national security adviser for cyber Anne Neuberger reviewed the bidding Wednesday at the Aspen Security Forum. Defense News quotes her as saying, "with regard to the Russian use of cyber and our takeaways, there are any number of theories for what we saw and what, frankly, we didn't see. Some argue for the deterrence the U.S. has put in place." And in this, she was alluding to the discussions between President Biden and Putin after the Colonial Pipeline ransomware attack. She says, "some argue that it was the result of the extensive cybersecurity preparations Ukraine did, supported by allies and partners. And some argue that we don't quite know." Ukraine thinks defensive preparations made a contribution to blunting Russian cyberattacks. Ilya Vityuk, head of the cybersecurity department of the Ukrainian State Security Service, pointed to the weeks of preparatory Russian cyberattacks before the actual invasion. He said, as reported by CyberScoop, "for us, it was like a full dress rehearsal." The Ukrainian services had an opportunity to assess the enemy's capabilities and to address their own vulnerabilities in advance of the onset of war. And he says they were able to make good use of the opportunity.

Traditional espionage and counterespionage during the hybrid war.

Dave Bittner: Traditional espionage run by intelligence officers working under diplomatic cover has grown somewhat more difficult for Russia during the present war. The Record quotes the head of Britain's MI6 as estimating that around half - roughly 400 in total - of the Russian intelligence officers operating in Europe have been expelled. Clearing compromised personnel from Ukrainian security and intelligence services is a more complex and difficult task. The Atlantic Council describes the challenges of expunging Russian sympathizers from the SBU Security Service and the Prosecutor General's Office. The heads of both agencies have been suspended, but reforming large agencies in wartime is like rebuilding a ship during a voyage. That said, Russian cyber-espionage attempts continue unabated. Palo Alto Networks Unit 42 early this week outlined evidence that Russia's SVR intelligence service had been actively abusing Google Drive to distribute malware in the service of cyber-espionage. TechCrunch observed that this isn't the first time the SVR has been observed making hostile use of legitimate web services. Mandiant had earlier seen the SVR using Dropbox for command and control. 

Conti's fate and effects. 

Dave Bittner: In the course of a discussion with Advanced Intelligence over the firm's study of Conti's attack against Costa Rican networks, Bleeping Computer offers a useful summary of what's happened to the gang. It's effectively rebranded through dispersal, its alumni now working for Quantum, Hive, AvosLocker, BlackCat and Hello Kitty gangs. Security Boulevard calls these splinter ransomware-as-a-service groups.

Investigating cut Internet cables in France. 

Dave Bittner: Back on April 27, parties unknown severed backbone cables in three distinct locations around Paris. The actions were separated in space but closely coordinated in time. WIRED reports that almost three months later, who cut the cables and why they did so remains unknown. Michel Combot, the managing director of the French Telecoms Federation, told WIRED, the people knew what they were doing. Those were what we call backbone cables that were mostly connecting network service from Paris to other locations in France in three directions. That impacted the connectivity in several parts of France. The cables were severed in ways that made them difficult to repair. But there are no obvious suspects and no obvious motive. 


Dave Bittner: And finally, KrebsOnSecurity offers a depressing follow-up to warnings the FBI issued back in April about a criminal trend that's come to be known indelicately as pig butchering. It's a romance scam that lures its victims to fraudulent cryptocurrency sites and then fleeces or butchers them. Losses are said to have ranged in the hundreds of millions of dollars. Krebs on Security explains the term pig butchering refers to a time-tested, heavily scripted and human-intensive process of using fake profiles on dating apps and social media to lure people into investing in elaborate scams. In a more visceral sense, pig-butchering means fattening up a prey before the slaughter. The scammers offer to mentor their marks in crypto speculation and, in the course of that mentorship, siphon off large amounts of cash. There's apparently an uglier than usual side to this form of organized crime. Many of the operators are people who've been trafficked and forced into the internet scam, which seems to be mostly run from underused casinos in Cambodia. 

