The CyberWire Daily Podcast 10.21.22
Ep 1688 | 10.21.22

Blackbyte's new exfiltration tool. Hijacking student accounts for BEC. Zhora calls Russia's cyber campaigns a failure. OldGremlin ransomware is an outlier.


Dave Bittner: Blackbyte's new exfiltration tool. Hijacking student accounts for BEC. Zhora calls Russia's cyber campaigns a failure. Caleb Barlow explores new thinking for incident response. Our guest is Jon Hencinski of Expel, tracking the latest threat trends. And OldGremlin ransomware seems to be an outlier.

Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, October 21, 2022. 

Blackbyte's new exfiltration tool.

Dave Bittner: Symantec warns that an affiliate of the Blackbyte ransomware-as-a-service operation is using a new data exfiltration tool called Exbyte. The researchers state, the Exbyte exfiltration tool is written in Go and designed to upload stolen files to the cloud storage service. On execution, Exbyte performs a series of checks for indicators that it may be running in a sandboxed environment. This is intended to make it more difficult for security researchers to analyze the malware. 

Dave Bittner: Symantec adds that the BlackByte operation has been steadily growing since the beginning of the year. The researchers say, BlackByte is a ransomware-as-a-service operation that is run by a cybercrime group Symantec calls Hecamede. The group sprang to public attention in February 2022, when the U.S. Federal Bureau of Investigation (FBI) issued an alert stating that BlackByte had been used to attack multiple entities in the U.S., including organizations in at least three critical infrastructure sectors. In recent months, BlackByte has become one of the most frequently used payloads in ransomware attacks. The researchers conclude that BlackByte is filling a gap left by the dissolution of other major ransomware offerings, and the fact that actors are now creating custom tools for use in BlackByte attacks suggests that it may be on the way to becoming one of the dominant ransomware threats. 

Hijacking student accounts for BEC.

Dave Bittner: Researchers at Avanan have observed a rise in attacks that compromise legitimate college student accounts in order to carry out business email compromise attacks. The report says, in this case, this same compromised account sent out numerous messages to a variety of organizations. The university, based in Arizona, is not an Avanan customer, and it's not clear how the compromise began. Regardless, this represents an effective tactic by hackers. Compromising a student account can be done quite efficiently. From there, leveraging the legitimacy of that email account, it's easy to send out multiple of the same messages to a variety of targets. That makes this an effective way for hackers to send out a wide spectrum of messages with just one compromise. 

Dave Bittner: The phishbait in this case is plausible and innocent-looking enough, with none of the more unusual appeals to fear and greed - no, the Martians have landed, and the man is out to get you; no, your secret to millions in the go-go cannabis market; not even, I'm your grandson, and I've just been arrested by aliens in the Lynchburg Police Department - none of that stuff. It's the kind of dullsville routine appeal we're accustomed to following. The phishing emails sent from the accounts appear to be support messages informing the user that several emails are being held for review. The user is directed to click a link in order to view the blocked emails. 

Dave Bittner: And while they may be dull enough to lull the mark into a false sense of complacency, Avanan notes that there are still red flags in the emails for those who have eyes to see them. The tells include things like the destination the URL would take you to and, of course, the fact that a university email is unlikely to be used to send out this kind of support message. 

Zhora calls Russia's cyber campaigns a failure.

Dave Bittner: Ukrainian cybersecurity leader Viktor Zhora, formerly Deputy Chairman and Chief Digital Transformation Officer at the State Service of Special Communication and Information Protection, characterized Russia's efforts to achieve strategic results in cyberspace as a failure. Significantly, in Meritalk's account of remarks Zhora delivered this week at Mandiant's Worldwide Information Security Exchange in Washington, the cyberwar has been waged more or less continuously since Russia's invasion and occupation of Crimea in 2014. He credits preparation and lessons learned from eight years of cyber conflict with Ukraine's successful defense, stating, we worked on strengthening our capacities to counter these attacks. We were much more prepared in the beginning of 2022 instead of 2014. We took a lot of lessons from cyber aggression over the last eight years. That is one of the reasons why the adversary hasn't reached its strategic goals in the cyberwar against Ukraine. He also credited support from and collaboration with friendly international partners with playing an important part in Ukraine's success. That support seems likely to continue. Not only has Ukraine formed many enduring partnerships with friendly foreign agencies, but financial support also continues. 

OldGremlin ransomware is an outlier.

Dave Bittner: A report by Group-IB indicates that OldGremlin ransomware remains an outlier. It's a rare Russophone gang that hits Russian targets along with other victims. BleepingComputer quotes Group-IB's Ivan Pisarev as saying, OldGremlin has debunked the myth that ransomware groups are indifferent to Russian companies. According to our data, the gang's track record includes almost 20 attacks with multimillion ransom demands, with large companies becoming their preferred targets more often. 

