DPRK’s RGB shows improved targeting and tool-sharing. Cl0p updates. Two new RATs. Weak radio encryption standard. Razzlekhan will cop a plea.
Dave Bittner: North Korea's increasingly supple cyber offensives. A look at Cl0p. The NetSupport RAT's fake update vectors. HotRat is a Trojan that accompanies illegally pirated software and games. Crackable radio encryption standard: a bug or a feature? Chris Novak from Verizon discusses ransomware through the lens of the DBIR. Carole Theriault describes a ransomware attack that hit close to home. And an alleged money-laundering crypto-rapper is back in the news.
Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Monday, July 24th, 2023.
North Korea's increasingly supple cyber offensives.
Dave Bittner: Mandiant this morning released research into current activity by Pyongyang's UNC4899, which it describes as "a Democratic People's Republic of Korea (DPRK)-nexus actor, with a history of targeting companies within the cryptocurrency vertical." Mandiant "assesses with high confidence that UNC4899 is a cryptocurrency-focused element within the DPRK's Reconnaissance General Bureau (RGB)," and the researchers also believe it's the same activity tracked and reported elsewhere as TraderTraitor. Mandiant's research was conducted in the course of its investigation of a supply chain attack on one of JumpCloud's customers. North Korean operators have undergone years of refinement and coordination to the point where they represent an agile and sophisticated adversary, with shared tooling and targeting. Mandiant's report concludes, "This seeming “streamlining” of activities by DPRK often makes it difficult for defenders to track, attribute, and thwart malicious activities, while enabling this now collaborative adversary to move stealthily and with greater speed."
A look at Cl0p.
Dave Bittner: Fortinet’s FortiGuard Labs has published a report on the Cl0p ransomware gang. The Cl0p ransomware is associated with the FIN11 cybercrime group, and appears to be a descendant of the CryptoMix ransomware. The gang has been conducting a widespread data theft extortion campaign leveraging a recently disclosed MOVEit Transfer vulnerability (CVE-2023-34362).
Dave Bittner: The gang recently shifted its monetization strategy, and now focuses on stealing data for extortion rather than executing ransomware:
Dave Bittner: Cl0p currently has over 400 victims listed on its data leak site, most of which are located in the US and Europe: “According to data collected through Fortinet's FortiRecon service, the Cl0p ransomware group preyed on several industry sectors between January and June 2023, with business services leading the way, followed by software and finance. When victim organizations are classified by country, the United States is in first place by a significant margin.”
NetSupport RAT's fake update vectors.
Dave Bittner: Malwarebytes is tracking a new campaign called “FakeSG” that uses compromised websites to trick users into installing the NetSupport RAT under the guise of a phony browser update: “The tactics, techniques, and procedures (TTPs) are very similar to those of SocGholish and it would be easy to think the two are related. In fact, this chain also leads to NetSupport RAT. However, the template source code is quite different and the payload delivery uses different infrastructure. As a result, we decided to call this variant FakeSG.”
HotRat, a Trojan that accompanies illegally pirated software and games.
Dave Bittner: Researchers at Avast have discovered a campaign that spreads a newer version of AsyncRAT, this latest iteration called “HotRat.” The RAT (remote access trojan) piggybacks on downloads of illegally pirated games or illicit copies of software applications like Adobe Photoshop or Microsoft Office. Avast writes, “Once it sneaks into your computer, HotRat can swipe your personal info, snap screenshots of what you're up to, and even invite more unwanted guests.” CyberSecurity Connect reports that HotRat has been in circulation since October of last year and has mostly affected users in Africa and Asia. HotRat also has ways to maintain persistence. Investin.com writes, “The malware exhibits persistence by leveraging scheduled tasks, enabling it to maintain a foothold on infected systems. It also can eliminate antivirus programmes, thus endangering the system’s overall security.” As always, experts recommend purchasing or downloading software and applications from verified sellers or sources. HotRat is another example (as if more were needed) of why free versions of software hawked by third parties are indeed too good to be true.
Crackable radio encryption standard: a bug or a feature?
Dave Bittner: At Black Hat this year Midnight Blue researchers will present the results of their study of the European Telecommunications Standards Institute's TErrestrial Trunked RAdio (TETRA) standard. Vice's Motherboard has an early look at the research. Midnight Blue says the standard, widely used in first responder, infrastructure operator, and (some) military radios, offers an encryption standard that can be broken by readily available techniques. Midnight Blue says a reduction step reduces the entropy of the initial key and enables passive decryption of traffic to the point that it amounts to "an intentional backdoor." The vulnerable TEA1 encryption is relatively old but continues to see widespread use. Midnight Blue recommends that users replace it with more recent standards, or adopt additional end-to-end encryption. ETSI said that it welcomes any testing of its standards, noting that TETRA was designed to comply with export standards, and that ETSI has seen no evidence of the vulnerability's exploitation in the wild. Midnight Blue thinks such exploitation, being passive, would have been very difficult to observe, and could easily have passed unnoticed.
