The CyberWire Daily Podcast 12.23.22
Ep 1730 | 12.23.22

PolyVice and Royal ransomware make nuisances of themselves. US warns that KillNet can be expected to go after the healthcare sector. CISA’s plans for stakeholder engagement.


Dave Bittner: The Vice Society may be upping its marketing game. Royal ransomware may have a connection to Conti. Royal delivers ransom notes by hacked printer. KillNet goes after health care. CISA's Stakeholder Engagement Strategic Plan. Adam Meyers from CrowdStrike looks at cyber-espionage. Giulia Porter from RoboKiller does not want to talk to you about your car's extended warranty. And holiday wishes to all.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, December 23, 2022. 

The Vice Society may be upping its marketing game.

Dave Bittner: Hello, everyone. It's great to have you with us here today. First, we look at some developments in the cybercriminal underworld. Cybersecurity firm SentinelOne discovered a new ransomware variant in use by the Vice Society group. It's custom-branded for the group, a first for these threat actors. Vice Society activity has been observed since June 2021 and was always seen utilizing third-party ransomware strains such as HelloKitty, Five Hands and Zeppelin, SentinelOne reports. The strain seen in a recent intrusion, which the firm's researchers have dubbed PolyVice, appends the file extension of encrypted files to .ViceSociety. The recent findings that the Zeppelin ransomware strain implemented weak encryption that allowed for decryption may have been a factor in the group's implementation of the new PolyVice variant. It is suspected that this ransomware is likely from a vendor, as Chily ransomware and SunnyDay ransomware have identical functions, with variations only in campaign-specific details. 

Royal ransomware may have a connection to Conti.

Dave Bittner: Our second note from the underworld comes from researchers at Trend Micro, who have published a report on the relatively new ransomware strain that goes by the name Royal. It turns out that there are some signs of connection to an old familiar name, Conti. Royal attacks are being launched by a sophisticated gang that used to operate the now apparently defunct Conti ransomware. Royal ransomware first surfaced in September 2022, and the vast majority of its attacks have targeted entities in the U.S. and Brazil. The threat actor uses callback phishing, a social engineering technique in which the attacker poses as technical support and instructs the victim over the phone to install remote desktop software. The threat actors also exfiltrate data before executing the ransomware. Trend Micro predicts that the Royal ransomware operators will increase their activity in the coming months. 

Ransom note delivered by hacked printers.

Dave Bittner: Royal has made an appearance in Australia. The Queensland University of Technology, second-largest university in the state of Queensland, has apparently sustained a Royal ransomware attack, the Australian Broadcasting Corporation reports. Yesterday, printers in the university's network began spewing out ransomware notices in bulk, in some cases until they used up all the affected printer's paper. 

Dave Bittner: 7News gives some of the content of the extortionists' message. After telling the recipients that they had been hit, the printouts read, most likely what happened was that you decided to save some money on your security. Alas, as a result, your critical data was not only encrypted but also copied. From there, it can be published online. Then anyone on the internet, from darknet and even your employees, will be able to see your internal documentation. Fortunately, we got you covered. 

Dave Bittner: Covered, that is, by promising to return your data once you pay the ransom. The university has shut down IT systems as it works on remediation. Australian authorities have grown fed up, positively testy, with the troubles cybercriminals have caused over the latter part of 2022. It will be interesting to see what response Royal draws from them. The gang is already in U.S. sights, and it's likely to receive some unwelcome attention from Australian authorities. We wish them good hunting. Go out and drop these chumps. 

KillNet goes after healthcare.

Dave Bittner: Turning to the cyber phases of Russia's hybrid war against Ukraine, KillNet, the hacktivist auxiliary that has been perhaps the most publicly prominent Russian actor in cyberspace over the past few months of the war, has turned its attention to health care. 

Dave Bittner: The U.S. Department of Health and Human Services, through its Health Sector Cybersecurity Coordination Center, the HC3, has warned U.S. hospitals and other health care providers that they should expect to receive attention from KillNet. The HC3 Analyst Note says that KillNet has previously targeted or threatened to target organizations in the health care and public health sector. Much of its activity has represented a threat to data privacy. And it's worth noting that more has been threatened than has apparently materialized. For example, Killmilk, a senior member of the KillNet group, has threatened the U.S. Congress with the sale of the health and personal data of the American people because of the Ukraine policy of the U.S. Congress. In December 2022, the pro-Russian hacktivist group claimed the compromise of a U.S.-based health care organization that supports members of the U.S. military and claimed to possess a large amount of user data from that organization. 

