The CyberWire Daily Podcast 11.30.22
Ep 1713 | 11.30.22

LockBit 3.0 and Punisher ransomware described. Leave that USB right in the parking lot where you found it. Killnet’s woofing. Lilac Wolverine’s big new BEC. And World Cup scams.


Dave Bittner: Has LockBit 3.0 been reverse-engineered? A COVID lure contains a Punisher hook. A Chinese cyberespionage campaign uses compromised USB drives. Lilac Wolverine exploits personal connections for BEC. Killnet claims to have counted coup against the White House. Tim Starks from The Washington Post has the FCC's Huawei restrictions and ponders what Congress might get done before the end of the year. Our guest is Tom Eston from Bishop Fox with a look inside the minds and methods of modern adversaries. And, of course, scams, hacks and other badness surrounding the World Cup.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, November 30, 2022. 

LockBit 3.0 reverse engineered. 

Dave Bittner: Sophos this morning reported on its reverse engineering of LockBit 3.0, also known as LockBit Black. It appears that the ransomware's operators are experimenting with making their malware wormable - that is, giving it functionality that would enable it to spread by itself through and across networks. Their research also offers some support to other security experts who have suspected a connection between LockBit and the BlackMatter ransomware family. They found a number of similarities which strongly suggest that LockBit 3.0 reuses code from BlackMatter, especially in its anti-debugging, obfuscation, API resolution, printer-attack and shadow-copy deletion features. There are other similarities as well, and Sophos points out that much of LockBit 3.0's tooling mimics what a legitimate penetration tester might use. 

A COVID lure contains a Punisher hook. 

Dave Bittner: In news concerning a different ransomware strain, researchers at Cyble have an account of an ongoing campaign to distribute the Punisher strain of ransomware. As is so often the case, it depends upon social engineering to gain access to its targets, which in the current outbreak are, for the most part, concentrated in Chile. 

Dave Bittner: The operators are using a phishing website that misrepresents itself as a COVID tracking application. Cyble explains that Punisher demands the equivalent of 1,000 U.S. dollars in bitcoin for decrypting files. This ransomware strain uses a common ransom note, which is downloaded from the remote server and then appends content to the ransom note to make it specific to each of its victims. Unlike many other ransomware operations, this one appears to target individuals as opposed to organizations. Victims might find it easier to recover their files from this attack than they would from other, more advanced forms of ransomware. Cyble points out that Punisher uses the AES-128 symmetric algorithm. 

Chinese cyberespionage campaign used compromised USB drives.

Dave Bittner: Mandiant reports that a cyberespionage campaign it associates with Chinese intelligence services is currently active against targets in Southeast Asia, particularly in the Philippines. The campaign uses compromised USB drives as a principal attack vector, thus counting on users delivering the malware across whatever protective air gaps may exist. The principal tools it's been seen using are MISTCLOAK, BLUEHAZE, DARKDEW and NCAT. The campaign may have been in progress since September 2021, and Mandiant reads it as an example of Chinese determination to establish and maintain persistence in targets of interest. 

Lilac Wolverine exploits personal connections for BEC. 

Dave Bittner: Abnormal Security describes a business email compromise gang dubbed Lilac Wolverine that's launching widespread campaigns asking for gift cards. The threat actor begins by compromising a personal email account and copying its contact list. The attackers then set up an email account with the same address as the compromised account, but on a different provider, usually Gmail, Hotmail or Outlook. They'll then use this account to send emails to the compromised account's contacts. If the recipient is reluctant to send the money, the attackers will explain that the fictional birthday friend also has cancer or just lost loved ones to COVID-19 or both. The researchers note that gift card requests are the most popular form of payment in BEC attacks, despite offering a lower payout per attack. 

Killnet claims to have counted coup against the White House.