The Crocodile of Wall Street will cop a plea.
Dave Bittner: And, finally, remember the Crocodile of Wall Street? She’s back in the news. Reuters reported Friday on Heather "Razzlekhan" Morgan, the crypto-rapper arrested in February 2022 in connection with laundering some 100,000 Bitcoin stolen in the 2016 hacking of the alt-coin exchange Bitfinex.
Dave Bittner: Her husband, Ilya Lichtenstein, also charged in the case but without an online persona as colorful as his inamorata's, will also be accepting a plea agreement. Both face one count of conspiracy to launder money. Ms Morgan faces an additional charge of conspiracy to defraud the United States. Details of the plea haven't yet been announced. The plea hearing is scheduled for August 3rd.
Dave Bittner: Bitcoin has fluctuated considerably in value. The coin the couple is alleged to have laundered was worth $71 million in 2016, but had appreciated to over $4.5 billion by February of last year. Prosecutors are seeking to have the two forfeit assets now worth roughly $3 billion.
Dave Bittner: Those who can't help themselves may view and listen to Razzlekhan's characteristic rap stylings online. Word to the wise - the performance includes naughty words, not safe for work, unless, y’know, we guess, you work on Wall Street.
Dave Bittner: Coming up after the break, Chris Novak from Verizon discusses ransomware through the lens of the DBIR. Carole Theriault describes a ransomware attack that hit close to home. Stay with us.
Dave Bittner: Ransomware continues to stay in the news, and our UK correspondent Carole Theriault files this report about a ransomware attack that hit a little close to home.
Carole Theriault: So imagine you run a company, and like any company these days, you have at least one IT person. Someone who can help you sort out the tech, make sure it works, make sure it's safe. Now, imagine that you receive an email. A blackmail email that demands that you pay a ransomware fine. Turns out these baddies accessed an unauthorized part of your computer system. What a pickle. So what do you do? You call your IT person to help you figure out what steps you should take next. So far, nothing terribly noteworthy. Companies face ransomware scams all the time. Sometimes it's due to lack of security. Sometimes it's due to insider threats. Sometimes it's simply down to lack of oversight. Whatever the case, you want a crack team that's going to guide you and help you through this mess. And you want them to be trusted. In short, they should be working in good faith. But what if they don't? A recent case in my hometown of Oxford in the United Kingdom stinks of opportunism, greed, and maybe a little stupidity. And it's worth sharing, because it's pretty fascinating. Now, as you probably know, Oxford is home to Oxford Biomedica. This is the UK gene and cell therapy company that was involved in the creation of AstraZeneca, one of the vaccines fighting COVID-19. And back in 2018, they were hit with a ransomware attack demanding a glut of Bitcoin. They call IT to advise. But what the founders of Oxford Biomedica didn't know was that their cybersecurity IT rep, a 28-year-old IT security analyst named Ashley Lyles, had other ideas. According to the Southeast Regional Organized Crime Unit, Lyles commenced a separate and secondary attack against the company. Now, remember, he had access to sensitive information in this ransomware case, and he inserted himself between the board and the attackers, secretly changing the Bitcoin payment address to his own. So if the bosses decided to pay the ransom, he would be the recipient, not the attackers.
Pretty bold move, if you ask me. Lyles also created an email address very similar to the one of the attacker. And from this new email address, he began emailing the employers, pretending to be the attacker and putting pressure on them to pay up. Unfortunately for Lyles, a payment was never made, and the unauthorized access was noticed during the investigation. He was eventually found out and arrested. Lyles pleaded guilty very recently and awaits sentencing. I can't imagine the judge is going to be terribly lenient here. [Music] Crazy story has all the hallmarks for a streaming series, don't you think? This was Carole Theriault for the CyberWire.
Dave Bittner: And it is always my pleasure to welcome back to the show Chris Novak. He is managing director for cybersecurity consulting with Verizon Business. Chris, welcome back. You and I have been talking about the DBIR, and I wanted to focus in on some specifics here, particularly ransomware. In a previous conversation, you and I had talked about how ransomware seems to have flattened out a little bit, but that doesn't mean we're out of the woods yet.
Chris Novak: That's absolutely right, Dave. Pleasure to be back. So, yeah, you're right, it flattened out. But, you know, the thing that I call out is it flattened out at the high watermark. Right? The highest point it's ever been was about a quarter of our cases in the data set and it continues to be at that high watermark. So I tell people it's great that it hasn't gone up any further, but I think you have to look at the why did it, you know, why did it stay flat? What is it that we can maybe take away from that and what do we foresee?
