An international hunt bags Qakbot’s infrastructure. Anticipating remediation. Adversaries in the middle. More effective phishbait. Air travel disruption was a glitch, not an attack. Hybrid war update.
Dave Bittner: An international operation takes down Qakbot. Chinese threat actors anticipated Barracuda remediations. A look at adversary-in-the-middle attacks, making phishbait more effective and the emergence of a new ransomware threat. Narrative themes in Russian influence operations. My conversation with Natasha Eastman from (CISA), Bill Newhouse from (NIST), and Troy Lange from (NSA) to discuss their recent joint advisory on post-quantum readiness. Microsoft’s Ann Johnson from Afternoon Cyber Tea speaks with Cyber Threat Alliance President and CEO Michael Daniel about the current state of cybercrime. And when toilet bowls are outlawed, only outlaws will have toilet bowls.
Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Wednesday, August 30th, 2023.
International operation takes down Qakbot.
Dave Bittner: Yesterday the US Justice Department announced the takedown of the Qakbot botnet. Led by the US FBI, it was a multinational action with participation by France, Germany, the Netherlands, Romania, Latvia, and the United Kingdom. The basic approach the agencies followed was first, to obtain lawful access to the infrastructure and redirect traffic to servers the Bureau controlled. Any computer redirected to the server received an uninstaller file that removed the Qakbot malware. The US Attorney for the Central District of California explained Qakbot's place in the criminal economy. "According to court documents, Qakbot, also known by various other names, including 'Qbot' and 'Pinkslipbot,' is controlled by a cybercriminal organization and used to target critical industries worldwide. The Qakbot malware primarily infects victim computers through spam email messages containing malicious attachments or hyperlinks. Once it has infected a victim computer, Qakbot can deliver additional malware, including ransomware, to the infected computer. Qakbot has been used as an initial means of infection by many prolific ransomware groups in recent years, including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta. The ransomware actors then extort their victims, seeking ransom payments in bitcoin before returning access to the victim computer networks."
Dave Bittner: SecureWorks researchers call the group that operated Qakbot "the financially motivated GOLD LAGOON threat group." As is often the case, the threat group is tracked under several names. Symantec, part of Broadcom, calls it "Batbug." The botnet malware itself has been in action since 2007. It has a modular structure that supports a variety of activities, but it's been especially useful for ransomware attacks. Secureworks also emailed an overview of what they've observed with respect to Qakbot recently, while the botnet was in its salad days. It was global in scope. "We observed 10,000 infected machines in 153 countries connecting to the C2 server over a 4-month period," Secureworks wrote. About 5000 of the infected machines were connected to a domain, and thus can be inferred to have resided in business environments. The business infestations were probably of greater interest to the criminals. The US, Germany, and China represented the three most targeted countries. Symantec reports that Qakbot was especially active between January and June of this year, when it relied principally upon spam for its distribution.
Dave Bittner: Qakbot's operators are based in Russia. That explains the lack of arrests in this case, and it also explains why Qakbot was able to operate with impunity. It was tolerated and probably enabled by the Russian authorities. Cooperation with criminal organizations is commonplace among Russian security and intelligence services. They're left free to operate as long as the victims aren't Russian, or as long as their crimes abroad don't harm Russian interests.
Dave Bittner: But may they be brought to justice eventually. Well done, FBI and all international partners. And for future operations against the Qakbot gang, “Fetch!”
Chinese threat actor anticipated Barracuda remediations.
Dave Bittner: Last week the US Federal Bureau of Investigation (FBI) released an alert warning that Barracuda’s Email Security Gateway (ESG) appliances remain vulnerable to compromise by suspected Chinese government threat actors. Yesterday Mandiant described how that exploitation was proceeding. The threat group responsible, UNC4841, is both adaptable and responsive to defensive measures, readily altering its tactics, techniques, and procedures to maintain persistence in the face of defenders' attempts to expel it. In this case UNC4841 anticipated remediations in advance. Mandiant expects the group to continue to seek ways of compromising edge devices.
The Microsoft Threat Intelligence team has warned of a rise in adversary-in-the-middle (AiTM) phishing attacks, The Hacker News reports. These attacks are launched via phishing-as-a-service (PhaaS) offerings. Microsoft said in a post on X (formerly known as Twitter), “This development in the PhaaS ecosystem enables attackers to conduct high-volume phishing campaigns that attempt to circumvent MFA protections at scale.” The researchers add, “Circumventing MFA is the objective that motivated attackers to develop AiTM session cookie theft techniques. Unlike traditional phishing attacks, incident response procedures for AiTM require revocation of stolen session cookies.”
