The CyberWire Daily Podcast 10.19.22
Ep 1686 | 10.19.22

Dispatches from the hybrid war, as auxiliaries on both sides skirmish in cyberspace. An Azure vulnerability patched. Trends in ransomware. And Social Security phishbait.


Dave Bittner: Killnet explains its actions against Bulgaria's government. The National Republican Army claims successful attacks on Russian companies. The director of Germany's BSI is out. A vulnerability in Azure, disclosed and patched. Trends in ransomware. Carole Theriault has a fresh look at the ransomware question - to pay or not to pay? Tim Eades from the Cyber Mentor Fund considers cyber insurance for small and medium-sized businesses. And Social Security phishing.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, October 19, 2022. 

Killnet explains its actions against Bulgaria's government.

Dave Bittner: In its Telegram channel, Killnet, the Russian auxiliary threat group, woofed a justification for its recent run of desultory DDoS attacks against Bulgaria, stating, "For betraying Russia and supplying weapons to Ukraine, the Bulgarian government is sentenced to network collapse and shame." The Record cites Bulgarian authorities who say they've identified the name and address of one of those who participated in the attacks. In so far as shame and network collapse are concerned, a few Bulgarian sites seem to be running a little slowly. But there's no real reason for anyone to feel ashamed, at least not in Bulgaria.

The National Republican Army claims successful attacks on Russian companies.

Dave Bittner: The National Republican Army, or NRA, a group of uncertain size and influence, has told the Kyiv Post that they've successfully compromised large Russian companies engaged in support of Russia's war as defense contractors. The NRA showed the newspaper screenshots and data that appeared to confirm their claims, but it's too soon to tell if there's substance to them. In general, the National Republican Army is a poorly understood group, and its claims should be treated with caution. The material provided to the Kyiv Post in this case, however, seems to indicate that something happened. We'll be watching to see if the story has legs. 

The Director of Germany's BSI is out.

Dave Bittner: Arne Schönbohm has been relieved of his post as head of Germany's BSI, Der Spiegel reports. Under German labor law, the removal is formally a suspension, The Washington Post writes. But few expect Mr. Schönbohm to return to the BSI. An investigation into his connections with Russia via the Cybersecurity Council of Germany and his continued contact with the Council, a group he helped found, was controversial, The Post says, because of the foundation membership of Protelion, reported to be a rebranded German arm of the Russian cybersecurity firm Infotecs, founded by a former KGB agent.

Dave Bittner: Herr Schönbohm, on Monday, asked for an investigation to clear his name. Reuters quotes the Interior Ministry as saying the dismissal was in response to news that had "permanently damaged the necessary public confidence in the neutrality and impartiality of his conduct in his office as president of Germany's most important cybersecurity authority." So it appears to be, in the first instance, a matter of perception and of the German government's sensitivity to penetration by Russian intelligence services.

A vulnerability in Azure, disclosed and patched.

Dave Bittner: Orca released a report today detailing a vulnerability they discovered in Azure Service Fabric Explorer. The vulnerability has been reported to Microsoft and the issue was designated CVE-2022-35829. A patch was released on Patch Tuesday earlier this month. The vulnerability known as FabriXss - and that's FabriXss with an X - was found in Azure Service Fabric Explorer. Microsoft Azure Service Fabric is described as a distributed systems platform for packaging, deploying and managing stateless and stateful distributed applications and containers on a large scale. And Service Fabric Explorer is a tool for inspecting and managing Azure Service Fabric clusters. 

Dave Bittner: It was determined that a class of user known as deployers, who have permissions to create new applications via the dashboard, can use this permission to create a malicious application name and abuse administrator access to perform a range of actions. Orca reports that this can include what's known as cluster node reset, which erases all custom settings such as passwords and security data, which can be overwritten by the malicious actor and give them the ability to gain full admin permissions. 

Dave Bittner: If you use Service Fabric Explorer version 8.1.316 or earlier, then in principle, you're vulnerable. You should apply Microsoft's October 2022 update and verify that the Service Fabric Explorer URL ends in index.html instead of old.html. And, of course, we say in full disclosure, Microsoft is a CyberWire partner. 

Trends in ransomware.

Dave Bittner: Digital Shadows has released its report on ransomware for the third quarter of 2022. The researchers found that ransomware decreased as a whole, despite notable attacks on high-profile targets. Overall, LockBit activity decreased this quarter, but the group's share of total activity - its criminal market share, if you will - increased over that same period from 32% to 35%. LockBit 3.0 has been a success for the group, despite skepticism from other competing threat actors.

Dave Bittner: In September 2022, a leaked LockBit 3.0 builder was posted on Twitter that was alleged to come from a hacker, but LockBitSupp claimed the leak was a former developer. Whatever the case may be, it's a legitimate builder, and Digital Shadows says this could have consequences during the remainder of this year if other malicious actors get a hold of that builder and put it to use. There wouldn't be much the LockBit gang could do to stop this theft of its IP. What are they going to do - sue? 

