The CyberWire Daily Podcast 9.28.22
Ep 1672 | 9.28.22

DDoS remains commonplace in Russia's hybrid war. Leaked LockBit 3.0 builder used by new gang. Meta takes down Russian disinfo networks. Lazarus Group goes spearphishing. Cloudy complexity.


Dave Bittner: DDoS remains the most characteristic mode of cyber ops in Russia's hybrid war against Ukraine. A leaked LockBit 3.0 builder is being used in ransomware attacks. Meta takes down Russian disinformation networks. The Lazarus Group is spear phishing with bogus job offers. Joe Carrigan looks at SNAP benefit scams. Our guest is Crane Hassold of Abnormal Security with the latest in advanced email attack trends. And the cloud - it's complicated.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 28, 2022. 

DDoS remains the most characteristic mode of cyber ops in Russia's hybrid war against Ukraine.

Dave Bittner: DDoS remains the go-to mode of cyber ops in Russia's hybrid war against Ukraine. Concerns about attacks against critical infrastructure may be rising, but other more commonplace cyberattacks remain typical in the hybrid war. NETSCOUT's DDoS Threat Intelligence Report for the first half of 2022 indicates that distributed denial-of-service attacks have remained the typical tactic Russian cyber operators have used against targets in Ukraine and especially against targets in countries sympathetic to Ukraine. It's also been one of the characteristic techniques employed against Russian sites. NETSCOUT's report reads in part, as Russian ground troops entered Ukraine in late February, there was a significant uptick in DDoS attacks targeting governmental departments, online media organizations, financial firms, hosting providers and cryptocurrency-related firms, as previously documented.

Dave Bittner: However, the ripple effect resulting from the war had a dramatic impact on DDoS attacks in other countries. Some examples, the report points out, include the number of attacks against Ireland increased when it provided services to Ukrainian organizations. Following its abstention from the U.N. Security Council and General Assembly resolutions denouncing Russia's conduct in Ukraine, India noticed a discernible rise in DDoS attacks. Taiwan experienced its single-highest number of DDoS attacks on the same day as Belize after publicly endorsing Ukraine. When Finland announced that it will be applying for NATO membership, DDoS attacks increased by 258% year over year. DDoS attacks connected to Killnet - a gang of cyberattackers allied with Russia - were directed at Poland, Romania, Lithuania and Norway. Russia experienced a nearly three times increase in daily DDoS attacks since the conflict with Ukraine began and continued through the end of the reporting period, according to the report. 

Leaked LockBit 3.0 builder used in ransomware attacks. 

Dave Bittner: While the frequency and severity of DDoS attacks in North America remained relatively consistent, satellite telecommunications providers experienced an increase in high-impact DDoS attacks, especially after providing support for Ukraine's communications infrastructure. It's not all DDoS in the hybrid war, however, especially not where criminal interests intersect or coincide with combat support. There are also signs, for example, of increased ransomware attacks against Ukrainian targets. Researcher Vladyslav Radetsky reports that the Bl00dy gang has used the LockBit 3.0 builder leaked last week to deploy malicious code in that country. Bleeping Computer says that Bl00dy, a relatively new gang, doesn't seem to do much development of its own, preferring to repurpose tools leaked or abandoned by other groups. Those have included Babuk, Conti and now LockBit. 

Meta takes down Russian disinformation networks. 

Dave Bittner: Meta, the corporate parent of Facebook, Instagram and WhatsApp, announced yesterday that it had taken down two networks, one Russian, the other Chinese, for engaging in coordinated inauthenticity. The networks are unrelated. The Russian disinformation operation, Meta said, was unusually large, well-constructed and focused on disseminating Russian propaganda concerning the war against Ukraine. Meta stated, the Russian network, the largest of its kind we've disrupted since the war in Ukraine began, targeted primarily Germany, France, Italy, Ukraine and the U.K., with narratives focused on the war and its impact through a sprawling network of over 60 websites impersonating legitimate news organizations. 

