The CyberWire Daily Podcast 2.1.23
Ep 1751 | 2.1.23

How the C2C market sustains ransomware gangs. In Russia’s war, intelligence services deploy wipers, and hacktivist auxiliaries handle the DDoS. And a look into other corners of the cyber underworld.


Dave Bittner: Microsoft tallies more than a hundred ransomware gangs. Sandworm's NikoWiper hits Ukraine's energy sector. Mobilizing cybercriminals in a hybrid war. Firebrick Ostrich and business email compromise. Telegram is used for sharing stolen data and selling malware. Crypto scams find their way into app stores. Bryan Vorndran of the FBI's Cyber Division outlines the services the FBI provides during an incident response. Ann Johnson from "Afternoon Cyber Tea" speaks with actor/producer Tim Murck about the intersection of cyber awareness and storytelling. And we are shocked - shocked - that there are fraudulent cyber professional credentials circulating online.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, February 1, 2023. 

More than a hundred gangs use ransomware.

Dave Bittner: In a series of tweets yesterday, Microsoft said that its researchers are tracking over a hundred threat actors who are engaged in deploying ransomware. The growth of the ransomware-as-a-service criminal-to-criminal market has lowered the barriers to entry. A criminal gang no longer needs to code its own attack tools. Redmond has some advice for defenders. To be sure, it's interesting and useful to know the ransomware strains that are out in the wild, but it's better, Microsoft advises, to focus less on payloads and more on the chain of activities that lead to their deployment. Phishing remains the most common way the attackers gain access to their targets, but malvertising is growing in popularity, and it's common for ransomware operators to exploit recently disclosed and patched vulnerabilities. They can usually count on catching a few laggards.

Dave Bittner: Another technique Microsoft researchers are seeing is deployment of bogus malicious updates to compromised targets. ReliaQuest, yesterday, blogged a detailed description of one network, called either SocGholish or, more prosaically, fake updates, to do just that. The researchers say a SocGholish compromise depends on user interaction. In the intrusions we tackled, we found evidence of users operating on our beachheads, interacting with a compromised domain belonging to a large transportation service company. The activity was noticed just this past month in January. ReliaQuest's researchers found Evil Corp's spoor on the beachheads, suggesting that familiar gang's involvement, and the activity isn't, the researchers say, to be taken lightly. They say SocGholish is well-practiced in such plotlines, disguising fake updates and tricking browser or system users into malicious downloads. We note, by the way, in full disclosure, that Microsoft is a CyberWire partner. 

Sandworm's NikoWiper and Ukraine's energy sector.

Dave Bittner: Russian intelligence services have continued their wiper campaign against Ukraine's energy sector. ESET's APT Activity Report for T3 2022, released yesterday, describes a hitherto unknown wiper, NikoWiper, which was used against a company in the energy sector in Ukraine in October of 2022. The report goes on to give particulars of the malware, stating, the NikoWiper is based on SDelete, a command line utility from Microsoft that's used for securely deleting files. It's been difficult to see coordination between Russian kinetic and cyber operations. The researchers say this attack happened around the same period that the Russian armed forces targeted Ukrainian energy infrastructure with missile strikes. Even if we were unable to demonstrate any coordination between those events, it suggests that both Sandworm and the Russian armed forces have the same objectives. Coincidence isn't necessarily coordination. But, of course, it might be. Sandworm represents threat activity directed by Russia's GRU military intelligence service.

Mobilizing cybercriminals in a hybrid war.

Dave Bittner: Russia's cyber auxiliaries continue to play their part in Russia's war. Killnet's hacktivists continue their distributed denial-of-service attacks against U.S. medical centers, with some of the targets reporting brief interruptions of important IT services. Delaware's Christiana Care, the University of Iowa Hospitals and Clinics, and a third-party vendor used by University of Michigan Health are among those who reported disruptions yesterday. 