Dave Bittner: The ransomware gang Conti appears to have closed up its operations in June 2022. Quarter 3 has seen the aftereffects of Conti's dissolution, which include competitions over Conti's market share and a surge in new ransomware groups. LockBit was the dominant ransomware family, but no clear family emerged to take Conti's position as No. 2. Black Basta, HiveLeaks and ALPHV account for 9%, 8% and 7% of all ransomware victims this quarter respectively. In all, the researchers found that 12 new ransomware data leak sites were created in the third quarter of this year.

Dave Bittner: One distinction Digital Shadows makes in their report is that between ordinary criminals and politically motivated ransomware. It's getting harder to tell the difference, especially with the rise of privateering in Russia's hybrid war against Ukraine. The researchers cite the August 2022 ransomware attack on the Montenegrin government as an example of the challenge of identifying motives. Russia was initially blamed for the attack, but the use of Cuba ransomware lent the incident the coloration of ordinary criminal extortion. The cyberattacks on Albania's government systems, however, were attributed with high confidence to Iran's Ministry of Intelligence and Security. These were clearly political in nature, with no obvious attempt at monetization. 

Social Security phishing.

Dave Bittner: Finally, security firm INKY, this morning, put out a warning concerning some social engineering it's observed that involves impersonation of the U.S. Social Security Administration. In its broad outlines, it's a two-step campaign that moves from phishing to vishing. INKY states all of the SSA brand impersonation phishing emails INKY caught contained a PDF attachment that opened in the form of a letter with SSA-branded elements. As you can see in our example, the letter starts with one of SSA's widely used logos alongside a short tagline. It's an image that looks sharp and is readily available online. In the body of the letter, the sender claims that illegal and fraudulent activities have been associated with the recipient's Social Security number, and, as a result, their Social Security number will be suspended in 24 hours. A phone number is given to resolve this issue. The initial phishbait is commonplace enough. Your Social Security number will be discarded, disabled, canceled or terminated because it's been involved in fraudulent activity, is expiring or has come to attention as suspicious. 

Dave Bittner: Sad stuff - and connoisseurs of U.S. federal officialese won't be easily gulled by that PDF letter. Sure, the logo is pretty sharp and sweet, but the grammar and usage are off. Things are oddly centered, and it's signed by someone with an implausible title. Still, if you are elderly, worried about your finances and unaccustomed to the ways of the government, you might be tempted to bite. But please don't. If someone tells you that your Social Security number is about to be suspended and if they email you with the news, that's two strikes against them. The Social Security Administration doesn't suspend numbers like that, and they communicate with account holders by good old-fashioned U.S. mail, not these newfangled PDFs we keep hearing about from the kids. At any rate, stay safe out there.

Dave Bittner: Coming up after the break, Carole Theriault has a fresh look at the ransomware question. Tim Eades from Cyber Mentor Fund considers cyber insurance for small and medium-sized businesses. Stay with us. 

Dave Bittner: Since ransomware became a thing, the question has been to pay or not to pay. Our CyberWire U.K. correspondent Carole Theriault takes a fresh look at that question. 

Carole Theriault: When it comes to ransomware, there is one big question that divides even those au fait with cybersecurity - to pay or not to pay? And there are so many things to consider. Will the ransomware baddies delete or return the data access and effectively be honorable people? Will customers, partners and press make a stink if we pay or don't pay? Or what data have they nabbed, and how vital is it to our business and its supporters? 

Carole Theriault: A recent report from Coveware had some interesting insights. So one, the median ransomware payment made by a victim decreased to $36,000 and change. And this is a 50% decrease from the previous quarter. That's huge. And it's going to be fascinating to see if this trend continues. I also wonder if ransomware is perhaps being affected by inflation, as in victims simply cannot afford the prices of yore to have their data returned. 

Carole Theriault: Two, the second finding was that the ransomware report says there is an encouraging trend amongst large organizations refusing to consider negotiations when ransomware groups demand impossibly high ransom amounts.

Carole Theriault: And a third point is that we shouldn't trust these miscreants. During the second quarter of 2022, Coveware says that they continue to see evidence that threat actors do not honor their word as it relates to destroying exfiltrated data. So even though they promise they will, they are not. And they say, quote, "victims of data exfiltration continue to fuel the cyber extortion economy with these fruitless ransomware payments," unquote. 

Carole Theriault: To add to this, the U.K.'s National Cyber Security Centre and the Information Commissioner's Office issued a joint letter recently urging the legal community in the U.K. to closely evaluate the guidance provided to victims of data exfiltration extortion. In other words, paying up does not mean that everything returns to normal.

Carole Theriault: And I can't help but wonder whether cyber insurance has a part to play here as well. I have heard from a number of experts that cyber insurance policies have changed dramatically in the last, say, five years. And maybe in early instances, where they promise to pay a ransom in order to get data back, there may be much more complicated wording to decrease the chances of them having to pay. All I'm saying is read your policy very carefully. 