Dave Bittner: KrebsOnSecurity notes four common elements of a pig-butchering caper. It often, but not always, begins with a dating app. According to Krebs, pig-butchering attempts are common on dating apps, but they can begin with almost any type of communication, including SMS text messages. From there, it moves to chatting over WhatsApp. There's no video used. The fraudsters always refuse to do a video call with their marks, and investment chitchat sets the hook. The scammers say they have inside knowledge of the cryptocurrency market, and they're eager to help their new friend make money. What follows can be easily imagined. 

Dave Bittner: Cloud computing and virtualization technology company VMware recently released the fifth edition of their report, titled "Modern Bank Heists: Looking at the Cybercriminal Ecosystem and How Defenders Can Best Prepare for Future Attacks." Tom Kellermann is head of cybersecurity strategy at VMware. 

Tom Kellermann: The genesis of this report was actually because of my work at the World Bank and the Treasury Security Team back in the early 2000s and the fact that we published the first ever book on the information security challenges facing the financial sector then. So it's always been my passion to understand what keeps the financial sector security leaders up at night. How are they changing their defensive strategies? And more importantly, how are the adversaries changing their modus operandi both from a cyberattack perspective but from an e-fraud perspective as well?

Dave Bittner: You know, I think if you say the phrase bank heist, I think a lot of us think of, you know, maybe an "Ocean's Eleven" kind of a scheme or, you know, an old Western Hollywood rendition of it. How do we define bank heists in this modern age? 

Tom Kellermann: Well, in this modern age, if you look at just the cyberattack itself, the bank heist has really become a hostage situation. The adversary is more likely trying to hijack the digital transformation of the financial institution and use its network, its website, its mobile banking app, its APIs it's built out for fintech to attack its customers. More importantly, the adversary is truly cognizant of what the crown jewels are for a financial institution. And those crown jewels are the nonpublic market information or the market strategies that the institution might leverage in the international markets, which is why the majority of institutions in this year's report noted that they saw evidence that the adversaries were targeting non-public market information and market strategies to enable to allow for digital front-running and digital insider trading.

Dave Bittner: Well, let's go through some of the key findings of the report together. What are some of the things that caught your eye? 

Tom Kellermann: Well, specifically, you know, the attack vectors writ large have shifted. The primary attack vector into financial locations today is not spearphishing. I know that sounds like it's sacrilegious. Application attacks are the primary attack vector, followed by previously deployed RATs - remote access trojans - that exist within the environment because of Linux-based ransomware and RATs writ large. The majority of institutions suffer from one over two ransomware attacks, and the majority paid ransom. But what was most interesting to me from an attack perspective was that 94% of them suffered attacks against APIs they built out for fintech, and those APIs were used to hijack the environment itself.

Dave Bittner: How are the financial institutions doing in this kind of cat-and-mouse game here? I mean, is there a sense that they're ahead of the bad guys? Are they gaining ground? Where do we stand? 

Tom Kellermann: I mean, they've definitely decreased dwell time and time to resolution. With that being said, the adversaries still exist within the environment for days. You have to accept that based on their revenues and based on what they spend on technology and cybersecurity, they're still spending less than 12% of their IT budgets on cybersecurity. But they intend on increasing that cybersecurity budget by, on average, 25% this coming year. So it really speaks to - this has become a matter of great importance for safety and soundness and sustainability of the brands.

Dave Bittner: And one of the things the report points out is that a majority are concerned with security on cryptocurrency exchanges. I'm curious. You know, to what degree does cryptocurrency enable these sort of heists? 

Tom Kellermann: OK. So there's two parts to that question. First of all, we have to accept the fact that, you know, financial institutions of today are trying to become technology companies. And in doing so, they're trying to reach out to the modern generation space retail customer base by providing access to virtual currencies and storage of virtual currencies as well. And in the majority of those cases, they partner with smaller fintech firms. And the first step in that process is building out an API. And this is why you're seeing this surge of API attacks into these institutions. This is compounded by the fact that the majority are paying ransom when they're ransomed on average, you know, roughly two times a year. And that's highly problematic because they're feeding the beast. But what I would point out here is not all virtual currencies and exchanges are equal in terms of how they pay attention to security, their investment in security or their desire to align with the principles of FATF, the Financial Action Task Force.