Dave Bittner: Active since March of 2020 and also known as TinyScout, OldGremlin has recently deployed a Linux variant of its ransomware. Why it's willing to hit the Russian targets other ransomware gangs normally exclude is unclear. It may have an arrangement with the Russian official organs. Those organs may be losing their grip, or OldGremlin may simply be rolling the dice in the hope of big paydays. Or - and this is good to bear in mind - Russian-speaking doesn't necessarily mean Russian. There's a Russian diaspora, after all, and there are plenty of non-Russians who speak the language. We hear from Mr. Putin, for example, that all those Ukrainian guys are really just Russians. Sure. HIMARS and President Zelenskyy say otherwise. But when it comes to cybercrime, well, there ain't no disputing that old Vlad Putin. 

Dave Bittner: After the break, Caleb Barlow explores new thinking for incident response. Our guest is Jon Hencinski of Expel, tracking the latest threat trends. Stay with us. 

Dave Bittner: Jon Hencinski is vice president of security operations at security firm Expel. They recently released their quarterly threat report, and I checked in with Jon Hencinski for the highlights. 

Jon Hencinski: I think the biggest call-out is identity is the new endpoint. One of the biggest takeaways from our report is identity-based attacks - and what I mean by that is credential theft, financial abuse or even compromise like long-term access keys - accounted for 56% of all incidents identified by our SOC. So things like business email compromise are a really, really big threat. And also, access into business applications - specifically, you know, application data - accounted for 51% of all incidents. The bottom line here is identity is the new endpoint. An effective detection or response strategy is more than endpoint detection and response. 

Dave Bittner: And what sort of techniques are you seeing the bad actors use here? 

Jon Hencinski: Yeah. One thing to call out is, you know, we're starting to see this concept of MFA fatigue attacks come to light more and more. Like, this was mentioned in the details about the Uber incident where, you know, attacker just submitted MFA push requests to a victim to gain initial access. So one of the interesting data points that we saw in a report was 14% of identity attacks against cloud identity providers satisfied the multifactor authentication requirement by continuously sending push notifications. So to break that down a little bit, an attacker's able to compromise a username and password combination, but to get past that second factor - push notifications - they're just continuously sending those MFA push requests until they get accepted by the victim. 

Dave Bittner: And what are your recommendations for that? I mean, is a hardware key the answer, user education? What do you recommend? 

Jon Hencinski: I think it's a great question. I, personally - Fast Identity Online factors provide the best protection, but if FIDO-only factors for MFA are unrealistic for your organization, what we typically recommend is disable email, SMS, voice and time-based one-time passwords. Instead, opt for push notifications, but with a little bit of caveat there. 

Jon Hencinski: The one thing that you're definitely going to want to do is consider limiting push notifications to one per minute to reduce the likelihood of brute forcing. But then what you're also going to likely want to do is configure MFA or identity provider policies to restrict access to managed devices only as an added layer of security. So if FIDO factors are unrealistic, opt for push notifications. But, you know, set it up and configure it in a way where it's not susceptible to brute forcing, and then only managed devices can be added as an additional security layer. 

Dave Bittner: What about the human side of this? I mean, I'm thinking of that employee who's just getting, you know, peppered with those requests and eventually, in exasperation, just, you know, hands it over to make it stop. 

Jon Hencinski: Yeah. It's a really interesting point because when you think about it, it's like, when I'm continuously sending a target those push notifications, they, you know, they're going to do one of two things - hit yes to make it go away or continue to hit no. I think the biggest call-out here is just there's probably a component of employee education and awareness training. But again, I kind of default back to, like, the software and configuration that we can do to make these things not susceptible. That's why I called out if you can look at your identity provider and limit the amount of notifications or push notifications they can receive within a given time frame, maybe that's one way to reduce the likelihood here as well. 

Jon Hencinski: The other thing that these identity providers can do is also make it easier to report - hey, we're seeing some fraud here; I'm going to report this. So one of the things that we see in our data is sometimes if a victim or target feels as though they're being targeted, identity providers like Duo make it really easy to say, hey, this is suspicious, and report it. And so the next thing you're going to want to consider is when an employee reports suspicious push notification activity, what does the response process look like? Is IT following up? Do you have a SOC, or a security operations center, that knows how to reach out to the contact or do a quick investigation to make sure that nothing's amiss? 

Dave Bittner: And, I suppose, making it so that those reports from employees can be as frictionless as possible. 