Dave Bittner: The cyber auxiliaries of the nominally hacktivist group Killnet have claimed to have mounted successful distributed-denial-of-service attacks against Starlink, the White House and a variety of British websites, Trustwave's SpiderLabs researchers report. The attacks don't appear to have risen to even the level of a noticeable nuisance. Their coup-counting against the White House is instructive in what it suggests about the group's skids-of-the-world-unite persona, stating, 30 minutes of collective test attack on the White House was very successful. Of course, we wanted to take longer, but did not take into account the intensity of the request filtering system. But the White House was banged up in front of everyone. Nobody else seems to have noticed - not that much anyway. Trustwave's assessment concludes, we should expect to see more of these low-skill attacks from Killnet, targeting an ever-growing list of targets that it considers to be in opposition to Russian interests. However, it remains to be seen whether the group can graduate to attacks that cause damage, exfiltrate data or do more than take down a website for a short period of time. 

World Cup scams, hacks, and other badness.

Dave Bittner: And finally, perhaps you're one of the millions of futbol (ph) fans who have been watching the play in the World Cup. Security firm Group-IB is watching too, and they'd like to warn you that the scammers and other cybercriminals out there haven't overlooked the opportunity the FIFA championship offers them. The come-ons include bogus merchandise sites, offers of tickets, phony job offers allegedly connected with the games in Qatar and even simple scams by association, exploiting logos and likenesses from the World Cup. Where there's meat, there are also flies, as they say. Group-IB's sensible advice is to bring an added measure of common sense and skepticism to your fandom. When the barkers shout out, friends, step right up. Well, keep your hands in your pockets, and keep on walking. 

Dave Bittner: Coming up after the break, Tim Starks from The Washington Post has the FCC's Huawei restrictions and ponders what Congress might get done before the year-end. Our guest is Tom Eston from Bishop Fox with a look "Inside the Minds & Methods of Modern Adversaries." Stay with us. 

Dave Bittner: The team at offensive security and pen testing company Bishop Fox recently partnered with the SANS Technology Institute on a report titled, "Inside the Minds and Methods of Modern Adversaries." Tom Eston is vice president of consulting at Bishop Fox, and he joins us with insights from the report. 

Tom Eston: Social engineering and phishing were the top attack vectors that ethical hackers use to break into an organization. I mean, we see this in the news all the time with data breaches and attacker techniques. So it was really validation, I think, that, you know, this is the most popular way that attackers are using to break in, but also the way that ethical hackers also break in. So it's a little bit reassuring that, as ethical hackers, we are using the same types of attack vectors that our evil counterparts are. 

Dave Bittner: Hmm. What other things got your attention? 

Tom Eston: Other things include, you know, it doesn't necessarily have to do with the ethical hackers' skill sets or their background. We kind of found that pen testers and ethical hackers with varied skill sets are usually the most successful when conducting their attacks. So, you know, for example, if you have a pen tester that's very focused on application security, they may not be the best hacker to break into, say, an external network. But typically we found through the survey that those varied skills throughout somebody's career really helps them become better hackers ultimately. 

Dave Bittner: Yeah, that's an interesting insight. I mean, I suppose, really, when it comes down to it, a lot of this is creative problem-solving, right? 

Tom Eston: That's right. Yeah, absolutely. So it is kind of what I see even with our own consultants at Bishop Fox. We really try to look for individuals that have varied skill sets, have a lot of experience in different areas and not just necessarily that one particular discipline. But also, like you mentioned, Dave, about problem-solving skills, sometimes that really comes out from those nontechnical experiences as well. So varied backgrounds is a key to being a real successful, ethical hacker these days. 

Tom Eston: The one thing I would call out is around detection and response capabilities. You know, we found through our survey that many ethical hackers discover that they are not discovered, or they are not detected while they're conducting a penetration test. And that's still very alarming, given this day and age where, you know, we would think that most organizations have the capabilities now - either tools, technology and people and processes - to detect an attack. But we're still finding that a lot of organizations don't have those capabilities, and we remain undetected while we're doing an authorized penetration test. So it gives a little bit of concern when you're thinking about how many organizations are really ready not just for a pen test, but are they really ready for an attack on their organization? 

Dave Bittner: Yeah. Based on the information that you all gathered here then, what are your recommendations for organizations to best protect themselves? 