Carole Theriault: And if you're listening to me talk here and you're thinking, yeah, yeah, I have had a policy for five years, and I read it when I got it, might I recommend that you ask to see the most recent version of the policy so that you can read it at your leisure and make sure that everything is up to scratch? Because it ain't great thinking you're covered for something and finding out that, in fact, you're not - especially when it comes to ransomware. This was Carole Theriault for the CyberWire. 

Dave Bittner: And I'm pleased to be joined once again by Tim Eades. He is the CEO at vArmour, also the co-founder of the Cyber Mentor Fund. Tim, always a pleasure to welcome you back. 

Tim Eades: Great to be here, Dave. 

Dave Bittner: I wanted to get your insights today on where we stand with cyber insurance. I mean, it's certainly been an area where we've seen some change over the past few years, I suspect it's safe to say. What are you seeing from your point of view? 

Tim Eades: Yeah. Cyber insurance market, particularly in the SMB side, is going to reach, like, 30 billion by 2030. I mean, just - it's a giant market. It's also going to be incredibly disruptive to the cyber industry. 

Tim Eades: But let's just walk through a scenario. Dave and Tim are going to start up a pizzeria, right? We're going to run a pizzeria, which sounds great. It's going to do great Italian pizzas. And what's going to happen is we have employees. And we're going to have worker's comp. You're going to have worker's comp. And you're going to have cyber insurance. They're going to come hand in hand. And it's not going to be an option. 

Tim Eades: And the deal - your policy will be set up. So you turn around and you'll go, OK, well, how do I get my policy for breach insurance and everything under control? Well, I need to have single sign-on turned on. I need to have an endpoint technology. I need to have, you know, authentication and a whole bunch of different stuff. And if you have that, I'll get a better policy. And Dave and Tim's Pizzeria will have a great, secure enterprise because it has been forced to adopt and forced to implement and tested that there has been implemented core technologies to lock down Dave and Tim's Pizzeria. And so what's going to happen is it's going to force, particularly at the SMB level, dramatic adoption and standardization of security technologies. 

Tim Eades: The challenge for it is that it will be - no one will care about the brand. They won't care whether it's Symantec or McAfee or anybody else on the consumer side or the SMB side. They will - it will be a tick in the box that says, OK, my insurance provider says I've got to have worker's comp. I've got to have worker's comp. I've also got to have cyber insurance. OK. I need these four or five technologies. And then I'm fine. I'd get a better policy, and I'll buy them. I won't care about the brand. But it will be mass adoption.

Tim Eades: And so the people at the large insurance companies, whether Zurich or whatever, are looking at, you know, the growth of the overall insurance market and saying, OK, let's go put a bet into cyber insurance because it's the fastest growing category. It's a massive, massive opportunity which will make all these small businesses in particular way more secure, which is a great thing. But it will consolidate some of the technologies where they won't care about the brand so much. 

Dave Bittner: Now, I can't help wondering about the insurance companies and how they're going to position themselves, you know, particularly as we've seen with ransomware and the costs going up, you know. How are they going to run those numbers and make it so that it works for those small and medium-sized businesses to even be able to afford this stuff? 

Tim Eades: Volume. Volume. You know, I mean, when you turn around and you run an actuary table against not 100,000 businesses, not even 5 million businesses, I guess 50 million businesses, you can aggregate your price. And then you aggregate the risk, and then you bring the policy down. The volume in this market is staggering.

Tim Eades: I mean, I'll give you an example. I think - I have a decent guess that in North America, there's about 25 million small businesses with under 30 employees. This is an enormous number. Then you go to India. I mean, the numbers here are staggering. And that's how, when you get volume, you get - and you also - you get competition in this market, those two things will drive a better price down for everybody. 

Dave Bittner: How do we make it so that those small and medium-sized business owners see the value in this? Or is it just destined to be a check box? 

Tim Eades: Well, I would love to say they see that value. I do think they will see some value because there will be some attacks that are prevented. It is a tick-box scenario. There is no doubt. And that's what it's going to drive it to be. I mean, these people are not highly sought-after targets, but it will be a tick-box scenario that - whether you're a small doctor's surgery or a small dentist, whatever it may be, or Dave and Tim's Pizzeria, you know, it's going to be a tick box. And I'm OK with that. You know, I'm OK with that.

Tim Eades: Over the last 20 years I've been in cyber, you know, it's always been a better mousetrap. What I want to do now is get cyber insurance everywhere just as popular and just as adopted as worker's comp and get the technologies to secure it. And that's OK, right? Now, it's just - like you said earlier, like it's done competitively priced because the volume of the competition, I think, could be fine. 

Dave Bittner: And in the same way that you're - a commercial insurance person comes and takes a little walk around to make sure you've got sprinklers and fire extinguishers and you're not blocking the exit doors, somebody will be checking your multi-factor authentication. 

Tim Eades: Somebody will be checking your multi-factor authentication. They'd do a quick scan. Do you have multi-factor authentication turned on? Are you using an endpoint? All the normal stuff. And you go, yeah, yeah, yeah, you'll be fine. It's exactly the model you just described. 

Dave Bittner: All right. Well, interesting insights as always. Tim Eades, thanks for joining us. 

Tim Eades: Thanks, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.