Jon Hencinski: Absolutely. Absolutely. Make it easy to report, but also follow up with the employee - hey, we saw some interesting, weird activity; you reported something suspicious here. Is everything okay here? And then there can be some additional investigation. But bottom line - you're right. Make it easy to report, but also thinking about - you know, for the mobile developers behind these identity providers - really good UI/UX to make it obvious and easy to report that suspicious activity is going to be key. 

Dave Bittner: Was there anything in this version of the report that was unexpected or surprising for you? 

Jon Hencinski: There's one really good call-out on the ransomware side of the house when - where, you know, we're talking about identity-based attacks. We're dealing a lot with cloud identity providers and applications, Microsoft 365. One of the interesting data points that we found was that ransomware threat groups and their affiliates all but abandoned the use of Visual Basic for Applications macros and Excel 4.0 macros to gain initial entry to Windows-based environments. So to give some perspective, in Q1 2022, a macro-enabled Word document or Excel 4.0 macro was the initial attack vector in about 55% of all pre-ransomware incidents. In Q2, what we found was that number fell to 9%, a decrease of 46 percentage points. 

Jon Hencinski: Now, the reason we think that happened in terms of what was the cause, what was the reason behind that shift, is, well, we believe that that change is likely in response to Microsoft's announcement that they would block macros by default in Microsoft applications. So really, Microsoft made a big announcement - we're going to stop; we're going to make it harder; we're going to stop this particular attack vector. What we saw is those ransomware threat groups and affiliates acknowledged that and started shifting their focus and efforts to using different techniques for initial access. 

Dave Bittner: So based on the information that you all have gathered here, what are your recommendations for folks to better protect themselves? 

Jon Hencinski: Yeah. I think a couple of things. Multifactor authentication, if you're not doing it, it's - MFA everywhere. And if you can't - if FIDO factors aren't realistic, push notifications with the right configuration are key. If you're really worried about ransomware attacks, what our data show is attackers are shifting from using macros for initial access and are instead opting to use things like disk image files, shortcut LNK files and HTML application HTA files to gain initial entry. At a super high level, without going too much into the weeds, think about the self-installation attack surface within your environment, particularly on the Windows operating system. Think about zipped executables and things that can just be double-clicked by your employees. And then think about the preventive controls and the protection controls that you have in place. And also, there is employee awareness and education as well. 

Dave Bittner: That's Jon Hencinski from Expel. 

Dave Bittner: And it is always my pleasure to welcome back to the show Caleb Barlow. He is the CEO at Cylete. Caleb, welcome back. I want to touch today on incident response. I know this is something you've been focused on lately and some interesting ideas you want to share. 

Caleb Barlow: Well, first of all, it's great to be back, Dave. What I want to talk about is this new concept. You know, if we think about how we respond to incidents today, it's really scenario-based management, right? We build our run books. They might be around everything from, you know, ransomware to an insider threat to a malware incident. And, you know, at the end of the day, those run books are often kind of a checklist of procedures and actions that guide our response effort. And this approach comes from the fact that, up until recently, most of the common threats an organization would encounter could be, well, predicted, you know. I mean, if you think back even before cyber, it's fire, flood, labor issue or, you know, maybe some form of a natural disaster, right? 

Caleb Barlow: And our response to cybersecurity incidents has been similar, but it's a little bit different in that, you know, the reality is we're up against a human adversary that can pivot and jog. And these are, you know, what the folks at Harvard University call novel risks, right? Meaning that they're an unpredicted crisis. And cyber, by its very nature, is a novel risk. So what I want to talk about is starting to kind of the advanced class here of moving from scenario basis to capacity basis and how we think about incident response. 

Dave Bittner: All right. Well, let's dig in here. What do you mean by capacity? 

Caleb Barlow: Well, so run books are obviously still important, right? And I don't want to diminish the need for them. But more advanced teams are morphing towards this capacity-based model to handle crisis, even events they've never imagined. So unlike a scenario-based model that's, you know, typically this sequential checklist - right? - for a predictable threat, a capacity-based approach is really about emphasizing key capacities you need to respond and maintain resiliency. And those really break down into four key areas. 

Caleb Barlow: So the first, of course, is incident response skills. Big surprise, right, Dave? The second one, though, is crisis communications. And crisis communications is totally different than corporate communications - knowing what to say, how to say it, who to inform both internally and externally as you move through that crisis. And having that ability, that capacity, whether it's an internal resource or an external resource, to be able to do it on demand - right? - that knows you, that knows how to talk about what's going on, even if you don't totally understand it yet. The third piece of this, of course, is cyber legal, which is different than, you know, your in-house counsel, folks that understand the 52 different breach disclosure laws across the U.S. and even more internationally. And the last - and this is kind of the new kid to the party - is business resiliency skills. You know, functions like, how do we switch to remote work? How do we manage downtime at the plant or the data center and keep the business running? So if we build capacity in those four areas, not only do we have the ability to move through our traditional kind of scenario-based run books better, but we also have the ability to handle the unknown. 

