DDoS trends. Asia sees a Lancefly infestation. Lessons from cyber actuaries. Infostealers in the C2C market. False flags.

Dave Bittner: DDoS "carpet bombing." Lancefly infests Asian targets. Cyber insurance trends. Infostealers in the C2C market. A Russian espionage service is masquerading as a criminal gang. KillNet's running a psyop radio station of questionable quality. Joe Carrigan describes baiting fraudsters with fake crypto. Our guest is Gemma Moore of Cyberis talking about how red teaming can upskill detection and response teams. And geopolitical DDoS.

Dave Bittner: I'm Dave Bittner with your CyberWire intel briefing for Tuesday, May 16th, 2023.

DDoS "carpet bombing."

Dave Bittner: Corero this morning released its 2023 DDoS Threat Intelligence report, detailing the DDoS landscape and its evolution in the past year. The research showed a 300% increase from 2021 to 2022 in what are known as "carpet-bomb" DDoS attacks; attacks which researchers define as "distributing traffic across large IP address spaces, challenging standard victim-oriented detection and mitigation techniques." Botnet attacks that resemble the patterns of the Mirai botnet have spiked to over seven times the amount of traffic from 2021 to 2022. Domain Name System services were also a much heavier target for DDoS attackers, seeing double the amount of attacks as occurred in 2020.

Lancefly, a new APT with a custom backdoor.

Dave Bittner: Symantec, reported yesterday that the advanced persistent threat, Lancefly, is using a custom backdoor to target government, aviation, education, and telecommunication sectors in South and Southeast Asia. Lancefly's custom back door, "Merdoor," seems to have been around since 2018 and facilitates keylogging, multiple C2C communication methods, and the ability to listen in to local port commands. Merdoor is "injected into the legitimate processes perfhost.exe or svchost.exe." Symantec assesses that Lancefly may have used phishing emails as an attack vector in a campaign in 2020. In its more recent activity, however, the initial infection vector was unclear. The researchers write, "We saw some indications of what the initial infection vector may have been in two victims, though this was not conclusive." Lancefly's reuse of tools associated with Chinese APTs suggests some connection with those groups, but Symantec regards the evidence as inconclusive for precise attribution: many of those tools have been widely shared.

Trends in cyber insurance claims.

Dave Bittner: Cyber insurance provider Coalition released its 2023 Cyber Claims Report, which discusses trends and evolutions in cyber insurance claims. Data showed that those with even one unpatched critical vulnerability were 33% more likely to experience an incident, while those using software at its end-of-life had triple the risk of an incident occurring. Phishing threats accounted for over three quarters of the reported incidents, with claims related to phishing incidents increasing 29% since the start of 2022. The overall amount of claims related to cyber, however, decreased between 2021 and 2022 by 17%.

Infostealers in the C2C market.

Dave Bittner: Secureworks released a threat report this morning discussing "The Growing Threat from Infostealers." Logs from infostealers that have taken user data continue to see an increase as time draws on. On the Russian Market underground forum, a total amount of logs for sale increased by 150%, from two million in a day in June of last year, to five million in February of this year. The overall growth rate for the Russian Market forum was also rather notable, with a growth rate of 670% in logs for sale between June 2021 and May of 2023. Raccoon, Vidar and Redline remain the most pervasive infostealing threats. Legal action against the Genesis Market and RaidForums has slowed underground market activity. Telegram has also benefited from this change, as more logs are being traded over the messaging platform. There is also, researchers report, an increased need for tools to aid in parsing logs once the data is received. Tools with this capability are expected to increase in popularity in the future.

Report: Russian espionage service masquerades as a criminal gang.

Dave Bittner: TechCrunch reports that the Cuba ransomware gang, most closely associated with the RomCom remote access Trojan, is not actually a criminal organization, but rather a false flag being flown by a Russian intelligence service. The attribution, which TechCrunch credits to BlackBerry, is based principally on Cuba's target selection and the timing of its attacks. Cuba behaves like a well-resourced combat support operation, its activities closely coordinated with Russian operations across the spectrum of conflict.

Radio Life, Russia’s psyop radio station with questionable taste in Western pop music. 

Dave Bittner: KillNet posted an approving link to an online psyop radio station centered around demoralizing Ukrainian and foreign troops fighting in Ukraine. On its website, Radio Life explains that its mission is to "help Ukrainian military members to make the right choice, accept the only decision, which will help save their own lives and the lives of their loved ones." In the five minutes we were able to listen to it, the radio station was blasting Quiet Riots' "Cum on Feel the Noize," but the broadcast abruptly fell silent. The station also broadcasts in Ukraine via VHF radio channels, and created a Telegram channel on May 7th of last year that saw no posts until yesterday, when they dumped approximately fifty messages meant to demoralize Ukrainian service members and other Ukrainians engaged with the channel. The big question, of course, is why would the station confine itself to Quiet Riot? Were Mungo Jerry and Screamin' Jay Hawkins unavailable?