Dave Bittner: So based on the information that you all have gathered here, what are your recommendations? 

Tom Kellermann: Well, we need to really understand that the adversary is already within the environment. So given the fact that the adversary is in the environment, at some point, there's no way to be 100% preventative vis-a-vis. You've got nation-state adversaries working with cybercrime cartels to offset economic sanctions. They will get in. But when they get in, can you defend from within? And I think defending from within is all about making sure that you can achieve intrusion suppression. So can you detect, deceive, divert, contain and hunt an adversary, unbeknownst to the adversary? Because you don't want an escalation to a destructive attack, which are increasing dramatically. So you have to integrate your network detection response capabilities with your endpoint detection response capabilities. You have to apply micro-segmentation. You should automate vulnerability management, particularly for outward-facing critical vulnerabilities as defined by CISA. I do believe in the use of deception and decoy technologies. Along attack paths that can't be hardened, you should activate application control and high enforcement. Conduct weekly threat hunting that extends to the C-level, that extends to the administrative assistants of the C-level, even though that sounds taboo, and use that as justification for prioritization for cybersecurity investments, and really, really focus on DevSecOps and API security. And finally, ensuring that your backups are immutable and viable and periodic in nature will be quintessentially important given the fact that most financial institutions suffered a destructive cyberattack this past year.

Dave Bittner: That's Tom Kellermann from VMware. There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro, and sign up for Interview Selects, where you'll get access to this and many more extended interviews.

Dave Bittner: And joining me once again is Bryan Vorndran. He's assistant director from the FBI's Cyber Division. And we're also joined by Deputy Assistant Attorney General Adam Hickey. Gentlemen, welcome to the CyberWire. 

Bryan Vorndran: Thanks, Dave. 

Adam Hickey: Good to be here. 

Dave Bittner: Bryan, let me start off with you here. I know you and your colleagues have been doing some work lately regarding reverse webshells, Hafnium. Can you bring us up to date? What's going on? 

Bryan Vorndran: Sure, Dave, and thanks for the opportunity to join with you today. You know, back in 2020, there was a broad vulnerability identified in the Microsoft Exchange server. It really came to light at the end of 2020 but really received its first public disclosure in early January of 2021. And essentially, the Chinese state-sponsored group known as Hafnium had installed tens of thousands of PowerShells in computers and servers here in the United States that posed a huge vector for potential attack - very interesting tradecraft by the adversary that exposed a lot of computers and servers and put us in a position not only with Microsoft, but with our partners at CISA and NSA, to take some unique action. Looking forward to talking about that with you today. 

Dave Bittner: Well, let's dig right in, then. What are some of the actions that you all took there? 

Bryan Vorndran: First disclosure of the vulnerability was really identified by Microsoft on approximately January 2 of 2021. Moving into early March of that year, March 3 to be specific, Microsoft published another advisory. And they actually credited the vulnerability - the location of the vulnerability to DEVCORE. But then on March 10, the FBI and CISA published a joint cybersecurity advisory titled "The Compromise of the Microsoft Exchange Server," which really highlighted the vulnerability and how to mitigate that vulnerability. 

Bryan Vorndran: So I think when we have these types of opportunities, we very much look at it to move from least intrusive to most intrusive in terms of investigative or operational techniques that we can deploy to essentially mitigate the attack surface that the adversary has access to. So in this case, Microsoft disclosed their vulnerability. Then the cybersecurity advisory that was joint between the FBI and CISA further allowed owners of those computers or affected servers to take mitigation steps. But then on the backside of that, the FBI conducted thousands of victim notifications to try and reduce that attack surface even further. So between the Microsoft disclosure in early January of that year, the cybersecurity advisory and the thousands of victim notifications, the FBI essentially was able to work with CISA and others to reduce the attack surfaces through those PowerShells by about 90 to 95%, but that left still between 5 and 10% of the attack surface available to the adversary. 

