PurpleUrchin’s freejacking. Bluebottle versus the banks. A supply-chain attack on a machine-learning framework. The ransomware leaderboard. And cyber ops in a hybrid war.
Dave Bittner: The PurpleUrchin freejacking campaign. Bluebottle activity against banks in Francophone Africa. The PyTorch framework sustains a supply chain attack. 2022's ransomware leaderboard. Cell phone traffic as a source of combat information. FBI Cyber Division AD Bryan Vorndran on the interaction and collaboration of federal agencies in the cyber realm. Our guest, Jerry Caponera from ThreatConnect, wonders if we need more carrots than sticks in cybersecurity regulation. And two incommensurable views of information security.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 5, 2023.
The PurpleUrchin freejacking campaign.
Dave Bittner: We begin with news from researchers from Palo Alto Networks' Unit 42, who this morning released a report on threat actor Automated Libra. They're the gang behind the PurpleUrchin freejacking campaign. Automated Libra is based in South Africa and targets cloud platforms in what is known as freejacking, or the process of using free or limited-time cloud resources to perform crypto mining operations. It's a special case of cryptojacking.
Dave Bittner: The PurpleUrchin campaign was first discovered in October of last year. The gang was seen using play-and-run tactics defined by the researchers as using cloud resources and not paying the cloud platform vendor's resource bill. The actors created and used fake accounts with falsified or stolen credit cards which held unpaid balances. Operations were seen peaking in November, with three to five GitHub accounts being created every minute. More than 250 gigabytes of container data were analyzed by the researchers, and it was found that the group heavily leveraged DevOps automation techniques such as continuous integration and continuous development.
Dave Bittner: Heroku, Togglebox and GitHub were observed to be cloud service platforms the gang used, but data traced threat actor activity back to August of 2019, and that trail showed activity spread across a broad range of cloud providers and crypto exchanges.
Bluebottle activity against banks in Francophone Africa.
Dave Bittner: Researchers at Symantec released a report this morning detailing the continuation of cybercrime group Bluebottle's activity in Francophone countries, most recently observed against banks in French-speaking parts of Africa. Symantec says Bluebottle seems to be a continuation of activity tracked by Group-IB as OPERA1ER, most recently documented in a report from the group in November of last year.
Dave Bittner: The researchers at Symantec find that the current activity shows a lot of carryover from what had been seen earlier. But there are some departures, some developments in Bluebottle's technique. There are some indicators the attackers may have used ISO files as an initial infection vector. The criminals are now using the commodity malware GuLoader in the first stages of their attack, and there are now indications that Bluebottle is abusing kernel drivers to disable defenses.
Dave Bittner: Symantec says the cybercrime gang makes extensive use of living-off-the-land and dual-use tools and commodity malware, with no custom malware deployed in this campaign. Three different financial institutions in three different African countries were victimized, according to Symantec, with activity first observed in mid-July and with impact on multiple machines at all affected organizations.
PyTorch framework sustains supply-chain attack.
Dave Bittner: A threat actor carried out a supply chain attack against the open-source machine-learning framework PyTorch, BleepingComputer reports. The attacker uploaded a dependency to the Python Package Index that had the same name as one of PyTorch's dependencies. PyTorch said in a statement that the malicious package was live between December 25 and December 30, stating, "At around 4:40 p.m. GMT on Friday, December 30, we learned about a malicious dependency package, torchtriton, that was uploaded to the Python Package Index code repository with the same package name as the one we ship on the PyTorch nightly package index. Since the PyPI index takes precedence, this malicious package was being installed instead of the version from our official repository. This design enables somebody to register a package by the same name as one that exists in a third-party index, and pip will install their version by default."
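The substitution described in that statement is easier to reason about in code. The following is an added illustration for readers of this transcript, not code from PyTorch, pip, or the podcast: it models how pip treats every configured index as one pool and takes the highest version when the same name exists in two of them, beside a hardened selection that only accepts a pinned version and hash from a single trusted index, plus a small audit of a requirements file for the two settings that make the substitution possible. The index URLs, versions, payload bytes, hashes and the sample requirements file are all constructed for the example; only the package name torchtriton comes from the incident above.

```python
"""Multi-index dependency confusion, modelled, with a pinned single-index guard.

Added illustration; not PyTorch's or pip's code. Every URL, version, payload and
hash below is constructed for the example. The pool-and-highest-version rule is
how pip resolves a name when --extra-index-url is in play: it does not prefer
one index over another.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    index: str
    payload: bytes  # stand-in for the wheel/sdist bytes the index would serve

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.payload).hexdigest()

    def version_key(self):
        # Plain dotted integers are enough for the model; real pip orders by PEP 440.
        return tuple(int(p) for p in self.version.split("."))


# Constructed indexes (hypothetical URLs): the project's own index publishes
# torchtriton 2.0.0; an attacker registers the same name on PyPI with 3.0.0.
PROJECT_INDEX = "https://example.invalid/whl/nightly"
PYPI = "https://pypi.org/simple"

LEGIT_PAYLOAD = b"constructed: legitimate torchtriton build"
LEGIT_SHA256 = hashlib.sha256(LEGIT_PAYLOAD).hexdigest()

CANDIDATES = [
    Candidate("torchtriton", "2.0.0", PROJECT_INDEX, LEGIT_PAYLOAD),
    Candidate("torchtriton", "3.0.0", PYPI, b"constructed: malicious torchtriton build"),
]


def pip_like_select(name, candidates, indexes):
    """Union all configured indexes and take the highest version, with no index
    precedence. With both indexes configured, the attacker's 3.0.0 wins."""
    pool = [c for c in candidates if c.name == name and c.index in indexes]
    if not pool:
        raise LookupError(name)
    return max(pool, key=Candidate.version_key)


def hardened_select(name, candidates, trusted_index, pinned_version, pinned_sha256):
    """One trusted index, an exact version pin and a hash check: the discipline
    of `--index-url` alone (no `--extra-index-url`) plus `--require-hashes`."""
    for c in candidates:
        if (c.name == name and c.index == trusted_index
                and c.version == pinned_version and c.sha256 == pinned_sha256):
            return c
    raise RuntimeError(
        f"{name}=={pinned_version}: nothing on {trusted_index} matches the pinned hash")


# Constructed requirements file showing the risky configuration.
SAMPLE_REQUIREMENTS = """\
--index-url https://example.invalid/whl/nightly
--extra-index-url https://pypi.org/simple
torchtriton==2.0.0
numpy==1.24.1 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""


def audit_requirements(text):
    """Flag any --extra-index-url line and any requirement that carries no
    --hash, the two settings that let another index supply the same name.
    One requirement per line is assumed; backslash continuations are not handled."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("--extra-index-url"):
            findings.append(f"line {lineno}: --extra-index-url lets a second index supply any name")
        elif not line.startswith("-") and "--hash=" not in line:
            findings.append(f"line {lineno}: {line.split('==')[0]} is not hash-pinned")
    return findings


if __name__ == "__main__":
    print("both indexes ->", pip_like_select("torchtriton", CANDIDATES, {PROJECT_INDEX, PYPI}).index)
    print("project only ->", pip_like_select("torchtriton", CANDIDATES, {PROJECT_INDEX}).index)
    print("hardened    ->", hardened_select("torchtriton", CANDIDATES, PROJECT_INDEX, "2.0.0", LEGIT_SHA256).index)
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print("audit:", f)
```

The point of the hardened path is that it never consults the second index at all: even if the attacker's package had a lower version than the legitimate one, a pin without a hash would still accept whatever the trusted index served, so the hash check is what catches a replaced artifact, and dropping the extra index is what removes the name collision.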
2022's ransomware leaderboard.
Dave Bittner: This morning, Trustwave SpiderLabs released a roundup report of what they've assessed as the most active threat groups within the ransomware space last year. You'll recognize the names. They are, in reverse order: coming in at No. 4 was BlackCat, also known as ALPHV, which has possible links to the Darkside and BlackMatter gangs. BlackCat made a name for itself in July 2022 by developing a search function for indexed stolen data. They're small but with some potential for growth, and they seem to be a veteran crew that's learned its trade in other gangs. Hive, a ransomware-as-a-service operation, was No. 3. Coming to light in June 2021, the group uses an affiliate ransomware-as-a-service model and has accounted for around 9% of reported ransomware attacks in the third quarter of 2022. The group also replaced its ransomware in 2022, changing the language from GoLang to Rust, which provided advantages such as deep control over low-level resources, a variety of cryptographic libraries, and making it more difficult to reverse-engineer. Hive targets sectors not usually targeted by ransomware groups, like health care, energy and agriculture.
Dave Bittner: Black Basta, a new crew, but one that seems to trace its descent to Conti, REvil and Fin7, comes in at No. 2. The group's use of established tools such as QakBot and Cobalt Strike, as well as its lack of affiliate recruiting in favor of collaboration with previously associated actors, seems to contribute to the gang's success. And finally, the winner is LockBit. Noted for running like a business, LockBit version 3.0, the latest, added automated permission elevation, ability to disable Windows Defender, a safe mode for bypassing installed antivirus tools, and the capacity to encrypt Windows systems with two distinct strains of ransomware. Trustwave explains that that last feature decreases the chance that a third-party decryptor might blow the gaffe on the scam. How troublesome has LockBit been? Plenty. About 44% of 2022's successful ransomware infestations can be chalked up to LockBit.
Cellphone traffic as a source of combat information.
Dave Bittner: The extent to which cellphone signals have been used for geolocation and then targeting in any particular case remains unclear, but the devices represent a persistent operations security challenge for both sides. The phones make it possible to collect combat information that would formerly have been difficult to come by, from unguarded conversations to revealing photos shared in social media. The New York Times summarizes the problem that simple phone conversations pose. Russian commanders have ordered the troops to give up their phones, but such orders have been widely evaded. It's also not only the words that matter, but the signals themselves. The Times report states that soldiers "did not appear to know that cellphone data alone could potentially betray them," giving Ukrainians enough to pinpoint a phone's location down to an apartment building. Another way of putting it would be to say that metadata can be every bit as lethal as data.
Incommensurable views of information security.
Dave Bittner: And finally, the Carnegie Endowment for International Peace notes that Russia has an understanding of information security that's quite different from the one that prevails in Western and especially U.S. circles. It's more concerned with influence, with controlling a narrative, than it is with the confidentiality, integrity and availability of data. This view is significantly inward looking and inclined to view information operations as deterministic. Concentrating on confidentiality, integrity and availability is a poker player's way of seeing the world. You want to hold your cards close, know what's in your hand, and don't give the other players any tells. A chess player sees the contest differently. Mistakes might be made, but nothing happens by chance.
Dave Bittner: Coming up after the break, FBI Cyber Division AD Bryan Vorndran on the interaction and collaboration of federal agencies in the cyber realm. Our guest, Jerry Caponera from ThreatConnect, wonders if we need more carrots than sticks in cybersecurity regulation. Stick around.
Dave Bittner: There's an age-old bit of wisdom about motivating people - that you can use carrots or sticks. Cybersecurity regulations and guidelines often fall into these two categories, trying to use a positive lure to get you to do the right thing or a negative punishment if you don't. Jerry Caponera is general manager of risk products at ThreatConnect, and I spoke with him about the notion of regulatory carrots versus sticks.
Jerry Caponera: The sticks are real. The GDPR regulation is written such that you could potentially lose between 2 and 4% of your gross revenue to a fine. That's a pretty big stick. That's a lot of money. But in regards to carrots, we don't see a lot of that. Where that really starts to get interesting is when the government starts to mandate what you should be doing. So I was reading about some of the health care regulations that are coming down the pipe, as well, too, and they're trying to figure out how to build regulations in a way that makes sense. So they're putting sticks together, but there's no carrot. By that, I mean, they're saying, well, they'll have to do this. You have to be compliant with this sort of standards or this approach, and that's great, but they're not providing any financial incentive for them to do this. And the reason that that carrot, in terms of financial incentive, matters is because every company has a bajillion things to do right? That's a technical term, bajillion. They do. And security is one of them.
Jerry Caponera: So if now, all of a sudden, you have regulations that say, here's what you need to do, what they're going to - what companies are going to do is they're going to look at that and analyze, what's the potential fine that I'm going to have to deal with, and is it worth just paying it, instead of the government or these regulatory bodies saying, here's a way that if you were to actually implement and meet our standards, we can reduce your cost or provide funding. And that's the carrot piece that's missing from a lot of these regulations. They're pretty much all - if you do something bad, we're going to fine you. And it works for things like GDPR for New York state. But when the government starts saying, we need you to be compliant with this set of standards and doesn't provide the funding or the carrot to do that, it just creates a really challenging situation for these companies.
Dave Bittner: Do you suppose that we're seeing some carrots coming from other directions? I'm thinking particularly of the insurance industry, you know, where they're saying, you know, if you want to be covered and you don't want to spend as much money, do these things, and perhaps your rates will be lower.
Jerry Caponera: Absolutely. I think that's one area where we can - we will see a lot of innovation in the coming year or two because we've seen that the premiums are rising pretty high. Not only are premiums rising, but the - the zone fencing or how the insurance companies are limiting what they pay out is increasing, as well, too. They're making it harder, which is why it's a business. And so I think there's a couple things we'll see. I think what I'd love to see is I'd love to see - now, it's funny. I'd love to see something I won't do. But I'd - GEICO insurance company came out a while back with a device you put in your car, and, you know, they monitor their speed. You know, if you're going a certain speed and you're not speeding and you're not crashing, it's a good thing. Over a period of time, they'll lower your rate because they're measuring and actively monitoring where you are from a risk perspective versus how much you're paying. And lower risk, you pay lower.
Jerry Caponera: That's the concept that's going to have to be implemented in security when it comes to - when it relates to the insurance world, as well, too. So we will see some of that. But the insurance industry also has to adapt both how they look at risk from a company's perspective and how they're measuring it 'cause today they're not measuring at that level of detail or really doing that kind of inside-out measurement in general. So yeah, I do see that coming, but there's some work to do there.
Dave Bittner: Well, when we think about the government and particularly the federal government, what sorts of options do they have to incentivize organizations?
Jerry Caponera: So the government has a lot of different things that they can do, right? They can, for example, do something as simple as, you know, if you as a vendor, for example, are, you know, producing a low number of vulnerabilities, a low - you know, highly secure technologies, in a good way, they can provide incentives for you to work with the government, better rates, better contracting terms, lower taxes. They've got a lot of flexibility there. There's a model, though, that's worked in the past. And it's interesting because the - if you look back in history, you know, we drive cars. We were driving cars for 100 years or so. The National - the NTSB, National Transit Safety Board, was set up to help solve a similar problem. A similar problem was that there was a lot of accidents that caused death in cars because there was no security. There was no defenses in a car at that time. And if I look back at the numbers, you can see that - you know, back to the death rate, the motor vehicle death rate reached peak in 1937 with about 30 deaths per 100,000 population, whereas today the current rate is 12.9. So that's a 58% improvement.
Jerry Caponera: Now, what they did was they actually worked with the manufacturers, with the vendors, with consumers to figure out what would work from a security perspective. What I think the government can and should be doing is looking at creating, like, an NTSB-type organization for security because what - that will help solve the end-to-end problem because we don't think about this like an end-to-end problem. What'll end up happening is you'll fix one part of the problem or you'll fix one part of the supply chain, and then something else will pop up as the bigger problem. Playing Whac-A-Mole, you know, with this kind of security - Whac-A-Mole doesn't work. You have to have somebody looking at this problem at a broad level. And I think that's where the government can come in. I'm surprised they haven't tried to create a cyber technology safety board to do something very similar and encourage vendors and consumers and companies to get on board with us and really help for increased security for both critical infrastructure and everybody writ large.
Dave Bittner: That's an interesting idea. And I can't help wondering, you know, what's the cyber equivalent of an airbag or a seatbelt or a, you know, a padded dashboard?
Jerry Caponera: You know, it's interesting. I think it's as simple as two-factor authentication, right? It's as simple as maybe a VPN when you're browsing. I know I've done something right in my life. I mean, I can - you know, how successful I am, I have no idea. But I can measure success in one way, and that's that my family has been trained. If they get a weird text, they don't click on it. They get a weird email, they don't click on it. Even my mother says, hey, is this a bad email? I'm like, yes. Like, that kind of simple training works. So it can be as simple, Dave, as just training people. Hey, you know what? You probably don't have a cousin who's a long lost cousin who's a prince in a foreign country that wants to send you money. You don't. Don't click the link. It could be as simple as training, two-factor authentication. Basic cyber hygiene doesn't have to be crazy complicated.
Dave Bittner: That's Jerry Caponera from ThreatConnect.
Dave Bittner: And I'm pleased to be joined once again by Bryan Vorndran. He is assistant director for the cyber division at the FBI. Director Vorndran, thank you for joining us again here today. I want to touch base with you and get your perspective on the interaction and collaboration of the various federal agencies when it comes to cyber. Can you give us a little bit of behind-the-scenes insight as to how the different agencies interact?
Bryan Vorndran: Sure, Dave. And thanks for inviting me to join you again. It'd probably be best to break this down into two use case scenarios. The first is when we disseminate cybersecurity advisories, and then the second is when we have an act of intrusion with a victim that we're involved with. So in the former example, where we're disseminating cybersecurity advisories, we work very, very closely with CISA and other agencies within the U.S. government, most notably NSA, to consolidate our different threat intelligence in our world, the results of our investigative activity to inform net defenders and private sector and other equity holders about what we are seeing across the totality of the U.S. government apparatus. You know, if we do that work unilaterally, we have different products that we would disseminate.
Bryan Vorndran: But more and more, you're seeing a consolidated effort across the U.S. government and bi-seal, tri-seal products or dual-seal, tri-seal products that really do formulate and show the results of our collective work. We do that work because we think that between the multiple agencies that are developing those products, that we can tell a better story, not just a better story about a threat, but also a better story about how to counter the threat through net defense activities and net defense posture.
Bryan Vorndran: In the second example, where we are actively involved with a victim of a cyber intrusion, it looks a little bit different. And so because the FBI is a decentralized workforce, there is a high likelihood that if the victim is a major organization, that the FBI will be directly engaged with them in person. But, you know, CISA and the bureau are very insistent that a report to one of us, whether that's CISA or the FBI, truly is a report to all of us. And we are responsible to synchronize our efforts on the back side. And I think we're getting better and better at that as the years go on. And so I've been asked directly, Bryan, do you really care that we call the FBI first? And the truth of that answer is, well, I would love for you to call the FBI first, but it's more important to me that you call the U.S. government and report what's happening because the totality of the U.S. government's knowledge on a specific threat is really important to understand the totality of the nature and the scope of the threat.
Bryan Vorndran: But in those moments where we would, you know, be engaged with a victim, there's really two distinct roles. The FBI's role is a role of investigative activity, operational activity, to understand the nature of the threat, other potential victims that may have been compromised, and to take the totality of those findings and share them with CISA, primarily, so that CISA can do really good work to share the nature of the threat, the indicators of the threat, general TTPs and IOCs with other net defenders so that net defenders have a current view of other activity.
Bryan Vorndran: The only last piece I would add, Dave, is, you know, certainly, the sector risk management agencies have an ever-increasing role. And so the best example I can give you is for the pipeline sector, TSA is a sector risk management agency, so if there is a significant compromise, cyber compromise, of a pipeline company, undoubtedly TSA would be involved with CISA and the FBI so that they could provide sector-specific, in this example, pipeline company-specific use information to those pipeline companies who they have a close relationship with. So that's how it all synchronizes together in the two examples. I'd be happy to take further questions for you, but hopefully that sheds some light.
Dave Bittner: Yeah, it does. I'm curious, what goes into deciding who takes the lead in any particular case? Is it how it falls into any particular agency's areas of specialty expertise?
Bryan Vorndran: Specifically, between CISA and the FBI, we both have distinct roles. So within what we broadly refer to as PPD-41, Presidential Policy Directive 41, it scopes the FBI's role as a threat response role and CISA's role as an asset response role. So the threat response you can interpret as investigation, operational responsibility. The asset response role you can interpret as net defense assets. You know, what are we doing to make sure that our firmware, our software, our hardware is up to date, patched and that defenders are knowledgeable of the latest TTPs and IOCs that adversaries are using? So it's not really a lead role for one agency or another; it's really a better conversation about all of us having different roles to fulfill the totality of the U.S. government mission. So hopefully that offers a little bit more perspective.
Bryan Vorndran: The only thing I would share with your audience that I think is important is we have learned that one of the best conversations private organizations can have before an intrusion is which organization they would like to serve as an ingress and an egress to their C-suite. And there have been many times where the FBI has been selected in that role, and there have been many times when the FBI has not been selected for that role. We are equally fine with either. We would just encourage companies to, A, make sure they're reporting when they are become - when they do become a victim, and, B, think through who they want to serve as the ingress and egress for the U.S. government.
Dave Bittner: All right. Well, Bryan Vorndran is assistant director of the cyber division at the FBI. Thanks so much for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at the cyberwire.com. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Tyler and senior producer Jennifer Eiben. Our mixer is Tre Hester. Original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.