Dave Bittner: And let's dig into that. What is some of the back-story?
Chris Novak: Sure. Yeah. So, I mean, what I call out is I think ultimately it has kind of flattened maybe partially because we've gotten better. Organizations have gotten more prepared, which is great. I don't attribute it to fully that aspect. I also attribute it heavily to I think the threat actors have reached a point of saturation. The tools that they have at their disposal and the resources they have to deploy them, they've reached a point where I think they've hit a lot of what they can hit and be successful. And I think ultimately what they're looking at is either recruit more resources to be able to go out and hit harder, or they need to evolve their tools more in order to be able to get past some kind of layers of defenses. But I don't think it's going away. I don't think this is like a flattening followed by a decline. I honestly think it's a flattening followed by a retooling. I've been calling it kind of a retooling or a rebuilding year. You know, they're working on some player trades and some new offenses, and I think we're going to see them, you know, look to try to kind of get another leg up on that chart in the coming time. And I think part of that also is the fact that ransomware pays so incredibly fast. You know, if you look back at the history of breaches, most of the data breaches play out over weeks or months. Ransomware typically plays out over days. So if you're a threat actor, much better to get paid in days and move on to your next one than weeks or months. So I think the financial dynamics continue to be strong for them.
Dave Bittner: What are we seeing in terms of the ransoms both demanded and paid? How's that tracking?
Chris Novak: Interestingly as well, that is also remaining relatively flat. And when we actually look at the data, while we've seen the number of successful attacks flatten, we've actually started to see a little bit of an increase in the actual paid ransom amount. So threat actors are demanding more, victims are, I would say, willing to pay it. And I think part of it also is the entry and maybe maturity of cyber insurance. And not in any way suggesting that cyber insurance causes ransomware attacks. But what I've found is in talking with lots of organizations, one of the leading reasons they typically say in terms of why they buy insurance is to help them through a ransomware event. They want someone they can lean on to pay that ransom and absorb that cost. And so I think that has also resulted in situations where threat actors recognize, I hate to say this. This is like the old school analogy to bank robberies, where the bank robbers would say, we're robbing the bank, but the bank has got insurance. It's a victimless crime, right? The bank depositors, they don't lose a cent. They're insured, right? And so the threat actors think that nobody really gets hurt, right? It's just an insurance company that pays out and as if the money just grows on trees.
Dave Bittner: Right.
Chris Novak: And I think the threat actors somewhat are looking at ransomware in a similar vein of nobody really gets hurt. You know, we're just asking for money. The insurance company is going to step in and pay it and nobody really loses. And so in that respect, I think that is also still driving kind of some degree of bad behavior and bad hygiene because the victims of it also believe that the insurance company will step in and pay it for them as well.
Dave Bittner: Interesting. Are we seeing any dent from either direct involvement of law enforcement or even just the specter of that for the threat actors here, or do they still feel like they're pretty much able to operate out of reach?
Chris Novak: In many cases, they're still able to operate out of reach. You know, whether they believe it or in actuality, I think we still continue to see that. It obviously depends on where they operate. And obviously the geopolitical tensions, I don't think are helping because, you know, while we may not have always had the best alignment with some of the countries where we see these events emanate from, we have had case studies of success stories where things have been shut down or prosecuted or disrupted. And now I think there's a level of coldness that exists in a lot of those relationships where that's probably the last conversation that, you know, we're diplomatically going to have or law enforcement may engage in, in some of these different geopolitical climates. So I think that is definitely a challenge. I know that I see a lot of organizations who, they'll see a headline that so-and-so managed to get their ransom payment back. So maybe we'll just pay the ransom and we'll do the same thing. You know, and I also try to advise people that you never know that you're going to be successful in trying to recover the ransom, and you never know that paying a ransom is going to lead to you getting your data back or getting your systems unencrypted or any of those things. You're placing a lot of trust in the threat actor that they're going to follow through and maybe they will. But the other thing I also always tell people is the ransom is only one part of the cost. At the end of the day, you still need to do the root cause analysis to figure out how it started. You still need to patch and rebuild all the systems involved. So it's not like paying the ransom makes it like it never happened. Paying the ransom buys you a little bit more time, and obviously there's a whole other debate on whether or not we should even allow ransoms to be paid.
[Music] I know there's a lot of things going back and forth in various legislative bodies around the possibility of even making ransom payments illegal.
Dave Bittner: Yeah, no, it's a complicated equation for sure. Yeah. Well, Chris Novak, thanks so much for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show. You can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. You can email us at email@example.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Trey Hester with original music by Elliot Peltzman. The show was written by the CyberWire editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.