Dave Bittner: In some cases, however, KillNet has threatened medical devices. The report says, in May 2022, a 23-year-old supposed KillNet member was arrested in connection with attacks on Romanian government websites. In response to the arrest, KillNet reportedly demanded his release and threatened to target lifesaving ventilators in British hospitals if their demands were not met. The member also threatened to target the U.K. Ministry of Health. 

Dave Bittner: HC3 says, with commendable realism, that KillNet does tend to do more woofing than biting, stating, it is worth taking any claims KillNet makes about its attacks or operations with a grain of salt. Given the group's tendency to exaggerate, it is possible some of these announced operations and developments may only be to garner attention both publicly and across the cybercrime underground. 

Dave Bittner: So as the proverb would have it, the group's eagle mouth does have a tendency to overload its parakeet backside. Nonetheless, HC3 suggests several steps health care organizations might take to protect themselves and their patients. So keep those shields up, Doctor. 

CISA publishes a stakeholder engagement plan.

Dave Bittner: Speaking of shields up, CISA, the U.S. Cybersecurity and Infrastructure Security Agency, has published a "Strategic Plan for Stakeholder Engagement." The goals of the 2023 through 2025 plan, the first of its kind for CISA, are to first foster collaboration on stakeholder engagement and outreach across CISA divisions; second, gain a better understanding of stakeholders' security risks and needs; and third, effectively provide stakeholders access to CISA's products, services, resources and information. Stakeholder outreach and cooperation are as important to CISA as they are to any U.S. federal agency, given the extent to which so much U.S. critical infrastructure is held by the private sector. And so it will be interesting to see how the agency executes its strategy over the next three years. 

Holiday greetings to all.

Dave Bittner: And finally, the CyberWire will publish on our winter holiday schedule beginning tomorrow and continuing through next week. It's not a hiatus. Instead, we'll depart from our regular daily and weekly podcasts and news briefings to bring you a selection of special coverage. Visit the CyberWire over the break for a discussion of some of the cybersecurity sector's most interesting topics and even some pieces offered for your entertainment. We will resume regular publication on January 3, the day after the US federal observance of New Year's Day. In the meantime, we hope you have a quiet, restful holiday season. It's been one heck of a year, full of good times and bad, joy and sadness. We're glad you chose to spend some of your time with us. And we look forward to more time together in the coming year. It means the world to us that you find value in what we do. On behalf of our amazing CyberWire team, I wish you a merry Christmas, happy holidays and a safe and joyous New Year and special wishes for peace on Earth and especially for a just peace in Ukraine. Be kind. Take care. We'll see you next year. 

Dave Bittner: Coming up after the break, Adam Meyers from CrowdStrike looks at cyber-espionage. Giulia Porter from RoboKiller does not want to talk to you about your car's extended warranty. Do stick around. 

Dave Bittner: Adam Meyers is Head of Threat Intelligence at CrowdStrike. And in his position, he's been front and center to some of the industry's most significant cyber investigations. I checked in with Adam Meyers for his insights on where we stand when it comes to cyberespionage. 

Adam Meyers: When we think about cyber operations, cyberespionage, it's really for countries - these entities are conducting these operations for sabotage. They're also using them to enable disruptive, destructive operations and espionage. And so the scope of these things ranges country to country. North Korea over the last couple of years has engaged in a lot of revenue generation, meaning that they're breaking into cryptocurrency platforms and financial institutions and financial technology companies in order to steal actual money to help that regime conduct, you know, nuclear building and some of the other stuff that they're engaged in. And, you know, that's consistent with what we've seen them do across some of the other spectrum of things that they may attempt to do, right? Counterfeiting would be - effectively human trafficking for labor purposes, criminal activity - all of these things are associated with behaviors of North Korea in order to generate revenue for the regime and also for the Kim family. 

Dave Bittner: Is there a bit of fuzziness here? I mean, I guess when I think of espionage, I tend to think of the spy versus spy kind of stuff. But when you get into things like theft - as you mentioned, you know, North Korea stealing things, even the intellectual property that China is known to take - it seems like it crosses over into the - is it fair to say - I don't know - you know, gentlemanly spying on each other, reading each other's letters - right? - into theft. How do we deal with that fuzziness? 

