Don’t get snatched. Trends in phishing, cyber insurance claims, and threats to academic institutions. Hacktivism in the hybrid war. Updates on the ICC attack. MGM says its casinos are back.

Dave Bittner: CISA and the FBI warn of Snatch ransomware. A look at phishing trends. Ransomware is increasingly cited in cyber insurance claims. Trends in cyber threats to academic institutions. A Russian hacktivist auxiliary disrupts Canadian border control and airport sites. The ICC remains tight-lipped concerning cyberattack. N2K’s Simone Petrella sits down with Chris Krebs at the mWISE conference. In today’s Threat Vector segment, David Moulton from Unit 42 takes a peek into the modern threat landscape with Wendi Whitmore, SVP of Unit 42. And MGM Resorts says it’s well on the way to recovery.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Thursday, September 21st, 2023.

CISA, FBI warn of Snatch ransomware.

Dave Bittner: The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have released a joint Cybersecurity Advisory outlining tactics, techniques, and procedures (TTPs) associated with the Snatch ransomware. The advisory says, “Since mid-2021, Snatch threat actors have consistently evolved their tactics to take advantage of current trends in the cybercriminal space and leveraged successes of other ransomware variants’ operations. Snatch threat actors have targeted a wide range of critical infrastructure sectors including the Defense Industrial Base (DIB), Food and Agriculture, and Information Technology sectors. Snatch threat actors conduct ransomware operations involving data exfiltration and double extortion. After data exfiltration often involving direct communications with victims demanding ransom, Snatch threat actors may threaten victims with double extortion, where the victims’ data will be posted on Snatch’s extortion blog if the ransom goes unpaid.”

Dave Bittner: Many of the steps the Snatch operators have been observed taking don't evince a deep technical sophistication. They've exploited weaknesses in remote desktop protocol instances, and they've also purchased stolen credentials in criminal fora. Once they've achieved access to a target, they seek to compromise an administrator account and then connections to a command-and-control (C2) server over port 443. The C2 servers are, unsurprisingly, generally located on a Russian bulletproof hosting service.

Dave Bittner: So be on the lookout for Snatch, and take the usual precautions, particularly with respect to credentials.

Phishing trends.

Dave Bittner: There are several reports out on trends in cybersecurity. The first of these notes some of the ways phishbait is changing.

Dave Bittner: ZeroFox’s 2023 Phishing Trends Report has found that threat actors are moving away from using Microsoft Office files to deliver malware, likely due to Microsoft disabling VBA macros by default last year. Attackers are increasingly turning to malicious “Windows image files (ISO), archive files (RAR), Windows Shortcut files (LNK), OneNote files, restricted permission messages (RPMSG) files, and Windows Script files.”

Dave Bittner: The report also looks at developments in the phishing-as-a-service (PhaaS) market. The company says, “ZeroFox Intelligence notes a range of capabilities becoming increasingly prevalent in PhaaS offerings. These include kits that are able to account for regional differences (with geo-blocking), prevent engagement from unwanted sources (such as researchers), and leverage multiple detection evasion techniques. ZeroFox Intelligence has observed an increase in PhaaS packages leveraging Domain Generation Algorithms (DGAs), which generate random domains threat actors can pivot to between during attacks, making it harder for victims to block and remove these domains.”

Ransomware increasingly cited in cyber insurance claims.

Dave Bittner: What’s driving cyber insurance claims these days? No surprise–it’s ransomware.

Dave Bittner: Coalition has published a report looking at cyber trends in the first half of 2023, finding that there was “a 12% increase in cyber claims over the first six months of the year, driven by the notable spikes in ransomware and funds transfer fraud (FTF).” The researchers note, “Companies with over $100 million in revenue saw the largest increase (20%) in the number of claims as well as more substantial losses from attacks - with a 72% increase in claims severity from 2H 2022.” The report adds that the average ransom demand in the first half of 2023 was $1.62 million, a 74% increase compared to 2022.

Trends in cyber threats to academic institutions.

Dave Bittner: And the third trend we’re hearing about is the growing effect of ransomware on academic institutions.

Dave Bittner: Researchers at Comparitech have determined that downtime caused by ransomware in the education sector has caused approximately $53 billion in losses since 2018: “Although ransom demands may be lower in the education sector, downtime is high. Causing downtime is one of the main priorities for cybercriminals when carrying out a ransomware attack. Schools can ill-afford for systems to go down as this often means lessons are disrupted or even canceled as a result. As our findings suggest, downtime can extend for weeks and the effects felt for months after.” The researchers also note an increase in ransomware attacks against academic institutions, with 85 attacks targeting schools and universities in the first half of 2023, compared to 45 in H1 2022.