Geopolitical DDoS.

Dave Bittner: And finally, to return to trends in distributed denial-of-service attacks, DDoS actions against selected targets in NATO-member nations have risen since Russia's invasion of Ukraine. Presently, Netscout reports, Finland, Hungary, and Turkey are receiving most of this malign attention. Easy and deniable, and the kind of activity you can hide under a false flag.

Dave Bittner: Coming up after the break, Joe Carrigan describes baiting fraudsters with fake crypto. Our guest is Gemma Moore of Cyberis talking about how red teaming can upskill detection and response teams. Stick around.

Dave Bittner: Gemma Moore is Cofounder and Director of Cyberis, a pen testing, red teaming, and Cloud Risk Management organization. I spoke with her about how pen testing and red teaming can be an opportunity to upskill your detection and response teams.

Gemma Moore: So, red teaming sort of lives in the same stable as penetration testing, but it's actually quite a different approach. So, penetration testing we tend to look at technology and we're looking at can we find all the vulnerabilities in this network or this system or this application, tip them all off, give you a remediation for each of them? Red teaming is very different, because we're looking at pretending to be the adversary, pretending to be the attacker and using the same type of techniques. And what the means with red teaming is that we, the Red Team, have an objective to meet and it might be gain the main admin, it might be gain access to a customer database something like that. And we can use all sort of techniques including sort of special engineering against people, misusing processes, and of course vulnerabilities in technologies to sort of join an attack chain together to achieve our objectives. So, we're touching on a lot more threats of area than the penetration test does, but also with less detailed coverage if that makes sense.

Dave Bittner: And what's the opportunity here than for the members of your team to take advantage of this and up their game?

>> Gemma Moore: Well, this is something that not a lot of people appreciate when they think about red teaming. Red teaming, there's a lot of sort of Zeitgeist about Red Team I suppose and it's the cool thing to do, and you know, you get the Red Team in to come and, you know, give you the fence to the kick. But the big opportunity is actually getting in a safe way your defenders to work out how well the processes work; how well their controls are functioning. As an analogy, if you were thinking about wrestling, you know, it's one thing learning all the wrestling moves and the wresting techniques on you own in your room, it's quite another when you come up against a partner who is wrestling against you and trying to take advantage of your weaknesses and your technique. So, you know, if you are training your Blue Team, for example, your responders, sort of only in theory or only against sort of very restricted sets of behaviors that they expect of other people, you will find that they won't have the sort of adaptability or the flexibility to, you know, change their processes on the fly when an adversary is doing something they don't expect. And Red Team really lets you exercise that type of flexibility and work out actually, you know, if there was an incident, if there was a breach that you were trying to head off; would you be able to do that? I suppose in some ways it's a little bit like trying to think like an attacker rather than think like a defender and that's the opportunity that you have with Blue Team. So, a lot of Blue Teams, let's take a really simple example, let's look at malware or an antivirus alert. So, you'll have an antivirus alert and you'll almost certainly have a control which quarantines a file or shuts down that file, that piece of malware that you found in your network, and you'll have a Blue Team or an instant responder sort of triaging that alert and saying "Right, there was malware. It's been shut down. It's quarantined," you know, it--that particular issue is contained. The sort of join up that often Blue Teams don't have in their own minds is the threat is not a file. The threat is not the piece of malware. The threat is the person that sent the malware in they're trying to get into the network, they're trying to, you know, gain someone's credentials or get some malware running on a workstation, whatever it was. And just because your control has stopped that particular piece of malware does not mean that the threat has gone away. It does not mean that they're not going to try again. It doesn't mean they're not going to try something different. So, that's the sort of an aspect that often you can exercise in Red Team where you can't normally do that without the help of someone taking on the role of the adversary.

Dave Bittner: Is there a certain amount of diplomacy that goes into this as well? I mean, I'm thinking that by its nature, this is an adversarial process, but in the end, everyone is on the same team.