Dave Bittner: We're joined by Deputy Assistant Attorney General Adam Hickey. Adam, what part does the DOJ have to play in an effort like this? 

Adam Hickey: So around the time that Bryan's talking, there's going to be constant communication between the FBI Cyber Division and the relevant component of the Justice Department, where the lawyers are going to provide legal advice. And that, in this case, was the National Security Division. And we're going to be monitoring the threat reporting along with them. We're going to be monitoring the advisories that go out and the impact that has on the public and where we stand at a certain moment in time. And the FBI is going to ask us, what more can we do? Is there more we can do? And we're going to ask them, do you have a capability? And we're going to look at the capability they develop. And we're going to look at the law and what the law requires. And if there's a match, we may be in a position to take action that fully remediated or more fully remediate the problem. 

Dave Bittner: Can you walk us through this particular example, you know, both of you? How does this one play out, and where do we stand today? 

Bryan Vorndran: Sure. Dave, it's Bryan. And I'll start with that. You know, as we were left with between 5% and 10% of the attack surface left, we really come to a question of, do we have the authorities and the technical capability to mitigate the rest of the vulnerable computers or servers that are being used or could be used by the adversary, in this case, China? And the answer to that in this case was, yes, we have the authority through Rule 41, and we have the capabilities through some really, really good technical skills we have in our field offices and here at headquarters. 

Bryan Vorndran: And so in this particular scenario, we leverage our Rule 41 authority and a technical operation to essentially seek a court order, a standard warrant, to remove the remaining web shells. And in this case, what we did is we copied the web shell so that we were able to maintain it for evidentiary purposes. And then we essentially deleted the web shell. And by deleting the web shell, we essentially broke the communication or the vector of attack that was available between the actor - the Chinese government - and the computers they had installed the powershell on. So just really good work by the FBI and by DOJ finding the authority to do this work and then developing a very, very advanced technical tool to actually deliver the result. But I think it would be worth, Adam, talking briefly about Rule 41 and our authorities and how they apply to this type of operation. 

Adam Hickey: Sure. And I think to do that, I think we have to also add a third element to this operation, which is a source that was able to help us out with identifying the file paths of the web shells on the victims' computers. And that is probably one - this gets at one of the reasons why public notification wasn't sufficient in this case. Every one of the web shells had a unique file path as a dynamic address, if you will, such that we couldn't put out a standard one-size-fits-all advisory to the public that says, look here; look in this folder; look for this particular sequence of characters. That's how you'll find the web shell.

Adam Hickey: Instead, we were fortunate that we had information from a source that advised us what those file paths were. And that allowed us to go to the court and say, look, we have probable cause to believe that this evidence and also instrumentality of a crime is located on these victims' systems and ask the court for a warrant, as we wouldn't in another comparable case in the physical world, allowing us to seize, effectively, the web shell, to search it, to copy it and then to delete it. 

Dave Bittner: And, Bryan, are you satisfied, as you look back on this activity, that the things played out the way that you hoped that they would? 

Bryan Vorndran: Yeah, we really are. I think it's a great opportunity for the department and for the FBI to really leverage the unique authorities we have in the cyber ecosystem within the intelligence community and the interagency and the overlap with private sector. And you couple that with just great work by some of our agents and computer scientists in the field at headquarters to develop the technical capability to do this work, knowing we were left with this attack surface and owing to the American public a responsibility to behave in their best interest, not only within the policies and procedures and laws that we operate within to protect the American public's rights, but also to eliminate an attack vector from a very, very sophisticated adversary. We're very, very happy with the results because we feel we completely eliminated that threat at that time. 

Dave Bittner: All right. Well, assistant director Bryan Vorndran from the FBI's Cyber Division and Adam Hickey, deputy assistant attorney general at the Department of Justice, thank you for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at Be sure to check out this weekend's Research Saturday and my conversation with Rob Pandazopoulos from Secureworks. We're discussing their work, "REvil Development Adds Confidence About GOLD SOUTHFIELD Reemergence." That's Research Saturday. Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.