Russian hacktivist auxiliary disrupts Canadian border control and airport sites.

Dave Bittner: Turning to Russia’s hybrid war and its international effects, we see that Moscow’s hacktivist auxiliaries have been turning their attention to Canada.

Dave Bittner: NoName057(16) has claimed responsibility for recent attacks against Canadian sites, notably airports, according to La Presse. The Record summarizes some of the auxiliary's recent activity in Canada. Canada has been a prominent and vocal supporter of Ukraine throughout Russia's war. On September 15th the Canadian Centre for Cyber Security issued an alert warning that Canadian organizations, particularly government agencies, were the targets of distributed denial-of-service (DDoS) attacks.

Dave Bittner: The Centre offered a measured attribution of the activity to pro-Russian actors, saying " Open-source reporting links some of this activity to Russian state-sponsored cyber threat actors whose tactics, techniques and procedures have been extensively documented. In July 2022, the Cyber Centre assessed that Russian state-sponsored cyber threat actors would almost certainly continue to perform actions in support of the Russian military's strategic and tactical objectives in Ukraine. On February 24, 2023, the Cyber Centre reported on similar activity involving DDoS campaigns towards Ukraine-aligned nations."

ICC remains tight-lipped concerning cyberattack.

Dave Bittner: The Register reports that the International Criminal Court (ICC) is closely holding information about the recent cyberattack it sustained. Circumstantial evidence--mostly motive, opportunity, and a record of attempts to compromise the Court--still points to Russia, but little more is known at this time. The New Voice of Ukraine argues that the ICC might well construe an attack on itself as a war crime. The essay cites a Foreign Policy Analytics report by leading prosecutor Karim Khan, who warned that such cyberattacks might be integrated into future war crimes investigations.  Khan wrote, “Disinformation, destruction, the alteration of data, and the leaking of confidential information may obstruct the administration of justice at the ICC and, as such, constitute crimes within the ICC’s jurisdiction that might be investigated or prosecuted.”

Oceans 11, or something. Anyhoo, pass me the shoe.

Dave Bittner: Finally, MGM Resorts says that it’s returned operations to normal after the ransomware that’s troubled it for more than a week.  At least, operations seem to be more-or-less normal from the customers’ perspective. 

Dave Bittner: The casino operator posted a message on its site late yesterday: “We are pleased that all of our hotels and casinos are operating normally. Our amazing employees are ready to help guests with any intermittent issues. We thank you for your patience and look forward to welcoming you soon.”

Dave Bittner: So Danny Ocean and the boys are in custody, or at least they’ve been 86ed from the casino, and you can put on your eveningwear and go back to saying things like “neuf a la banque” [nuff ah lah bank] or “pass me the shoe,” or, wait a minute, those are the things they said in Monte Carlo in the James Bond movies. This high life is so confusing. We’re simple people around here. We’ll stick to the Maryland Lottery scratch-offs they sell over at King Liquors, on Pulaski Highway, in Rosedale, whenever we feel like paying the American tax on innumeracy. (Just kidding. Let yourself play.)

Dave Bittner: Coming up after the break, our own Simone Petrella sits down with Chris Krebs at the mWISE conference. In today's Threat Vector segment, David Moulton from Unit 42 takes a peek into the modern threat landscape with Wendi Whitmore, senior vice president of Uniformity. Stay with us. M 09:57 In today's sponsored Threat Vector segment, David Moulton from Palo Alto Networks Unit 42 speaks with Wendi Whitmore, senior vice president at Uniformity. Here's their conversation. [ Music ]

Wendi Whitmore: AI is game-changing in terms of the impact it's going to have on attacks, and then in particular, attackers' ability to move faster.

David Moulton: Welcome to Threat Vector, a segment where Unit 42 shares unique threat intelligence insights, new threat actor TTPs and real-world case studies. Unit 42 has a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Moulton, director of Thought Leadership for Unit 42. [ Music ] In today's episode, I'm going to talk with Wendi Whitmore, SVP of Unit 42. Her career is full of highlights, including being an inaugural member, the first ever Cyber Safety Review Board, launched by the United States Department of Homeland Security. She's serves on the Industry Advisory Board for Duke University's Master of Engineering in Cyber Security and is a member of the World Economic Forum's Global Future Councils on cybersecurity. At Unit 42, we're thrilled to have Wendi leading our team, and today, she's here to share her thoughts on the current threat landscape. Let's get right into it. Wendi, give us some insight into the current state of the threat landscape.