Gemma Moore: Yes. Getting people on the side is really important. We'll quite often find that we start off a Red Team engagement with a bit of reluctance maybe from some people in the customer side or a bit of apprehension, and it's natural, because, you know, they are worried about, you know, what's going to happen if you know it turns out you know we can't see anything? Are we suddenly bad at our jobs or, you know, what's going to happen if you know we don't manage to contain the outbreak, you know? Are they going to be blamed? Are we're going to be in trouble? So, there's definitely a diplomacy, but what I would say is that a lot of the time if you are open to running the Red Team in the right way, you can get people on the side and most of the time what we manage to end up with is an exercise where everyone, including the people--including the Blue Team, have actually found it quite fun ultimately. There will always be cases where, you know, there will be someone who doesn't want you to be doing an adversary simulation, because they don't want you to be checking their work or looking at what they're doing or what have you, but it's quite rare actually that that happens. A lot of the time, focusing on you know reducing blame, because blame culture doesn't help anyone in these situations, emphasizing the positive outcomes of this, so you know if you're a stretch response team and a lot of response teams are stretched, you know, they have limited resources, they have limited tooling, and they have limited time. A lot of them are in a fairly high pressured situation a lot of the time. One of the big positives of this type or engagement with the Blue Team, you know, towards the end or during a Red Team, however it happens to be going, one of the big positives is you can make a really good case for a business case for extra project effects for resources, for extra training and ultimately that benefits everyone.

Dave Bittner: That's Gemma Moore from Cyberis.

Dave Bittner: And joining me once again is Joe Carrigan. He is from Harvard Labs and the Johns Hopkins University Information Security Institute. Hello Joe.

Joe Carrigan: Hi Dave.

Dave Bittner: Interesting article came from Cointelegraph which is, I guess kind of a place where you get information about crypto currency and stuff like that, and.

Joe Carrigan: Yes.

Dave Bittner: I will admit that I tend to shy away from these sorts of things. I tend to shy away from crypto stuff in general for better or for worse.

Joe Carrigan: Right.

Dave Bittner: But this story caught my eye here. This was about Kraken building a fake crypto account to try to bait some fraudsters.

Joe Carrigan: Right, so.

Dave Bittner: This is the kind of thing you and I talk about over on Hacking Humans.

Joe Carrigan: It is.

Dave Bittner: All the time. What's going on here Joe?

Joe Carrigan: There is a YouTube and Twitch streamer who goes by the name of Kitboga, K-i-t-b-o-g-a.

Dave Bittner: Okay.

Joe Carrigan: And the article also refers to him as Kitbot which I'm just going to call him Kit; I don't boga is kind of hard for me to say.

Dave Bittner: Okay.

Joe Carrigan: So, I'm going to call him Kit. But he is remarkably good at scamming scammers. It's scam baiting.

Dave Bittner: I see.

Joe Carrigan: Is the practice. So, what he does is he calls into these--these people that are conducting a scam, they--it's like the IRS scam or whatever.

Dave Bittner: Yeah.

Joe Carrigan: And he's done things like redeemed gift cards in front of them while they're telling him to just give them the numbers.

Dave Bittner: Uh-huh.

Joe Carrigan: He redeems it before they can and they see all the money fly away and they get really frustrated. It really hurts these bad guys' feelings.

Dave Bittner: He kind of turns the tables on them.

Joe Carrigan: He does. > Dave Bittner: Okay.

Joe Carrigan: He does. It's not really--he doesn't do anything remarkably sophisticated. He's not hacking into their systems. He's not-he's just trolling them.

Dave Bittner: Yeah.

Joe Carrigan: Which is great.

Dave Bittner: Wasting their time.

Joe Carrigan: Wasting their time, because every second they spend on the phone with this guy, is a second they're not scamming you know your mom or your dad.

Dave Bittner: Right.

Joe Carrigan: Right. They're not doing that.

Dave Bittner:  Yeah.

Joe Carrigan: So, it's good work that he's doing. Well, Kraken reached out to him. Kraken is a crypto currency exchange.

Dave Bittner: Okay.

Joe Carrigan: And they gave him access to some environment that for all the world looks like it's a Kraken, a real Kraken environment.

Dave Bittner:  Huh.

Joe Carrigan: And they made it look like he had half a million dollars in Bitcoin in his account.

Dave Bittner: Awe.

Joe Carrigan: And he calls up one of these scammers and the scammer is trying to get him to put the money into his Bitcoin wallet.

Dave Bittner: Uh-huh.

Joe Carrigan: Which, by the way, was also a Kraken wallet.

Dave Bittner: Oh.

Joe Carrigan: Which if you're a scammer, why do you have a wallet on Kraken? I don't.

Dave Bittner: That's where the money is [brief laughter].

Joe Carrigan:  I don't understand that at all. But it was. It was a, you know, I said a wallet, I say this wrong frequently. You don't get a wallet on Kraken, you get an address.

Dave Bittner: Okay.

Joe Carrigan: The wallet is Kraken's wallet.

Dave Bittner: Okay.

Joe Carrigan: And the address is associated with your account.

Dave Bittner: Okay.

Joe Carrigan: So, Kraken controls the keys and as a crypto currency exchange they're the ones that actually own the crypto.

Dave Bittner:  Yeah.

Joe Carrigan: Think of it like a bank, you put your money in the bank they're holding your money.

Dave Bittner: Right.