Dave Bittner: The legitimate news organizations impersonated included Spiegel and Bild in Germany and The Guardian in the U.K. The impersonations were carefully and convincingly executed and were done so at apparently considerable expense. The stories carried in them to a considerable extent concentrated on disinformation, charging Ukraine with responsibility for Russian atrocities committed in Bucha and elsewhere. They were often amplified by Russian social media channels, including accounts belonging to Russian diplomatic missions. And they also engaged in pushing petitions designed as AstroTurf support for Russian interests. Given the amount of care, talent and expense devoted to establishing and maintaining the inauthentic networks, it's noteworthy that the stories they pushed lacked legs. They did not achieve widespread acceptance, and they were generally dismissed soon after publication as disinformation. That experience may suggest the limitations of coordinated inauthenticity. It tends to be less successful when it seeks to persuade than when it aims simply to confuse. 

Lazarus Group is spearphishing with bogus job offers. 

Dave Bittner: Researchers at SentinelOne warn that North Korea's Lazarus Group is using phony job offers to distribute macOS malware. The researchers aren't sure how the lures are being distributed, but they suspect the attackers are sending spearphishing messages on LinkedIn. SentinelOne notes that this campaign appears to be extending the targets from users of crypto exchange platforms to their employees in what may be a combined effort to conduct both espionage and cryptocurrency theft. So apparently, it's a twofer, combining espionage with financially motivated crime. This isn't Pyongyang's first use of bogus job offers as phishbait, and it's unlikely to be the last.

It's complicated... in the cloud.

Dave Bittner: And finally, what's the internet weather forecast? Cloudy with a high probability of complexity. A study by Venafi has found that 81% of organizations have sustained a cloud-related security incident within the past 12 months, while 45% experienced four incidents over the past year. The report says, the underlying issue for these security incidents is the dramatic increase in security and operational complexity connected with cloud deployments. And since the organizations in this study currently host two-fifths of their applications in the cloud but expect to increase to 57% over the next 18 months, this complexity will continue to increase. Kevin Bocek, Venafi's vice president of security strategy and threat intelligence, stated, attackers are now on board with businesses' shift to cloud computing. The ripest target of attack in the cloud is identity management, especially machine identities. Each of these cloud services, containers, Kubernetes clusters and microservices needs an authenticated machine identity, such as a TLS certificate, to communicate securely. If any of these identities is compromised or misconfigured, it dramatically increases security and operational risks.

Dave Bittner: Bocek added that part of the problem is a lack of consensus on who is responsible for the security of cloud-based applications - stating, security teams want to collaborate and share responsibility with the developers who are cloud experts, but all too often they are left out of cloud security decisions. Developers are making cloud native tooling and architecture decisions that decide approaches to security without involving security teams. And we can already see the results of that approach. Security incidents in the cloud are rapidly growing. 

Dave Bittner: Coming up after the break, Joe Carrigan looks at SNAP benefit scams. Our guest, Crane Hassold of Abnormal Security has the latest in advanced email attack trends. Stay with us.

Dave Bittner: The team at Abnormal Security recently released their H2 threat report detailing the latest advanced email attack trends, including increases in business email compromise, the evolution of financial supply chain compromise and the rise of brand impersonation in credential phishing attacks. Crane Hassold is director of threat intelligence at Abnormal Security. 

Crane Hassold: Yeah. So I think one of the big things that really caught my eye was the sort of - the more frequent use of social media brands in phishing attacks. And while, you know, social media, you know, using something like LinkedIn or Facebook or even Instagram and things like credential phishing attacks, you know, have been around for a number of years, what's really interesting is now we're starting to see the use of these brands in other types of attacks as well, things like just plain old BEC attacks, business email compromise attacks. What's really interesting, we've started to see some groups start injecting things like LinkedIn into their initial lures to make it look like they're trying to get a LinkedIn invoice paid for or something like that. And so we're starting to see this transition into using more robust or comprehensive pretexts within the initial emails that a lot of these cybercriminals are sending to their targets. 

Dave Bittner: And what do you suppose is driving this increase? I mean, is it fair to call it sophistication? 