Dave Bittner: Russian cyber gangs have, for years, operated at the sufferance of the government, which gave them broad immunity from interference as long as they restricted their attacks to foreign targets whose disruptions served Moscow's interests. The Record, citing research by its sister organization in Recorded Future, the Insikt Group, notes that a brief, sharp and unexpected crackdown on some cyber gangs by Russian law enforcement in January of 2022 served as both misdirection and as a means of clarifying relationships and bringing the gangs to heel before the February invasion of Ukraine. The Insikt Group summarizes the Kremlin's mobilization of cyber criminals, stating the relationship between the state and the gangs is longstanding. The gangs provide ready talent and a measure of deniability. There's a useful analogy here - just as the Wagner Group recruited convicts from Russian prisons to fill its infantry ranks, so the intelligence services mobilized gangland to augment their cyberattack capabilities. 

Ukraine shares lessons learned from the receiving end of Russian cyber warfare.

Dave Bittner: In an article published by the Atlantic Council, the head of Ukraine's State Service of Special Communications and Information Protection summarized some of the lessons his country has learned from its experience of Russian cyber warfare. First, the effects of cyberattacks can be difficult to contain. Targeteers might think of cyberattacks as an area weapon as opposed to a precision weapon. Cyberattacks continue to occupy a gray zone. They can be used with fewer inhibitions than kinetic strikes. They are more deniable, and they're more difficult to deter. Cyber operations are economical of manpower. Auxiliaries can make an important contribution to offensive cyber operations. And finally, cyber operations are difficult to mount. They require both time and skill to prepare and pull off. He expects the world to see more of this in future conflicts. The war against Ukraine is unlikely to be a one-off with respect to cyber operations. 

Firebrick Ostrich and business email compromise.

Dave Bittner: Turning to more ordinary cybercrime, we see some news today about business email compromise. Abnormal Security described a business email compromise gang it calls Firebrick Ostrich that performs third-party reconnaissance attacks in the service of subsequent BEC attacks. The researchers explain that third-party reconnaissance attacks rely on open-source information rather than compromised accounts. The goal is to establish a protracted relationship with the target. After the threat actors have established that two organizations have a business relationship with each other, they'll set up lookalike domains and email addresses to impersonate the vendor organization. Then, they'll send a vague request for an invoice, hoping that an employee at the customer organization will assume it's real. Firebrick Ostrich has launched more than 350 of these BEC attacks since April 2021, impersonating at least 151 organizations. All of the threat actor's targets have been based in the U.S., although the targets seem to have been chosen opportunistically. 

Telegram used for sharing stolen data and selling malware.

Dave Bittner: Security firm KELA has published a report looking at cybercriminals' use of Telegram to conduct their business. The researchers explain that Telegram's Secret Chat feature provides end-to-end encryption and relative anonymity. While the vast majority of the app's users are legitimate and Telegram has cooperated with law enforcement in the past, criminals are still attracted to the platform. KELA notes that the channel owned by the Lapsus$ data extortion group has gained more than 55,000 subscribers since it was created in December of 2021. Hacktivist groups, particularly those operating on behalf of Ukraine or Russia, have gained hundreds of thousands of subscribers. Criminals also use Telegram groups to sell physical goods, including drugs, guns and counterfeit luxury items. We stress that this amounts to abuse of a legitimate service. There's nothing inherently nefarious about Telegram. Platforms don't conspire. Crooks do. 

Crypto scams find their way into app stores.

Dave Bittner: Sophos researchers today released a report detailing their observations of fraudulent CryptoRom apps making their way into the App Store for pig butchering scams. Pig butchering, which we've mentioned previously, combines social engineering tactics with false financial apps and sites to lure victims and steal their money. Two CryptoRom apps were found in the Apple App Store - one called Ace Pro, the other MBM_Bitscan. Ace Pro does not appear to have any connection to cryptocurrency. Rather, it's described as a QR code scanning app. The other, MBM_Bitscan, feigns its use to be a real-time cryptocurrency stock tracker, though it has a fake trading interface as well. Researchers suspect that the remote nature of the malicious functionalities allowed for concealment of the true nature of the app until after the stringent App Store review. Google Play also has a version of the app, though the vendor name is different. The actors behind the scams are tracked by researchers as the Sha Zhu Pan group, initially targeting Chinese and Taiwanese victims. The victims in this case, paradoxically, seem to have been, for the most part, well-educated and sophisticated. 