Tom Eston: Well, for one, don't always rely on the hottest tools and, you know, blinky boxes - right? - that are going to solve all your problems. It kind of goes back to what we've always been saying in security is - it's a combination of people, process and technology and to really think about how you're defending your network. One thing that I like to always recommend is when you're having a pen test done, the best pen tests that I've seen are ones that are more purple team or tabletop type exercises where you're working with the penetration tester to test your controls, to test your detection, instead of just having the pen tester go in, you know, blind and let's see what we can find and maybe hope that we can get detected. But really, a pen test nowadays should really be combined with the blue team of an organization and really working to understand a detection and of course incident response. 

Dave Bittner: That's Tom Eston from Bishop Fox. 

Dave Bittner: And it is my pleasure to welcome back to the show Tim Starks. He is the author of The Cybersecurity 202 at The Washington Post. Tim, welcome back. 

Tim Starks: Hey, thanks. Great to be back. 

Dave Bittner: Couple interesting stories that you have shared over on the 202 this week - first off, the FCC has hit Huawei with some restrictions here. What's going on with that one? 

Tim Starks: Yeah, this is the latest step in a campaign that's - I don't know if you can date back to 2012 at this point, where you've seen the executive branch take a series of steps aimed at Huawei in particular but, you know, also some other Chinese companies as the - what the FCC did here shows, that are basically trying to isolate Huawei, keep it out of the U.S., but also, you know, part of a campaign that involves trying to convince Europe to turn them away as well. So this latest stop, more - it's about Huawei and ZTE, those are both - those are the two big Chinese telecommunications companies. There's also Hytera, which makes digital radios, and then Hikvision and Dahua - if I'm saying that right - that make video surveillance systems. The FCC has said we're going to ban U.S. sales and imports of Huawei - of these companies' products because of national security concerns. Now, it's a little hard to parse in some ways what the significance of this is because it's - again, it's a little - it's not quite a revolutionary step. It's more incremental. 

Dave Bittner: Right. 

Tim Starks: If you listen to, you know, the members of the committee - the commission that is, they say this is an unprecedented thing. This is the first time - this is the words of Brendan Carr - the first time in FCC history that we have voted to prohibit the authorization of new equipment based on national security concerns because there's been this thing in the background about what you do with old equipment. And then, you know, if you - I talked to Dakota Cary over at the Krebs Stamos Group who had said this also will allow them the ability to revoke previously authorized equipment. So that's potentially important. But again, because there have been so many steps that have been going down this process of isolating them, there - it's also important to note what it can't do, which is, you know, it's not going to keep these products out of America entirely. It's not going to keep it out of the hands of consumers or small business, for instance. 

Dave Bittner: I see. Another thing that caught my eye that you wrote about this week was Congress's run towards the end of the year in this lame-duck session and some of the potential cyber legislation that may or may not happen. Can you give us a little rundown there? 

Tim Starks: Yeah. You know, I've covered Congress long enough - you know, I started covering Congress close to full time back in 2003. And I've been more focused on cybersecurity as a topic, but I was at CQ for, gosh, 11 years, Congressional Quarterly. It's usually safe to bet, I found - and this is - I apologize if this sounds cynical, but it's also just experience. It's usually safe to bet that Congress won't do something. If you're having to make a decision between will Congress do something or will they not do something, I tend to err on the side of they probably won't. But there are a few things that they're going to get done here toward the end of this lame-duck session that looks like pretty solid chances that they're going to happen. You know, there's a State Department Bureau of Cyberspace and Digital Policy now. But if you follow the State Department's handling of this office, you know, there was an office in the Obama administration, then Trump got rid of it. Then Trump created his own new idea for it, and then he changed that, too. And then Biden came in with his own idea. So what Congress has been trying to do is cut out that back-and-forth process of, you know, we're constantly dealing with this office is being in transition all the time and not sure what it is, essentially codify the office now so that it doesn't keep changing between administration and administration, which is, you know, somewhat significant. 