Crane Hassold: I think it's sophistication. I think it's also adaptation. I think it is - you know, we see this constantly throughout the years where you see different threat actors trying new and sometimes really obscure things to see what will stick and what won't stick. But I think when you look at something like - when we see the emergence of trends like this sort of at a larger scale, when more and more actors start jumping on this bandwagon, we know that a lot of these cybercriminals will communicate with each other in underground networks. And so it seems to me that it has - sort of there's been a proven success rate to using some of these different pretexts in the initial attacks. And so when we see something like the emergence of an overarching trend like this, it sort of, you know, speaks to me that it seems to be working at least. And they're getting enough ROI to make it worth it for them to continue using it. 

Dave Bittner: So what are your recommendations, then, for folks to best protect themselves against this? 

Crane Hassold: Yeah. So, you know, whenever we're looking at cyberattacks today, you know, most people think of cyberattacks as these technically sophisticated things when in all reality, more and more commonly they're nothing more than behavioral exploitation. And we're seeing more and more of these attacks that are using nothing more than just basic text to try to persuade a target or an employee to do something they wouldn't otherwise do. So first and foremost, making sure that you have defenses in place that are able and equipped to defend against this sort of new age of cyberthreats that aren't technically sophisticated. They're not using, you know, malicious attachments. They aren't always using malicious links. It's just pure social engineering - so making sure that you have defenses in place that are equipped and able to defend against those attacks, and then also making sure that you have good processes in place to make sure that, you know, if a request does come in from someone who may be impersonating an internal employee or even an external third party, which we've been seeing more and more of recently, to make sure there's a process in place to validate those requests. 

Dave Bittner: And what kind of things are we talking about specifically? I mean, to what degree are there technical solutions? And to what degree, as you mention, you know, is this a matter of just putting procedures in place to make sure that, you know, for example, more than one set of eyes get put on something before a check is written? 

Crane Hassold: Yeah, absolutely. So from a technical perspective, it's all about sort of changing the way that we think about email defenses. You know, it used to be, you know, in the old days, about 20 years ago, when, you know, email defenses first started evolving, it was all about sort of using these static indicators of compromise to identify malicious artifacts. But now, because those don't really work based on this new age of cyberthreats, it's more about using things like machine learning and AI and behavioral analytics to sort of look at identities and relationships and language that's being used and sent from the sender to the receiver and making sure that those, you know, from - especially when we're talking about things like impersonation attacks, which are a majority of the attacks that we see today, those are the tactics and techniques that we can use to identify those malicious emails when they come in. The general public doesn't really know about those types of threats, even though they are easily the No. 1 cause of financial loss for businesses all over the world. And so we've been seeing this transition from, you know, technical attacks like malware-based attacks, ransomware that gets all of the news, to things like more pure social engineering attacks like social engineering. I think that's definitely going to continue becoming more and more of a problem over the next few years. 

Crane Hassold: But one of the things that we have started seeing, which I think is an interesting trend within the BEC threat landscape, is we've started to see a transition away from the internal classic and executive impersonations towards more external third-party impersonations in these BEC attacks. That's something that we've seen really since the beginning of this year. Starting in January, more than half of all of the BEC attacks that we've seen have impersonated external third parties, which is really notable considering the fact that since its inception, BEC has essentially been known as CEO impersonation attack, CEO spoofing attacks. And to see these threat actors really start evolving into impersonating external entities obviously shows that they're likely making more money from those attacks. And it's also - sort of goes against the training that we tell people to look out for when it comes to things like BEC. Because most BEC training, security awareness training, focuses on looking out for that weird email from the CEO that's asking for gift cards. But now you have these more sophisticated attacks that are impersonating known vendors, that are compromising email accounts and using language that is totally normal, doesn't include those spelling and grammatical errors, makes them much more realistic and much more impactful when they are successful.

Dave Bittner: That's Crane Hassold from Abnormal Security discussing their recently released H2 threat report. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Interesting story came by. This is from the Baltimore Banner, and it's written by Brenna Smith. And it's about a woman who got almost $3,000 of her SNAP benefits, which is the modern version of food stamps. So these are... 

Joe Carrigan: Supplemental nutrition and payment. 

Dave Bittner: ...Sounds good. 

Joe Carrigan: Right. 

Dave Bittner: But yeah, I mean, basically it's for people who need a little help from the state. I think generally these are federal funds that get distributed to the states. And then these days, they get sent to people on basically what amounts to a debit card. 