Fraudulent professional credentials in the C2C market.

Dave Bittner: And finally, you want that sheepskin - that shingle you can hang out that says you're a No. 1, A-grade cybersecurity professional. Sure you do. Who wouldn't? But beware of cheaters. Researchers at Cybersixgill this morning describe the small but pervasive group of threat actors shilling fraudulent cybersecurity certification services, from falsified diplomas and certificates to cheating services and leaked courses. Various cybersecurity certification courses are seeing an increased presence on the dark web, with researchers citing a 73% increase in advertised underground courses from 2021 to '22. The courses hackers are selling online are from a variety of providers and are offered at a steep discount. The average cost of cyber training courses varies, but can be upwards of $5,000, while many dark web scammers are offering courses for a maximum of around $200, based on course content. Some actors have also been seen giving the courses away in free downloads. For heaven's sake and the love of whatever mater your alma might have, by the great horn spoon, friends, pay your tuition and do your work honestly. And no, it doesn't mean letting ChatGPT take your exams, either. 

Dave Bittner: Coming up after the break, Bryan Vorndran from the FBI's Cyber Division outlines the services the FBI provides during an incident response. Ann Johnson from the "Afternoon Cyber Tea" podcast speaks with actor/producer Tim Murck about the intersection of cyber awareness and storytelling. Stay with us. 

Dave Bittner: Microsoft's Ann Johnson is host of the "Afternoon Cyber Tea" podcast right here on the CyberWire Network. In an excerpt from a recent episode, she speaks with actor/producer Tim Murck about the intersection of cyber awareness and storytelling. 


Ann Johnson: On today's episode of "Afternoon Cyber Tea," we are going to cover a really fascinating topic at the intersection of cyber awareness and storytelling. I am joined by Tim Murck, who is an actor, producer and co-founder of Flavour, an applied gaming and storytelling company, and HackShield, a gamified cybersecurity learning experience for children. Tim is a creative, passionate about storytelling, gamification and helping people turn themselves into problem solvers. 

Ann Johnson: I frequently talk about how we need people to change the language of cybersecurity and change the methods of education if we actually want the average consumer or those who are younger - people who aren't cyber pros, right? If we want them to understand it, we actually need to change the industry fundamentally. And part of that is how we tell the story about cyber. So what's your perspective on storytelling as it relates to helping people specifically understand complex topics and then specific to cybersecurity? 

Tim Murck: Good question. There are a lot of things that I can answer on this question. So at first, there's something very interesting in how we learn. So when I started HackShield, me and my colleagues, we were advised by a lot of, let's say, people with real knowledge about how people learn, and they gave us a lot of advice. And I remember two big things, and one was how you create a security mindset. And if you want to create a security mindset, they told us you have to learn people adversarial thinking. So the simple explanation for me was learn to think as the bad guy. If you know what potential threats are, you could try to avoid them, of course. So the second thing was representational fluency. And it was also very inspiring for us because they said to us, hey, if you really want to change behavior and want to learn something, you have to, like, rewire their brains - meaning that you have to use all different part of the brains to give them the tools to see things differently. 

Ann Johnson: Thinking about your experience and educating children, what's your advice for business leaders and cyber advocates and others on how we can use storytelling to more effectively educate folks? 

Tim Murck: Well, what I always find very difficult to understand is, when I speak with scientists, researchers, cyber experts, they often tell me that the only real way that's proven effective is if you scare someone. So imagine - you know the programs in where the employees get a mail - a phishing mail - and they have to, like, click on it, and then they get a mail back from the security program - hey, you just clicked on a phishing mail - boo hoo. Learn from it. 