Making phishbait more effective.
Dave Bittner: Cofense warns that users should be wary of emails that have dates in their subject lines, especially if the emails reference “late faxes, missed voicemails, overdue invoices, payroll, and other themes generally involving the need for immediate interaction.”
Dave Bittner: The researchers explain, “[I]n over 2/3rds of the emails with dates in their subject line, the listed dates are before the email is accessed. This is not surprising as it has long been assumed that threat actors are doing this to create a false sense of urgency. The dates in email subjects can now be added as a suspicious indicator. If the date in a subject line is before the date the email is accessed, then the email should be examined with additional scrutiny and time should be taken rather than allowing the threat actor to take the initiative and pressure victims into quickly interacting.”
The emergence of a new ransomware threat.
Dave Bittner: Flashpoint is tracking a new threat actor called “Ransomed” that conducts data theft and uses a new tactic to coerce victims into paying the ransom: “Ransomed is leveraging an extortion tactic that has not been observed before—according to communications from the group, they use data protection laws like the EU’s GDPR to threaten victims with fines if they do not pay the ransom. This tactic marks a departure from typical extortionist operations by twisting protective laws against victims to justify their illegal attacks.”
Dave Bittner: The group sets ransom demands between €50,000 and €200,000—relatively low compared to the fines typically imposed under GDPR. It’s worth noting that this tactic depends on the victim concealing the breach, which could lead to even heftier fines if this comes to light later on.
UK air travel disruption was a malfunction, and not an attack.
Dave Bittner: Wrapping up a loose end from earlier this week, whatever caused the UK's Nats air traffic management system's problems earlier this week, the BBC reports that the government's preliminary investigation has effectively ruled out a cyberattack.
Narrative themes in Russian influence operations.
Dave Bittner: And, finally, Russian propaganda in the active theater has taken a tactical turn, apparently aimed at undermining Ukrainian morale while simultaneously shoring up Russian domestic resolve. The Institute for the Study of War confirms five themes the Ukrainian Main Military Intelligence Directorate (GUR) is pursuing.
Ukraine is "conducting mass mobilization regardless of age, gender, or health."
The West is losing faith in Ukraine.
The Ukrainian counteroffensive is failing.
The Ukrainian government is utterly corrupt.
Russia has improved standards of living in the territories it's occupied.
Dave Bittner: That high standard of living in the occupied territories is so high they even have indoor toilets, which is why the occupying troops have been stealing those and sending them home. There are some things it’s impossible to resist, after all. The standard of living is so high in the newly annexed territories that they’ve got stuff they can only dream of back in small-town Lokomotivny [loh-koh-moh-TEEV-nee] or Magnitogorsk [mahg-nee-toh-GORSK]. Like, y’know, toilet bowls. And stuff…
Dave Bittner: And hey, if you believe those five things, there’s this bridge in Minsk…no, wait, this is the Twenty-first Century, not the early Twentieth…there’s an NFT on a server in Chelyabinsk you might be interested in buying. No, really, it’s like in this blockchain and everything… step right up.
Dave Bittner: Coming up after the break, my conversation with Natasha Eastman from CISA, Bill Newhouse from NIST and Troy Lange from NSA to discuss their recent joint advisory on post-quantum readiness. Microsoft's Ann Johnson from "Afternoon Cyber Tea" speaks with Cyber Threat Alliance President and CEO Michael Daniel about the current state of cybercrime. Stay with us. So for the past few years, there have been warnings coming at a steadily increasing pace that organizations, and indeed we as a nation, need to prepare ourselves for the coming wave of quantum computing, systems with the computational power to render modern encryption methods obsolete. CISA, NSA and NIST jointly published a fact sheet titled Quantum Readiness: Migration to Post-Quantum Cryptography. I'm joined today by experts from each of those organizations. Natasha Eastman is chief of CISA's post-quantum cryptographic initiative. Troy Lange is chief of encryption production and solutions at NSA, and Bill Newhouse is a cyber security engineer at NIST. Natasha, can I start with you? For you and your organization, how would you describe the state of things?
Natasha Eastman: I think we're at the beginning. From a critical infrastructure standpoint, organizations are at a spectrum. And particularly some sectors, are well aware of this technology and where it's going, and they're thinking about how to incorporate it into their products, into their security. And for others, this is very much a new thing that they're just starting to learn about and starting to prepare for.
Dave Bittner: Troy, how about you?
Troy Lange: Yeah, I agree. We're very early on in the journey here. What I'm heartened by is that the Department of Defense has clearly taken this very seriously. They've made some investments to make sure we're getting after making sure that national security systems are quantum resistant. And with the issuance of National Security Memorandum Number 10 last year that compels departments and agencies to get a plan together shows that we're early on, but we're getting a good head start on this.