Joe Carrigan: Right. 

Dave Bittner: So what's going on here? 

Joe Carrigan: It's called an EBT card, an electronic benefit transfer card. 

Dave Bittner: Yeah. 

Joe Carrigan: So the woman in the story is named Renee, and she's only using her first name. 

Dave Bittner: Yeah. 

Joe Carrigan: And she is a nursing assistant who has children and needs these SNAP benefits. By the way, SNAP stands for Supplemental Nutrition Assistance Program. 

Dave Bittner: OK. 

Joe Carrigan: It's, like you said, essentially food stamps, but we don't have stamps anymore. Now we have these EBT cards. 

Dave Bittner: Right. 

Joe Carrigan: She got her benefits turned off for some reason and had to reapply for them. And when she reapplied for them, they gave her back benefits, which resulted in a substantial balance on her card. 

Dave Bittner: OK. 

Joe Carrigan: Now, something that's interesting in this story is that she starts seeing news stories on her feed about people having their benefits scammed away from them or something. And there is a whole nother can of worms there that I want - why is she starting to see these things? How does... 

Dave Bittner: She's probably doing searches for it when she went through the process of it getting her money back. 

Joe Carrigan: It could be. 

Dave Bittner: Yeah. 

Joe Carrigan: But she goes and she checks her balance, and she finds out that she's missing about $3,000 in benefits - 2,700 bucks. 

Dave Bittner: Wow. 

Joe Carrigan: She calls the police. And the police - this is in Baltimore County, Md. - the police do not assign this to a police officer. They assign it to a person who's in the academy.

Dave Bittner: OK. 

Joe Carrigan: A recruit, essentially. 

Dave Bittner: Yeah. 

Joe Carrigan: He is now a police officer. His name is Timothy Valis, and he's been assigned to investigate the case. But he was assigned back when he was in the academy. 

Dave Bittner: Yeah. 

Joe Carrigan: I think that's interesting. I don't know why that happens. And I would have questions for Baltimore County police as to why that happens. Is this a regular practice? Did you send it to this person as a training - I don't know. I want to know the answer to this. But Officer Valis now has not been very helpful in this case. And this woman took matters into her own hands and started finding out where the card was used, where the benefits were being spent, because the Department of Human Services in Maryland was saying, we're not seeing any fraud on this. 

Dave Bittner: OK. 

Joe Carrigan: Right? So she says, well, where are my benefits being spent? You have records of that. She has actually gotten in her car and driven to the stores and asked to be shown the security footage, even one time going to a local police department and saying, they won't show me the footage unless I bring a police officer in and that police officer - out of his jurisdiction. The crime occurred out of his jurisdiction - but he went, gave her a police escort and said, let's see the footage to the people at the CVS. And they showed her the footage. And in this footage, she sees people buying large amounts of Similac. Now, this all harkens back to my interview with Mallory Sofastaii from "Hacking Humans" episode 209, where we talk about these benefits scams and we talk about the Similac scams that are going on. 

Dave Bittner: Right. 

Joe Carrigan: So these people are probably quickly monetizing the money that they've stolen from this woman, the benefit money they'd stolen from her, by exploiting other people who are experiencing the Similac shortage or the formula shortage that was happening over the summer. 

Dave Bittner: Yeah. 

Joe Carrigan: These bad guys are making money coming and going. 

Dave Bittner: So I want to focus on an element of this in the time that we have here, which is that my understanding is that the cards that people get, the basically the equivalent of an ATM card or... 

Joe Carrigan: Yup. 

Dave Bittner: ...A debit card. The versions that, at least, people in Maryland get, who are eligible for these benefits, do not have chips in them.

Joe Carrigan: They don't have chips... 

Dave Bittner: They are just... 

Joe Carrigan: You are 100% correct. 

Dave Bittner: ...Magnetic strip cards, so it's the magnetic strip and a PIN. And that is how this woman got her funds stolen. Someone had put a skimmer...

Joe Carrigan: In a 7-Eleven. 

Dave Bittner: Yeah. 

Joe Carrigan: And that is something that Officer Valis found. 

Dave Bittner: Right. 

