The CyberWire Daily Podcast 8.18.22
Ep 1644 | 8.18.22

BlackByte’s back, as BlackByte 2.0. Iranian cyber ops against Israel. Wipers and cyberespionage as tools in Russia’s hybrid war. Cyber war clauses coming to cyber insurance policies.


Dave Bittner: BlackByte is back. Iran is suspected of cyber operations against four Israeli sectors. A look at wipers as a tool in hybrid war. A Russian cyber ops scorecard. Josh Ray from Accenture on how dark web actors are focusing on VPNs. Our guest is Corey Nachreiner from WatchGuard with findings from their latest Internet Security Report. And cyberwar clauses are coming to cyber insurance policies. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, August 18, 2022.

BlackByte is back, and calling itself BlackByte 2.0.

Dave Bittner: BleepingComputer reports that BlackByte ransomware has reappeared and represents an enhanced double-extortion threat to personal data. The gang has launched a new data dumpsite with a focus on individual victims. BleepingComputer writes, the data leak site only includes one victim at this time but now has new extortion strategies that allow victims to pay to extend the publishing of their data by 24 hours for $5,000, download the data for $200,000 or destroy all the data at $300,000. These prices will likely change depending on the size and revenue of the victim. BlackByte hasn't been without problems of its own. In its earlier version, the gang's code had flaws that permitted white hat researchers to develop and distribute a free decryptor. BlackByte closed that particular hole, and it's unknown whether they're using that improved cryptor in BlackByte 2.0. This time around, payment seems to be a problem. The bitcoin and Monero addresses offered for victims to submit payment aren't correctly embedded, which for now, at least, will impede collection of ransom. BlackByte, by the way, cynically refers to its victims as customers. 

Iran suspected of cyber operations against four Israeli sectors.

Dave Bittner: Mandiant reports that UNC3890, a cluster of activity targeting Israeli shipping, government, energy and health care organizations via social engineering lures and a potential watering hole, is playing a role in the low-level naval conflict currently observed between Iran and Israel. The attribution of UNC3890 to Iran is in part circumstantial. But Mandiant applies that attribution with moderate confidence. The evidence falls into four categories. Linguistic - UNC3890 developers use Farsi words in their strings. Targeting - there's a focus on Israeli targets, which is consistent with Iranian interests. The program database, or PDB, path - this is the same as has been observed in activity by UNC2448, which is attributed to the Islamic Revolutionary Guard Corps. Also, the C2 framework - UNC3890 uses the NorthStar C2 framework, which has been an Iranian favorite. The threat actors' initial approach has typically been via social engineering. Its interests seem, so far, to have involved intelligence collection, but this could be used in subsequent operations that go beyond espionage. Mandiant says, while we believe this actor is focused on intelligence collection, the collected data may be leveraged to support various activities from hack-and-leak to enabling kinetic warfare attacks like those that have plagued the shipping industry in recent years. 

Wipers as a tool in hybrid war.

Dave Bittner: VentureBeat yesterday summarized expert opinion on the way in which wipers in particular have emerged as a disturbing class of malware during Russia's war against Ukraine. One of their sources, Fortinet's Global Threat Landscape Report for the first half of 2022, explained how this had come to be, describing wiper attacks as a distinctive feature of Russian hybrid warfare. The researchers write, security researchers believe, but have not always been able to attribute with confidence, that groups aligned with Russian military goals were behind many of the wiper attacks in Ukraine during the first half of 2022. The wiper attacks were not as discriminating as one would wish a proper weapon to be. Their effects spilled over into countries other than Ukraine, the intended target.  

Dave Bittner: AcidRain was particularly unconstrained. Wipers have been seen before, and Fortinet says that security teams can expect to see them again, writing, the attacks in Ukraine have shown how this malware can be used to degrade and disrupt critical infrastructure capabilities and services to support broader kinetic warfare goals. But that is not the only threat. Shamoon showed how wipers can be used as weapons of cyber sabotage, and other variants, such as NotPetya and GermanWiper from 2017, showed how adversaries can use wipers as fake ransomware to try and extort money from victims. 

A scorecard for Russian cyber ops during the special military operation.