Ann Johnson: Yeah. 

Tim Murck: Never do it again. 

Ann Johnson: Yep. 

Tim Murck: So on a short notice, of course, this is impactful. It's just like when my kids are stealing cookies from my kitchen. And when I get very mad, they probably won't steal a cookie next day. But my idea is that, in the long run, you are creating a distance from people being open for new knowledge or people being open to experiment in the online world and to learn the things they don't already learn from somebody else. So often, I think that our way of teaching others using fear and only repeating what all the difficult and dangerous consequences potentially are in the online world - I think, in the long run, you're creating people that are feeling distance and just, like - I don't know - just stop learning at all, and at the same time clicking on every link and using every device. So the thing I learned most till now - the last years, from working with kids - is that if you motivate them and you make them proud of what they already learn and you make them curious towards what kind of new tricks the hackers found out now, you give them a responsibility to share that knowledge with their colleagues, and I think that's so much more effective than scaring the hell out of them.

Dave Bittner: Ann Johnson is host of the "Afternoon Cyber Tea" podcast. You can find more information about the show on our website. 

Dave Bittner: And joining me once again is Bryan Vorndran. He's assistant director of the Cyber Division at the FBI. A.D. Vorndran, thank you again for joining us. I want to touch base today on what folks can expect when they engage with the FBI for incident response. Can you give us an idea of the spectrum of what the FBI offers in a situation like that?

Bryan Vorndran: Sure, Dave. And thanks for having me back. I have a few thoughts on this. And what I'll do is I'll walk you through what I think is important to know actually before an intrusion happens and what we recommend, and then walk you through what that time actually does look like. We do think that before intrusion is a distinct phase for everybody's planning. And during that phase, it's important that an organization does a lot of different things. But one of those things is to proactively build a relationship with their local field office - with the FBI. That relationship should be built really for two reasons - one, to facilitate the understanding of expectations during an intrusion, but also the passage of intelligence in real time at any point during a week or a month. But the second real purpose is to establish trust between the FBI and that organization and between that organization and the FBI.

Bryan Vorndran: And so when we talk to organizations about this, we do think it's important that the FBI is brought into your tabletop exercises - for instance, response planning - because it really just does help with establishing a foundation of trust. But during an intrusion, it's been my experience that the FBI and those organizations that unfortunately do suffer those intrusions are so much better if that relationship is already in place. And one of the things that we encourage an organization to think about is, OK, you are notified now that an intrusion happens, most likely by your internal net defenders - your internal IT security shop. What is your first call, you know? And maybe relative to the FBI or maybe relative to CISA, how do you want the FBI, CISA or the U.S. government to more broadly plug into your organization? We've received some feedback that says, you know, we really want the FBI and CISA to go through our general counsel. We've received other guidance that says we want the FBI and CISA to go through our retained outside counsel for the cyber breach. We've received other feedback that says we want the FBI or CISA to connect with the CISO of an organization. 

Bryan Vorndran: But you can see right from the get-go, in terms of establishing trust and understanding a process, that it's important to all be on the same page because we would never want to unintentionally knock on somebody's door and not know that they prefer that we go through a different vector. And so even these basic things are really important. You know, what we try to encourage when an organization does suffer an intrusion, from a victim perspective and our role in incident response, is probably a little bit different than you would expect. We really encourage our people to focus on the human element of that response.

Bryan Vorndran: It's been my experience and many others' experiences that it's the human element - you know, the part of being a victim-centered organization for more than a century - that leaves a mark. So we've been asked to direct all national-level media inquiries to the FBI on behalf of victims. We've been asked to take servers safely offline. We've been asked to serve as a technical consultant for companies as they navigate next steps. We've been asked to provide high-level threat overviews. We've been asked to provide very nuanced threat overviews. We've even been asked at times to consider - we actually wound up not, in this scenario - deploying victim service specialists because there were a bunch of employees who were really struggling as a result of the intrusion their company went through. 