Joe Carrigan: He said we found a skimmer at this 7-Eleven. Did you shop at this 7-Eleven? She goes, I did, but I don't remember when, and I don't remember what I spent. And he says, well, that's where we found the skimmer. So these guys found the skimmer - or put a skimmer in 7-Eleven, skimmed the benefits card information, and then they moved down to - or they may have been down in Prince George's County, Md., which is a little bit further south. And that's where they bought the Similac. 

Dave Bittner: Yeah. 

Joe Carrigan: Now, what's interesting about this is, I don't know what a chip costs to put on a credit card, but every single credit card I get in the mail now has a chip, and every single debit card I get has a chip. 

Dave Bittner: Right. 

Joe Carrigan: But for some reason, the state of Maryland is not putting these chips in the benefit cards, and people are losing money. Because skimming doesn't work on the chip cards anymore, so who are the bad guys going to target? They're going to target the people who received benefits on these cards with no chips on them. 

Dave Bittner: Yeah. 

Joe Carrigan: And it's hurting the most vulnerable population - people that need to eat. And it's - this is unconscionable, Dave. As a taxpayer in Maryland, I'm upset about this. 

Dave Bittner: I don't understand it either. And I suppose the easy explanation would be that it probably costs a few cents less, or maybe a few bucks less, per card, to not have the chips in it. My thought is why are there even cards available... 

Joe Carrigan: Without chips. 

Dave Bittner: ...That don't have chips in them? I mean... 

Joe Carrigan: Yeah, that's an excellent question. 

Dave Bittner: It should - I just think it should be a regulatory thing that those have been deprecated, and you shouldn't be able to make new ones. 

Joe Carrigan: Right. 

Dave Bittner: Because... 

Joe Carrigan: You shouldn't be using old technology for benefit cards. 

Dave Bittner: Right. Why don't poor people get the benefits of the security elements that the rest of us get as a regular part of doing our business with banks, and so on and so forth? If a bank provided me with a card that didn't have some sort of chip in it, I'd be like, what is this? 

Joe Carrigan: Yeah, I'm not doing business with you. 

Dave Bittner: Right. 

Joe Carrigan: Right. 

Dave Bittner: But folks who are in need, they don't have that... 

Joe Carrigan: They don't have a choice. 

Dave Bittner: ...Option. 

Joe Carrigan: Right. 

Dave Bittner: And so in this case, they're not being looked out for. I'm with you. I find this very troubling, and... 

Joe Carrigan: I find it troubling for a number of reasons. One, you're hurting people, right? 

Dave Bittner: Yeah. 

Joe Carrigan: You're - their benefits are getting stolen from them. Two, you're enriching criminals. That's all that the state is doing with these chip-less cards. 

Dave Bittner: Yeah. 

Joe Carrigan: Somewhere to the tune of a couple hundred thousand dollars... 

Dave Bittner: Right. 

Joe Carrigan: ...So far. And that is only going to go up. That's not going down. 

Dave Bittner: And in Maryland, they don't reimburse folks who've had their funds stolen. There are some states that evidently do that. 

Joe Carrigan: Right. 

Dave Bittner: But our state does not. 

Joe Carrigan: Our state is saying that because the funds are federally provided, we can't use federal funds to reimburse stolen funds. 

Dave Bittner: Yeah. 

Joe Carrigan: Other states are reimbursing stolen funds with state money. 

Dave Bittner: Yeah. 

Joe Carrigan: I think California is doing that. But Maryland is not going to do that. 

Dave Bittner: Seems to me like there are many, many areas here where we could do better, not the least of which is, you know, providing people with the basic security that most people enjoy. I am left scratching my head... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Why that's not happening. 

Joe Carrigan: Yeah. 

Dave Bittner: It just doesn't... 

Joe Carrigan: I'm sure... 

Dave Bittner: ...Seem right to me. 

Joe Carrigan: ...It would cost less than the couple hundred thousands of dollars of benefits that have already been stolen. 

Dave Bittner: Yeah. 

Joe Carrigan: And the coming storm of benefit theft is going to be huge. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: This is only going to get bigger. 

Dave Bittner: Yeah. All right. Well, Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.