Dave Bittner: And Bill, from your perspective, where are we right now?
Bill Newhouse: Well, NIST put out draft algorithms last week, the FIPS 203, FIPS 204, and FIPS 205, and that's a culmination of seven years of cooperative work across the globe with cryptographers to identify what can be created that is quantum resistant. And so that's a nice seven-year process. And now we get closer to the realization of these algorithms in today's technologies. And then when that happens, testing that makes them available to the federal government for use becomes part of the process. So we're getting ahead of the ability to use this stuff because it's going to be complicated to do those things and to figure out where you're using quantum-vulnerable cryptography that needs to be replaced, that if you continue to use quantum-vulnerable cryptography, you're putting data at risk, getting ahead of that curve. So it's early days, but it's late days in some respects on the work towards these algorithms that we're going to be moving to.
Dave Bittner: You know, both Natasha and Troy, I'm curious, do you suppose there's a possibility that we could experience a Sputnik moment when it comes to quantum, where one of our adversaries would suddenly announce to the world that their capabilities are perhaps farther ahead than we had thought that they might be?
Natasha Eastman: I'll leave the speculating on our adversaries to Troy. I think the important thing that we're thinking about here is that it's not like the minute that a cryptanalytically relevant quantum computer appears that all cryptography is broken across the globe. You know, the information and particular cryptographic implementations will still have to be targeted. But I think what we need organizations to understand and what we are seeing is that information is being taken today that is considered secure, possibly for use and breaking later. So organizations have to start thinking about it earlier than a cryptanalytically relevant quantum computer is actually here. Troy, over to you.
Troy Lange: Yeah, I mean there's no way to predict when the breakthrough is going to happen, and what you kind of talked about there with a Sputnik moment is kind of like my worst nightmare scenario. Hopefully we won't find ourselves there. I don't believe that we will, but nobody can predict with any accuracy when, you know, that day is, when it's going to be first turned on and fired up. But we have to take it seriously, because I think if you take a look at the amount of investments that's being made just in commercial industry, there is a lot of investment in research that's going into this. In my mind, it's inevitable it's going to happen, and we need to be prepared for that because it will be devastating if we are not.
Dave Bittner: You know, Natasha, let me switch back to you here. For the folks in our audience who are responsible for defending their own organizations, what would be your advice coming into this transitional period here? Any tips or words of wisdom for them?
Natasha Eastman: Yeah, and I think there's two things that we focus on, right? And the first is thinking about creating a plan, right? What are the different parts of the organization that need to be a part of that? There's the element of, you know, inventory. There's the element of how you are working with your vendors. There's the development of your IT. This is, you know, not just a team's board of organizations, but internal to an organization. What does that team look like that's going to get your organization ready? And the second is the foundation. How is an organization thinking about the data that they own and what data that they own is, number one, protected by cryptography today? Number two, needs to be protected by cryptography? And three, what is the secrecy lifetime of that data? And so is that something in that system that protects that data? Does that need to be upgraded or where is that priority within the organization?
Dave Bittner: Troy, how about your thoughts? Same topic there.
Troy Lange: Yeah, so, you know, a lot of interesting parallelism. As I'm listening to Natasha talk about, you know, industrial control systems, we have a lot of the same challenges with weapons platforms. You know, you put out a submarine to sea, it doesn't come into port for an oil change every 3,000 miles. So that planning is a critical component of what we're doing. And the first foundational part is understanding what your overall inventory looks like. And so while we represent pretty significantly different sectors, we have a lot of the same overlap and a lot of the same issues that I think cut across all domains, is understanding what is your exposure, understanding what are those things that you care most about. And then again, I can't emphasize this too much, that starting to plan now. You know, as we talk about driving towards a 2035 or 2034 date, that may seem like it's a long way off. But when you think of the enormity of the inventory that's out there that needs to be addressed, there's a lot of work to do between now and then.