Dave Bittner: Trustwave's SpiderLabs this morning offered an overview of Russian offensive cyber operations so far in the war against Ukraine. They associate distinct threat actors with the three principal Russian security and intelligence organizations - the SVR foreign intelligence service and the FSB security service, both daughter organizations of the old Soviet KGB and the GRU military intelligence service. 

Dave Bittner: The associations the researchers track are as follows - APT28, also known as Cozy Bear, or The Dukes, which has ties to the Russian Foreign Intelligence Service, the SVR. APT29, also known as Fancy Bear or Sofacy, was traced to the main directorate of the General Staff of the Armed Forces of the Russian Federation, which is former GRU Unit 26165. Sandworm, also known as BlackEnergy, was tied to the main directorate of the General Staff of the Armed Forces of the Russian Federation, the GRU, unit 74455. Dragonfly, also known as Energetic Bear or Crouching Yeti, was identified as the Russian Federal Security Service, the FSB, unit 71330. Gamaredon, also known as Primitive Bear or Armageddon, traced to the Russian Federal Security Service, the FSB, in November 2021. The security service of Ukraine successfully identified individuals behind Gamaredon confirming their ties with FSB. 

Dave Bittner: The study divides Russian cyber operations into two broad categories distinguished by their objectives. Some aim at destruction while others aim at collection or espionage. The destructive attacks began as hostilities opened on February 24, 2022, and continued into early April. Cyber-espionage began to intensify about a week into the war and has continued through the present. Interestingly, some of the cyber-espionage has been conducted by privateers, criminal gangs operating in the interest of the Russian state. SpiderLabs says without a doubt, sophisticated cyber weapons are key tools in the arsenal of a modern military, and the amount of global cyberwarfare will likely increase in the future. 

Cyber war clauses coming to cyber insurance policies.

Dave Bittner: And finally, Insurance Day reports that Lloyd's Marketing Association has mandated that all cyber insurance policies must, by March 31 of next year, contain an explicit clause excluding liability for losses arising from state-backed cyberattacks. That clause would be in addition to the typical war clauses that have long excluded coverage of losses caused by action in a conventional war. The requirement for an explicit exclusion of liability for state cyber action seems to recognize the growing risk of grey zone conflict. Insurance Day quotes Lloyd's as explaining, "it is important that Lloyd's can have confidence that syndicates are managing their exposures to liabilities arising from war and state-backed cyberattacks. Robust wordings also provide the parties with clarity of cover, means that risks can be properly priced and reduces the risk of dispute. The ability of hostile actors to easily disseminate an attack, the ability for harmful code to spread and the critical dependency that societies have on their IT infrastructure, including to operate physical assets, means that losses have the potential to greatly exceed what the insurance market is able to absorb." Read and heed, customers. As Mr. Tom Waits would say, the large print giveth, and the small print taketh away. 

Dave Bittner: Corey Nachreiner is chief technology officer at network security and intelligence firm WatchGuard. They recently released their Q1 2022 Internet Security Report. And Corey Nachreiner joins us with the details. 

Corey Nachreiner: Ransomware - I think everyone's sick of hearing it. I'm certainly sick of having to talk about it. We all probably know what ransomware is at this point. But what has been happening over the past three years is when ransomware started, it was a high-volume attack where threat actors were kind of ubiquitously spamming it to everyone. They didn't care if it was a grandma in Kansas, the executive of Coca-Cola or whoever. They just spammed it in high volume, hoping people would fall for it. And if they could infect even 0.01% of the folks they spam, that would be a way of them making ransom. And because they were spamming everyone, they would only ask for - I say only, it's still horrible - they'd ask for about $500 worth of cryptocurrency. But what happened over the past seven years is we've gotten pretty good at catching the basic ransomware as the industry, and people are more aware of it. 

Corey Nachreiner: So nowadays, ransomware has gone to what I call big game ransomware, where rather than just ubiquitously spamming it out, the bad guys kind of will find a certain type of target, a type of organization that really has high real time need for their data. So health care, if you don't have patient records, you can't do surgery. Manufacturing, if you can lock up the human interface devices that deal with the manufacturing network, you stop the manufacturing line. Governments and even service providers that have a lot of customers, they would target them. And they would do more manual sophisticated attacks to breach their network. And instead of just installing ransomware to one victim, once they broke into the network, they would spend time to position the ransomware everywhere and synchronize to turn it on all at once. And so that's why it's called big game. They're going after certain big companies. And when they infect you, it infects most of your computers, as many as they can get to in their earlier infiltration of your network. And that really locks up those organizations. 