Dave Bittner: What's keeping people from using this already? I mean, does capacity cost more? 

Caleb Barlow: No. What's keeping people from doing this, honestly, Dave, is most people aren't even practicing their run books, right? They - you know, I love reading run books. You know, your listeners have heard this before. It's just a - I just - I find them fascinating. And the first thing I look at is I flip to the very end and look at the update schedule. And 99% of the time, the run book has never been updated in 10 years since it was written. 

Dave Bittner: (Laughter) Right. Right. 

Caleb Barlow: And it was probably written by a consultant. And what that says to me is this is useless. This hasn't been used. It hasn't been exercised. So I think the thing people have to realize in this is this is, you know, this is very analogous to learning how to swim. You can read all the books you want. You can write down your steps of how to swim. You know, jump in the pool. Start moving your arms and legs. But unless you practice it, you're going to drown. And the same is true for a cybersecurity incident. We've got to move past the traditional run books into building this kind of muscled capacity. 

Caleb Barlow: So think of this. You know, I'll use a bad sports team analogy, right? You know, think of an American football team and kind of that defensive line. They probably have watched the film and understand all the plays of their, you know, that they're going to see from the offense. But if the offense throws something new into the mix, they have the capacity because they've practiced as a team to know how they need to move differently and change things up immediately when they see something new. And that's kind of the same thing we've got to realize here with cybersecurity is we've got to build that capacity. 

Dave Bittner: Who ultimately has ownership of this? 

Caleb Barlow: Well, let's put it this way. I don't think we - you know, in some cases, you have a business resiliency officer, and you're starting to see that appear at large corporations. But I think at the end of the day, the chief information security officer now has a seat, you know, in the boardroom. And part of having that stripe means that, you know, you don't get to just kind of focus as a security wonk on the IOCs or what's going on in the SOC. You've got to start to stretch out to your peers and start talking about business resiliency. If you know that the data center in Topeka is vulnerable and you know that data center could go down pretty easily and you also know that if you saw a major incident, you're going to shut it off - you know, you're going to disconnect it - then, man, you better be working with that business team to understand how you maintain resiliency. Where do you fail over? 

Caleb Barlow: You know, a great example would be in a hospital, right? If a hospital loses access to the electronic medical record system, can they operate on paper? And how long can they operate on paper? And have they tried it? You know, those are the types of things where that CISO has got to start stretching their legs in the boardroom and realize their ultimate job isn't just to protect the company. It's to keep the company running. 

Dave Bittner: Let me push back a little bit on that because a lot of the CISOs I talk to will say that they are a member of the C-suite in name only, that yeah, there's a C at the beginning of their title, but the board really does not consider them at the level of the other folks. I mean, if they're taking this level of responsibility, is this perhaps an opportunity for them to say, look - look at these responsibilities? You know, you need to elevate my position. 

Caleb Barlow: Well, I think it's exactly right. It is an opportunity. And let's be, you know, a little bit overly direct and blunt. If they're not stepping up to this, if all they're doing is staying in the security swim lane and things are running well, and they keep, you know, the information secure, well, they probably don't belong in the boardroom because they don't understand the inner workings of the business, what's moving next, where the business is vulnerable, what key things have to happen. I mean, you've got to start to participate in those board meetings. And, you know, here's a key test, right? When it's time for the CFO to review the finances of what's going on in the organization, which, of course, is a topic in every boardroom meeting, you know, and every kind of quarterly business review, is the CISO asleep or, you know, looking at their email? Or are they paying attention and asking questions? As long as we start to act more like the latter and we start to understand how we maintain business resiliency, then that CISO deserves the C in their title. 

Dave Bittner: All right. Well, Caleb Barlow, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at Before we close today, a quick thanks to everyone who came out to our Women in Cybersecurity reception Thursday night at the International Spy Museum in Washington, D.C. It was thrilling to see so many of you in person and to witness women in every stage of their cyber careers reuniting with old friends and making new ones. A special shout-out to our senior producer Jennifer Eiben for planning and coordinating the event. And we hope to see all of you again next year. Be sure to check out this weekend's "Research Saturday" and my conversation with Dick O'Brien from Symantec's Threat Hunter Team. We're discussing their research titled "Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East." That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.