Joe Carrigan: But when it comes time to transfer the money away, this interface that Kraken has built for him allows him to just try to transfer money in and what he does is he puts a typo in there and makes it look like he has just burned a half a million dollars-worth of Bitcoin. And burning is when you send it to an address where nobody has the private keys.

Dave Bittner: Oh.

Joe Carrigan: It's just you can do that with any crypto currency that uses public and private keys, which is all of them. So, you can burn coins by sending them to essentially a random address.

Dave Bittner: And when they're gone they're gone?

Joe Carrigan: And they're gone. You can get them back unless you can find the private keys that can generate that address, which is remarkably difficult to do.

Dave Bittner: Okay.

Joe Carrigan: When I say remarkably difficult, understand impossible.

Dave Bittner: Okay. Right.

Joe Carrigan: But you can't do it.

Dave Bittner: Yeah.

Joe Carrigan: So, this guy gets infuriated with him.

Dave Bittner: The bad guy?

Joe Carrigan: The bad guy. Because he's just burned.

Dave Bittner: He sees half a million dollars go into the, I was going to say ether, but that's.

Joe Carrigan: Right.

Dave Bittner: That would be a bad pun.

Joe Carrigan: Right.

Dave Bittner: Okay.

Joe Carrigan: That would be a bad. He sees half a million dollars go to some unknown crypto wallet.

Dave Bittner: Right.

Joe Carrigan: And he's asking him why didn't you just copy and paste the Bitcoin address? Because that's what you should have done.

Dave Bittner: Uh-huh.

Joe Carrigan: And he's like, well I didn't enter it--I entered right.

Dave Bittner: The bad guy is already counting the money, right?

Joe Carrigan: Right. He sees--he gets in there and he, what happens? The first thing these bad guys do when they're doing these kind of scams with anything, with a crypto exchange, with a bank, a bank account or anything, is they have you install something like TeamViewer which is a remote access system for doing remote tech support or, you know, maybe if you're if you have a license and your parents need tech support.

Dave Bittner: Yeah.

Joe Carrigan: You can have them use it. So, he gets to see what's going on on Kit's screen. And he sees that Kit is logged in to Kraken and he sees that Kit has half a million dollars in there and he's just oh.

Dave Bittner: He just starts drooling.

Joe Carrigan: Yeah. Oh this is going to be a great day [multiple speakers].

Dave Bittner: It's going to be a great day.

Joe Carrigan: I am going to.

Dave Bittner: Right.

Joe Carrigan: I am going to be able to take my kids on vacation.

Dave Bittner: Yep.

Joe Carrigan: I'm going to move out of my mom's basement.

Dave Bittner: Right.

Joe Carrigan: This is going to be great.

Dave Bittner: I'm ordering a large ice cream cone today.

Joe Carrigan: Yes.

Dave Bittner: Yes.

Joe Carrigan: And Kit essentially burns this nonexistent half a million dollars in crypto and sends the guy into a seething rage. Worth the time to watch, you know, it's a one minute video that he has on, it's in the article that Kit has posted on his Twitter account, definitely worth it. I've watched a number of his videos and watched this guy just lead people on for hours. It great. Yeah, I skip around the videos just.

Dave Bittner: Yeah.

Joe Carrigan: To hear, see what's going on.

Dave Bittner:  What do you make of Kraken doing this, putting the effort into, I mean, there's on the one hand do we label this a publicity stunt? I mean, it's certainly there's some of that here.

Joe Carrigan: I would say there's good PR to be had, yeah.

Dave Bittner:  Yeah.

Joe Carrigan: I don't know I would call it a stunt.

Dave Bittner: Yeah.

Joe Carrigan: But, yeah there's good PR to be had, but additionally, this was--this attacker did have a wallet on Kraken and then allowed them to, or an address on Kraken, I've got to stop saying wallet.

Dave Bittner: Right.

Joe Carrigan: An address on Kraken.

Dave Bittner: Right.

Joe Carrigan: So, he had an account on Kraken. They know what his account is now.

Dave Bittner: Uh.

Joe Carrigan: And they can shut him down.

Dave Bittner: I see.

Joe Carrigan: So, he can't use their infrastructure anymore. So, there is a legitimate good business purpose for this.

Dave Bittner: Yeah.

Joe Carrigan: So, but the PR is, yeah, I'm sure the PR opportunity is not lost.

Dave Bittner: No. Alright, well interesting stuff. So, this was kind of fun I guess, right?

Joe Carrigan: Yeah. The guy is impersonating President Joe Biden.

Dave Bittner: Awe, okay sure [background music].

Joe Carrigan: That's impossible. I mean, it's a terrible President Joe Biden impression [background music].

Dave Bittner: Yeah. Okay. Alright, well Joe Carrigan thanks for joining us.

Joe Carrigan: It is my pleasure.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at the cyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.