Corey Nachreiner: And it's turned ransomware into this situation where you hear about these big companies getting hit, and they're getting ransoms of 5 to $15 million. So the reason I say all that is in previous reports, ransomware has been going down. And every report before, Q1, you know, throughout 2020, our ransomware stats have been lowering quite a bit - in fact, drastically - because we think the high-volume ransomware has not been a big success for them. And they've moved to big game. But that is what changed in Q1. For the first time in quite a while, ransomware rose significantly. In fact, just in the first quarter of 2022, we've already seen 80% of the ransomware that we saw for the entire year of 2021. So the takeaway is ransomware is definitely picking up. We believe this is probably due to a few things, but one of them is just perhaps they're starting to go back to that ubiquitous spammed target. So this is likely not the big game. This is them spamming it out again. 

Dave Bittner: Was there anything in the report that you found particularly surprising or unexpected? 

Corey Nachreiner: I would say the ransomware definitely comes up. It's not surprising. That's one of the biggest things. I will say something I'm not surprised about, but I didn't really - I wasn't looking for it in this report was the return of Emotet. I don't know if your listeners have heard of Emotet, but Emotet was... 

Dave Bittner: Sure. 

Corey Nachreiner: ...Or is a well-known botnet. Of course, a botnet is a piece of malware that infects - bad guys try to infect a ton of computers with it and then control all of those computers together through a command-and-control channel. Emotet - and just about a year ago, the main group behind Emotet had their botnet taken down by the authorities globally. You know, I think it was the U.S. FBI and many others took down Emotet's infrastructure. And while that was fantastic, we were very happy about that, and that lowered Emotet for a while, we did release a blog post a month after, which is why this doesn't completely surprise me that, hey, fantastic that they took down this botnet, but don't think Emotet is gone. And the reason we say this is botnets tend to trade on the underground. 

Corey Nachreiner: You know, sometimes botnets have been evolving over a year. Sometimes source code of certain botnets have leaked and those turn into slightly new variants of botnets that share source. Even when a group like Emotet doesn't sell the source of their botnet, they often will actually sell the binaries in the platform for other attackers. So in our blog post about a year ago, we warned that, hey, it's great that they took this takedown, but at some point, another group is going to form, or maybe the ones that weren't caught will reform, and you should expect it to return but with slightly different variants. So while the return wasn't entirely surprising, I didn't expect it in Q1 that we actually saw Emotet all over our report again. So Emotet has definitely returned. We have a number of different top 10 lists, some based purely on volume, some based on how many different customers the malware touches, which we call widespread. And Emotet was in three of those - it was on those lists three different times, and each one was a slightly different variant. So just for your listeners, when we say there's - Emotet's returning, it could be three different groups with slightly different adjusted variants of Emotet. But the main takeaway is Emotet is back kind of as we expected a year ago. We love that the authorities - when they do take down these command-and-control channels, they often will catch and arrest some of the group members, too. That's a fantastic thing. But you should never expect the bot to go away just because of that. 

Corey Nachreiner: So what's the takeaway here? Well, the takeaway is to use more proactive malware detection. Obviously, WatchGuard has products I could talk about that have this, but there's others out there. But besides signatures, now there's more proactive detections. There's things like machine learning that has new ways to more proactively, even without a researcher, tell that a brand-new piece of malware is actually malware based on lots of, you know, big data indicators it's seen in previous infections. There's behavioral analysis, which is very hard for evasive malware to get past because malware can change the way it looks on a binary level, but it can't change what it does in order to do its bad stuff - so behavioral analysis, where we literally run it in a safe sandbox environment and look for the bad behaviors to catch it. So make sure you're using some sort of anti-malware protection, whether it's network- or endpoint-based, that has those more proactive detection techniques. And the final thing there is also EDR. In a lot of endpoint solutions - which, you know, a lot of people call it AV, but nowadays it's endpoint protection and endpoint detection and response - EDR is that endpoint detection and response. Besides just trying to prevent the malware from reaching the endpoint, endpoint detection response will actually pay attention to things that are happening on your computer as they happen. So if malware does start to run and maybe is trying to use malicious PowerShell or something like that to do something bad, EDR can quickly stop that from happening. So definitely look at, you know, anti-malware solutions that have proactive detection and consider EDR, endpoint detection and response, which comes with a lot of endpoint protection suites out there nowadays, including WatchGuard's. 