Adam Meyers: Well, I think espionage is a dirty game that has to be played. And it always has had, you know, degrees of that, right? If you go back to the KGB and those days, you know, there was an entire line of technical collection that was established to steal secrets, right? Things like these - the Star Wars program back in the '80s was something that I think, you know, in part was designed to draw out those Russian KGB line X operators and some of the technical collection people in order to play that game - right? - with them. So it has always been this. And I think when we think about cyberespionage, cyber operations, COVID was a huge problem for espionage operators because, you know, if you think about that spy versus spy stuff that you alluded to - you know, trying to get across a border, trying to put human assets into a target country became very difficult during COVID, right? Borders were locked down. You had to submit to all kinds of different quarantines and things like that. So it became difficult to put human assets in places that weren't there and to service the human assets - right? - to be able to get information from them while they were undercover or, you know, in place. 

Adam Meyers: So cyber operations became a hugely important role for these different espionage operators. You know, I think we've seen that over the last two or three years, it's proliferated. We've added new nations as - what CrowdStrike tracks conducting cyber operations. One of the more prolific ones that we've been tracking pretty closely is Turkey. And so, you know, there is this increase in not just the number but also the - by number, I mean an increase in operations, not just in terms of the different agencies within the known countries doing it but new countries coming to light that are conducting these operations. 

Adam Meyers: And I think that they see this as very attractive. It's cheap. It's low risk, right? If an operation gets burned, you have some degree of deniability. And you can move on and do it again, right? It doesn't require setting up a whole bunch of infrastructure in country. It doesn't require moving humans around and building covers and legends and all of the things that you read about in spy movies or books. And, you know, it becomes really democratized. And certainly for lots of countries that want to engage in these operations, they really just need to find some people that have the know-how and are willing to do it and then task them to do it. 

Dave Bittner: You know, I've seen what I think it's fair to say you can call a shift in the approach by some of the government agencies, you know, the three letter agencies, in that there's a lot more public-private partnership and I suppose an acknowledgement that they can't do it alone, the public can't do it alone, and they really need to come at this problem together, collaboratively. What is your take on that shift? Do you think that indeed is the case that's happening? 

Adam Meyers: Absolutely. And as I said before - right? - the, everybody that's doing, playing defense, whether it be at a small enterprise, a large enterprise, Fortune 500 or government agency, they have a role to play. They're on that front line. And through things like the JCDC, the Joint Cyber Defense Cooperative that was established by CISA, through some of the other efforts by different government agencies, not just here in the U.S., but across the globe, we've seen an increase in collaboration, two-way sharing - right? - which used to be very one way. And it was typically, you know, private sector sharing information to the government. And it became a black hole. And what we've seen over the last couple of years is that there's been a substantial effort by government agencies across the globe to increase their information sharing and partnership with the private sector. And I think that that's a recognition of the fact that we are the front line defenders, right? And so that being able to get those frontline defenders involved and to share information in a two-way capacity makes everybody safer. 

Dave Bittner: That's Adam Meyers from CrowdStrike. There's a lot more to this conversation. If you want to hear more, head on over to the CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews. 

Dave Bittner: As 2022 winds down, there's one thing I think it's safe to say that most of us, at least here in the U.S., have experienced - people trying to reach us about our car's extended warranty. Giulia Porter is vice president at Robokiller, one of the companies making apps that look to block these spammy and scammy phone calls and text messages. They recently published a report on the trends they're tracking and the annoyances they're blocking. So I checked in with Giulia Porter for the details. 

Giulia Porter: So unfortunately, Americans are now more spammed than ever as of 2022. In past years, you know, we've been very much focused on robocall trends, which have continued to increase year over year. Unfortunately, we do have a new problem that's emerging at great scale, which is robo texts. Just in the first half of 2022, it's estimated that Americans received 66 billion robo texts, which is quite a lot. And at this point it's now outpacing robo calls, where Americans received about only - only, I mean - 40 billion estimated spam calls in the same time period. So at this point now, one of the biggest trends and concerns, frankly, for us is that, you know, and we can talk about this in a bit, but the industry is very focused right now on combating robocalls. And scammers know this. And they seem to be getting one step ahead of us in pivoting to this new technology, which is robo texts. 

Dave Bittner: And I mean, is that really what it comes down to, is that as organizations like yourselves are helping people get on top of robo calls, is this just a pivot on the part of the bad guys? 