Tim Starks: There are other things that they might do, like the - yeah, there was a bit of push to make sure that the director of CISA has a five-year term, which means that they would go across at least more than one presidential term. You know, the idea is to keep that office nonpartisan, which is how it's been. There are some other things that are harder to predict, and then there are some things that are just probably not going to happen. And if you look at the significance of the things that are not going to happen, those are some of the more big ideas - things like creating a list of the most important critical infrastructure we have in our country - that, if they were damaged or hurt or attacked in some way by cyberattacks, that it would cause this massive systemic harm to national security, the economy, public safety. Create a list of those things, and also give incentives to those companies to take better care of those systems, and at least explore the idea of giving them some kind of requirements that they must do these things. 

Tim Starks: That has gotten - as you might expect, gotten them into some trouble with business groups, industry groups, like the Chamber of Commerce and a variety of others, who just think that this is a bad idea. They also point out the fact that the administration has been working on at least the categorization of this infrastructure. But, you know, they also aren't - probably not so crazy about the idea that they might be forced to do something. 

Dave Bittner: Is it safe to say that, you know, cybersecurity remains one of those rare things that sees bipartisan support, that people seem to be in on from both sides? 

Tim Starks: Yeah, it's feeling less and less like that to me over time. It's certainly an area that is more agreeable to both parties than, say, you know, immigration or some of the other big topics that - health care, what - you name it. 

Dave Bittner: Right. 

Tim Starks: I think that cyber is still less partisan than those things, but I think it's getting more partisan. I think you can see the roots of that that started a little after the last big presidential race in 2016. Obviously, 2020 happened. But I'm talking about where there was an actual cybersecurity ramification to that election. You know, we started seeing a breakdown of things on partisan lines about what kind of protections we should be offering for election security. And then, I think because the Biden administration has pushed a more regulatory approach than any prior administration, that has caused some heartburn with Republicans who tend to not like regulation... 

Dave Bittner: Yeah. 

Tim Starks: ...In situations that are economic. And Democrats have tried to push some of those things on the Hill, too, to make things just a little bit more mandatory or regulatory. You know, we did get a significant piece of legislation this year, perhaps the most significant piece of legislation Congress has ever passed, that does require critical infrastructure owners to report when they've suffered a major incident. They must report that to CISA. That'll be a few years before that becomes implemented. And they must report when they give ransomware - when they make ransomware payments. That's significant. That is a pretty big deal. 

Dave Bittner: Yeah. 

Tim Starks: But if you look at what - the way this started and how strict that was when Democrats were first proposing it and how it ended up, just in terms of what the enforcement mechanisms would be, I think they're significantly weaker than the enforcement mechanisms that everybody had in mind originally. It got watered down, I would say, it's fair to say. It's still significant. It just still points to the fact that while there was a bipartisan agreement on the final bill, it required Democrats conceding an awful lot. 

Dave Bittner: Yeah. I think it's safe to say that your cynicism when it comes to Congress is evidence-based, right? 


Tim Starks: I try not to be cynical. 

Dave Bittner: I know... 

Tim Starks: I'm always impressed when they do get stuff done, right? 

Dave Bittner: I am the - yeah. 

Tim Starks: Like, I'm always like, good job, Congress. I feel like I'm... 

Dave Bittner: I am the same - yeah. Pat them on the head, right (laughter)? 

Tim Starks: Yeah. It's like I feel like I'm - it's a little infantilizing them, I guess, but (laughter)... 

Dave Bittner: Yeah. 

Tim Starks: But I'm still - it's impressive when things get done because it is difficult to get things done, right? 

Dave Bittner: Yeah, absolutely. 

Tim Starks: I mean, it's very difficult. It's - the founders set up our country to be that way to a certain degree. And then, certain things we've done have made that worse. So, you know, whether you - however you feel about democracy, I'm just, you know, predicting things here, like - predict that it probably won't happen; you'll be on safe ground. Predict that it will happen; you might be disappointed. 

Dave Bittner: That's right. When all else fails, lower your standards, and you won't be disappointed. 

Tim Starks: (Laughter). 

Dave Bittner: All right. Tim Starks is the author of the Cybersecurity 202 at The Washington Post. Tim, thanks so much for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.