Dave Bittner: That's Corey Nachreiner from WatchGuard. 

Dave Bittner: And joining me once again is Josh Ray. He is the managing director and global cyberdefense lead at Accenture. Josh, always great to welcome you back. 

Josh Ray: Dave, thanks so much for having me. 

Dave Bittner: You and your colleagues have been looking at some activity on the dark web and some particular things that those folks are focusing on. What can you share with us today? 

Josh Ray: Yeah, Dave, this is, I think, going to be interesting for folks across all industries and especially those security companies that are producing VPN security products. And what we've seen is really a significant increase and kind of upward trend of targeting VPN-type of vulnerabilities as the primary target. And while this is not necessarily, you know, completely new, it's a significant uptick because of, really, the demand for these VPN exploits has really increased. We've seen the demand increase in 2021, which has obviously just led to, here in 2022, actors developing much more - many more exploits for those vulnerabilities. 

Dave Bittner: Why do you suppose we're seeing, you know, VPNs, and why now? Why do they have the crosshairs on them? 

Josh Ray: Yeah. I mean, I think as folks know, you know, once you have VPN access, you're basically trusted inside the network. And I think, you know, the demand is obviously starting to drive this. And just about a month ago, I was talking to Paul Mansfield, who looks at this quite a bit. And he saw that one particular user offered up a half a million dollars for a VPN exploit. And that is not insignificant money when you're talking about trying to gain access to a particular type of technology and end target. 

Dave Bittner: What is your advice to folks out there who are making good use of VPNs in terms of just making sure they're on top of this? 

Josh Ray: Well, I think obviously having visibility into this space to understand, you know, what is being targeted, you know, is first and foremost. But I was talking to one of our folks that does, you know, our adversaries simulations. And, you know, he was kind of walking me through, you know, an example or a hypothetical, you know, where you come up against a particular target and maybe they have their perimeter really locked down. And then you start to kind of think about different ways - and this is how a threat actor would also think - to target a subsidiary. And again, we've talked a lot about third-party risk together, but again, it kind of brings it to light here. 

Josh Ray: By targeting a subsidiary, you can then very easily piggyback on that VPN connection to the end target or the mothership. And this is a really, you know, very pragmatic example of how, you know, threat actors are doing. And one of the things that we recommend to clients quite a bit is micro segmentation, because even our own adversary team, when they come up against a segmented network that really has some very strong ACLs in place, it makes it really difficult for the threat to move laterally. So that would be, I think, one specific thing that I think that net defenders could do to help defend against this type of threat, along with the increased visibility into what the threat actors are looking to do and the wares that they're trying to sell. 

Dave Bittner: Can we just quickly just address VPNs in general? I mean, I think it's one of those categories that, while folks recognize the necessity of it in many situations, because there are operators out there who aren't the best, it also - VPNs can suffer from that reputation as well. 

Josh Ray: Yeah, that's correct. I mean, you know, the product security component is obviously very important, right? But I think also, when you're talking about, you know, doing the kind of the care and feeding and the hygiene, but just to know that, you know, there are threat actors out there that are willing to pay top dollar now for exploits to particular types of vulnerabilities. And we've seen it, again, across all product suites. So no vendor is really immune from this. And they're using this as a means to target organizations across all industries. So I think it's definitely something that, you know, really warrants continued focus and attention from the net defense community. 

Dave Bittner: Are there particular questions that folks should be addressing with their VPNs suppliers? 

Josh Ray: Well, first and foremost, I think, you know, that the whole thing around software bill of materials - and we've talked about that - understanding kind of what their continuous, you know, patch cycles are, making sure that, you know, they've got a very close relationship with their VPN providers and asking them questions like, hey, are you looking at some of these emerging threats in the darknet? And what are you doing to help, you know, take (inaudible) measures to defend against it? 

Dave Bittner: All right. Well, Josh Ray, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. 

Dave Bittner: Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.