Giulia Porter: It's actually a pivot at the industry level. Robokiller has been blocking spam texts for many years now. And we have been first to market in solutions to protect consumers. But what does - we believe this is a result of and the trend lines up with this timing quite closely, is if you've been following this, the government efforts on the robocall side with a new technological framework called STIR/SHAKEN. STIR/SHAKEN was a technology that was released last year that all telecommunications providers in the U.S. had to adopt and comply with, which was essentially a technological framework for caller ID verification and authentication. And what that was designed to do was create a universal standard for understanding whether or not a phone call that was being placed was being spoofed. 

Giulia Porter: A lot of times, scammers, robo callers in particular, are using caller ID spoofing to mask their caller ID. And normally, that's on the backside of a phone scam more than it is a legitimate call. And so the industry has been very, very focused on adopting this framework, complying with new regulations. And we are seeing improvements as a result. But unfortunately, scammers know this as well and were prepared for this and are responding in just a whole new medium, unfortunately. 

Dave Bittner: Yeah, it really seems like a game of cat and mouse here, and as you say, very frustrating for consumers. I mean, what are some of the other statistics that you're tracking here? 

Giulia Porter: So the FTC reports has a - reports on the reports that they receive for consumers who come to the FTC and report losses to phone scams. We believe, based on the traffic that we're seeing, that these reports that - represent millions and millions of dollars of consumer losses are only a small piece of the actual losses in the United States. For 2022, we are projecting that we are - that consumers are going to lose about $28 billion to robo texts. Where that kind of nets out is about a thousand in losses per robo text scam. And unfortunately, again, going back to that point of being more spammed than ever, people are also losing money to robo calls. And we believe that actually - that number for robo calls is going to reach about 60 billion by the end of 2022. And so you can imagine that this is a huge problem for consumers that we're seeing and nationwide. And, of course, you know, that just kind of takes it a step further. Not only are these calls and texts really annoying, but for some, they can be quite catastrophic financially. 

Dave Bittner: In terms of the actual scams themselves, are there certain ones that are more popular? 

Giulia Porter: Yes. We, you know, it's kind of sad and funny at the same time. I think if you've kind of been on social media, you might have seen some people talking about the car warranty robo call. Based on Robokiller's data, we estimate that it's statistically possible that every American with a smartphone has received that robo call more than four times this year at least. 

Dave Bittner: I know I have (laughter). 

Giulia Porter: I guess it's something we all have in common. What's interesting with the car warranty robo call is we're actually seeing a large decrease - a significant decrease, actually - in the last couple of months for that robo call specifically, actually thanks to an effort from the FCC. The FCC tracked down some known robo callers that were suspected to be behind this car warranty robo call. And they actually put out an announcement that allowed all carriers to block any traffic from where they had identified they think - they thought this the scam was coming from. And what we've seen since that announcement in July of this year is that car warranty robocalls, according to Robokiller, have gone from about 15% of total robo calls to less than 1% in just a couple of months. 

Giulia Porter: So this is actually an exciting development because it's a great testament to, you know, the efforts to get involved to stop a particular scam and seeing that that's working really basically immediately. So we're very excited about that. Of course, scammers, just like we're seeing with robo text shifts, are really going to often just change their tactics and adopt different scams. In terms of the types of scams that we're seeing, the overall trend that we know about phone scammers is that they watch the news. They know what's top of mind for us. And they're often changing and targeting their scams to be as relevant as possible. So, for example, in the last couple of months, we've seen increases - significant increases in student loan phone scams, both for robo calls and texts, as coverage around student loan forgiveness has increased in the media. 

Giulia Porter: And again, scammers really are just trying to kind of catch you when you're not really paying attention. But, you know, you might, like, look at something and see like, oh, yeah, you know, I did apply for student loan forgiveness. I'm going to, you know, just click this link and check this out in this text. And then all of a sudden, you're hooked. And so that's definitely a common trend that we see, of course, as we head into the holidays. You know, scammers love to pose as delivery service tech companies. I'm beginning a ton of Amazon spam texts the last couple days, actually. And so really, for them, it's a game of relevancy, just to increase the likelihood that you will fall for their scams, unfortunately. 

Dave Bittner: That's Giulia Porter from Robokiller. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is a production of N2k Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. 

Dave Bittner: Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella. And I'm Dave Bittner. Thanks for listening. We'll see you back here next year. 

Dave Bittner: One final note. We will be taking a break from our regularly published programs from Christmas Eve to New Year's Day. But not to worry, we still have an exciting lineup of great CyberWire Pro content that you won't want to miss. So stay tuned. And Happy Holidays, everyone.