Bryan Vorndran: You'll see in my answer here that we really try to focus on the victim and the organization before really having a focus on our needs. And our needs - you know, there are some time-sensitive needs, right? We do know that our authorities - whether that's to seize stolen data or to seize cryptocurrency - are best executed in the first 24 hours. You know, that's just the reality of the world we work in. But many of the other pieces of intelligence that we benefit from - and I'll give you some examples here in a minute - really are nothing that we need at that moment. You know, if those come three days or four days or five days later, or even a week later, you know, that's OK. The one thing we would encourage victim organizations to think about is, with the passage of timely intelligence, it can - with a huge emphasis on can - it can at times help us prevent other organizations from being victimized. Now, there's a whole host of variables that go into whether that will or won't prove fruitful, but we just encourage companies and organizations to at least think about that. 

Bryan Vorndran: You know, at the end of the day, here's a list of a few things we like to have. No. 1 is obviously a listing of logs - right? - because we can determine a lot from the logs. With that, when did the criminal or the nation-state activity begin? Is it still ongoing? Is there a sense if anything was exfiltrated in terms of data or emails? Do we have login records from suspicious accounts? And then, obviously, virtual wallet information is hugely beneficial to us if we're going to be asked to trace cryptocurrency. You know, I have one other thing that I'll talk about in a minute, which is OFAC. But, you know, I really do think, when it comes to incident response, prior to an intrusion is a really important focus area for relationship building and establishing trust. During an intrusion, we do encourage our agents and our initial response elements to really put focus on the victim first and what the victim needs. And then, eventually, we get to what we need to further our investigative or operational outcomes. 

Bryan Vorndran: Touch briefly on OFAC - you know, OFAC obviously is the governing body for sanction entities within the - globally, the sanction entities. And one very specific piece of mitigation guidance issued by OFAC is early engagement with law enforcement. And we are always happy to take a list of names or email addresses or monikers that you have from the adversary you're dealing with. And, you know, we can do some work on those and tell an organization if they are or are not likely dealing with a sanctioned entity. And I think that's a powerful piece of intelligence for an organization to have before they make a host of decisions about whether they do or don't want to engage with an adversary. So Dave, hopefully that helps provide some background about how we look at our role. 

Dave Bittner: For organizations who have an existing relationship with a third-party, private organization - an incident response company - does the FBI still stay on their list for assistance? 

Bryan Vorndran: Yeah, we have very, very good, strong, professional relationships with most of those companies, as does CISA as well. We generally find ourselves working a lot together because of the natural mission overlap. So what we traditionally see in an intrusion, from an organizational perspective, is you'll generally see that organization retain outside counsel that is specifically equipped to deal with cyber intrusions. You'll likely then see them hire or retain third-party incident response. And then, you know, many of these organizations make a determination, long before they are intruded upon, whether they will or won't work for the - with the U.S. government, the FBI and CISA being generally the two agencies that are brought into that conversation. 

Bryan Vorndran: But as you can see from that construct that I just outlined, we work with all of those companies and many of those law firms very, very routinely. We're very knowledgeable of their processes and procedures, and they're very knowledgeable of ours. And it's actually a fairly mature relationship at this point, where everybody has an understanding and appreciation of the equities that they have to protect on behalf of the organization. So I say that in the spirit of - this is not an environment where the attorneys, third-party incident response, the FBI and CISA are all in a room together, level-setting on the intelligence we have. It's not that at all. In fact, it's very cordoned off to protect the victim entity. But nonetheless, we have very good, mature working relationships with each one of those. 

Dave Bittner: All right. Well, Bryan Vorndran is assistant director of the FBI's Cyber Division. Thank you for joining us. 

Bryan Vorndran: Thank you, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.