Dave Bittner: Natasha, I want to give you the final word here. To what degree should security professionals have a sense of urgency when it comes to this? Yeah, I think, you know, this has been a theme throughout the entire discussion. You know, the preparation needs to start now. You know, the work that needs to be done is not easy, nor is it things that can be done overnight. So, you know, security professionals really need to think about starting their team, getting their inventory done, starting to think about how they're working across development lines, you know, working with their vendors and what that timeline looks like. So, you know, when we think about urgency, is it something that we need everyone running around with their hair on fire? Not necessarily, but we also need them thinking about getting this started today so that by the time we are thinking about a cryptanalytically relevant quantum computer coming on board, that they're ready. Our thanks to CISA's Natasha Eastman, NSA's Troy Lange, and NIST's Bill Newhouse for joining us. The joint fact sheet is titled Quantum Readiness: Migration to Post-Quantum Cryptography. You can find it on CISA's website. Do check it out. There's an extended version of this conversation that will be dropped into your CyberWire podcast feed. You can also find it on our website. We hope you'll check that out as well. Microsoft's Ann Johnson is host of the "Afternoon Cyber Tea" podcast right here on The CyberWire network. She recently spoke with Cyber Threat Alliance President and CEO Michael Daniel. Here's a segment from their conversation.
Ann Johnson: Today, I am joined by Michael Daniel, President and CEO of the Cyber Threat Alliance, an organization focused on cyber intelligence sharing across the digital ecosystem. Michael has been the President and CEO of the Alliance since early 2017. Prior to this, he served as the U.S. Cybersecurity Coordinator under the Obama administration. Michael has decades of leadership experience in the U.S. federal government and is a leading expert on ransomware and the disruption of cybercrime. He is also co-chair of the U.S. Joint Ransomware Task Force and is a leader on the World Economic Forum Partnership Against Cybercrime. Welcome to "Afternoon Cyber Tea", Michael.
Michael Daniel: Thanks for having me. Really happy to be here.
Ann Johnson: So the big picture, right? You know, I think it's still a little under-known about cybercrime and people don't understand what a big multi-trillion-dollar business it is. And it's not just some, you know, hooded figure, you know, that we like to see hacking an individual computer by sitting in a basement in some remote part of the world. There's actually large cybercrime organizations that have CEOs and CFOs and they have leadership and they have HR people. They have everything you could think of that a large corporation has. What challenge does this new sophistication, this evolution from small-time crime to them actually becoming big business bring to the industry as a whole?
Michael Daniel: Yeah, and I think you're absolutely right to sort of focus on that, that like people's image of the hacker, right, is still that that dude in the hoodie, you know, living in his mom's basement. And that is not what we're facing as the cybercriminal adversaries. I think that, you know, with that sophistication means that they can be much harder to defend against. They have access to a much wider array of tools. They have access to a lot more financing to support development of tools so they can be more sophisticated when they need to be. They don't often need to be, unfortunately. And as a result, it means that these networks are much more challenging to tackle and they're much harder to defend against as a result. It also means that the problem, and you said it, I mean, the problem is actually, you know, very large. Obviously, exact estimates about the size of the criminal underworld are hard to come by, but certainly the size of the cybercriminal industry, if you will, is certainly measured with words that start with Bs, right, billions, if not into the trillions. And so it's a huge, enormous, sprawling business. And it also means it's much harder to disrupt because it's much more resilient. And simply arresting, you know, one person here or there is not going to really put a dent in cybercrime. And so as a result, it means that we're going to have to build new ways of tackling it.
Ann Johnson: I read an article this week that talked about how whilst ransomware payments were down a little bit in the year 2022, they've actually increased again in the first half of 2023. So can we talk about the numbers? How big of a problem -- you know, you said ransomware and business email compromise are the biggest, but what impact is ransomware in particular having on organizations across the globe? And what's new about it, right? What do you think is new from a defense standpoint or a tactic standpoint from the actors?
Michael Daniel: Well, I think there's a couple of things that are new. One is, as I was just mentioning, the level of aggressiveness and the willingness to sort of engage in that double and triple extortion, right? And even getting into threatening individuals, like sending harassing texts and making harassing phone calls to executives and executives' spouses at target companies. Those tactics, they've gotten a lot -- the best word I can use for it is darker and more sort of criminal, blatantly criminal and not sort of with this fiction that like, oh, this is kind of this victimless crime and just kind of this white collar money thing, you know, they're making it much more personal. And so that's been a big -- I think that we're starting to see more and more of that. It's a big problem because it can cause a huge amount of disruption, both to an individual organization, but also at a societal level. If you have a major school system that is the subject of ransomware, right, and the kids can't go to school, that has a big impact on a community, right? Everyone in that community is affected as a parent, as a student. It can even have effects up to the national level, as we saw with Colonial Pipeline back in 2021.
Dave Bittner: Don't forget to subscribe to the "Afternoon Cyber Tea" podcast hosted by Microsoft's Ann Johnson. It's right here on The CyberWire Network. And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at firstname.lastname@example.org. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like The CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Ervin and senior producer Jennifer Eiben. Our mixer is Trey Hester, with original music by Elliott Pelzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.