Wendi Whitmore: Hey, David. Thanks for having me today. So I think what's going on is that attacks are happening at a scale, a sophistication, and a speed that we really haven't seen before all together. And the reality is, that makes the work we do even more valuable than it's been before. So when we talk about scale, the reality is that businesses rely on more applications and third-party software than they ever have before, and vulnerabilities in that same software are increasing in scope to a massive degree. That's resulting in organizations being compromised, oftentimes within hours of public disclosure of a vulnerability. One of the most recent examples is the MOVEit case, where the clOp ransomware group exploited over 600 organizations starting in May of 2023, and this number continues to grow. When we look at sophistication, though, and you couple this in particular with scale, you're seeing that nation-state actors in particular -- groups like Russian APT eartha [phonetic], who's famous for the SolarWinds attack -- we're seeing them really demonstrate in-depth knowledge of business processes. And especially today if you move into cybercriminal landscape -- what's in the news right now with Muddled Libra or Scattered Spider -- you see those organizations really have a strong understanding of business processes and how IT departments work in particular. And then lastly what they're doing is leveraging so many apps, trusted applications -- like Office 365, Google Drive, for example, Dropbox -- that we use and really trust and then using those to get information out of the environment. Lastly, when we talk about speed, you know, as if sophistication and scale weren't enough, right, the reality is it used to take these attackers days, weeks, and even months in some cases to carry out an attack. And today we're seeing them do that same attack in a span of hours. I think the biggest concern there is that the attackers are operating by and large faster than organizations are able to respond, especially when we look at the mean time to respond being six days, which it is today, it's absolutely critical that the mean time to respond decreases and becomes faster than the time it actually takes for the attacker to carry out that same attack.

David Moulton: Wendi, how is AI coming into play here?

Wendi Whitmore: So AI is, in particular, generative AI, is really increasing the speed with which attackers are able to operate. So if you think about the work that they do today, there's the human component of it with social engineering, and generative AI, in particular, enables them to move faster, reduces language barriers, and increases their effectiveness of social engineering tactics used by these same threat actors. And then when we look at new tools coming into play -- like WormGPT and FraudGPT -- we're going to see that enabling them to be able to move more effectively going forward.

David Moulton: What do businesses need to consider when looking to protect themselves against quicker, more creative, and large-scale threat actors?

Wendi Whitmore: First and foremost, speed. So what I mean by that is businesses need to be able to respond at machine speed or the speed of the attack, right. So they need to be able to implement detections at the speed of the attacker, and they're going to have to leverage technology to do that. The second challenge I see relates to integration. So there's too many tools today that organizations are using that require manual integration, there are different screens and different panes of glass. And having a platform approach to detection really helps organizations prevent -- so, one, detect, prevent, and respond at every stage of the attack, which includes network endpoint and cloud. And then lastly, we really need these operationalized capabilities and processes. So we can't stop at just having speed to detect and then integration of tooling, but it really has to be operationalized with strong repeatable processes in order for it to be consistently effective, but also continually matured within an organization.

David Moulton: Wendi, thanks for joining me on Threat Vector today. It's great to hear directly from you. For our listeners that want to learn more about the threat actor groups Muddled Libra or clop that Wendi mentioned today, or to go deeper on many more threat actors, visit the Unit 42 Threat Research Center. And if you think that you may be under attack, contact the experts at Unit 42 to help assess your risk and exposure. We'll be back on the CyberWire Daily in two weeks. Until then, stay secure, stay vigilant. Goodbye for now. [ Music ]

Dave Bittner: And that is Threat Vector, a sponsored segment brought to you by Palo Alto Networks Unit 42. [ Music ] Chris Krebs is well known and respected in the cybersecurity world as former director of the Cybersecurity and Infrastructure Security Agency, now a partner at the Krebs Stamos Group and an advisor to SentinelOne. My N2K colleague Simone Petrella sat down with Chris Krebs at the mWISE conference in Washington, DC, hosted by Mandiant and Google Cloud. Here's their conversation.

Simone Petrella: So I know one thing that has been on kind of all of your talking points is how technological systems have really become part of enterprise risk management writ large, and then in addition, business strategy. So I guess maybe to kick it off, what are some of the things that you think security executives and teams in particular need to do to navigate between this kind of inevitable in separation between technology systems, security risks, and business objectives?

Chris Krebs: Yeah. So there are two immediate thoughts. One is that we really need security teams and screening program leads to make sure that they're thinking strategically and not get trapped in the day-to-day shiny object procurement cycles; really start thinking about the broader risk to the enterprise, rather than, again, diving down into a single capability. And part of that is starting, as I see it, with a real full analysis and understanding of what your threat model looks like. You know, we do see a lot of organizations get wrapped around the actual ransomware, which is important, and it's also probably the single greatest threat to any organization. But at the same time, there's an increasing number of organizations that kind of fit into an adversary's playbook. And what we're seeing lately is much more aggressive behavior by particularly the Chinese Ministry of State Security and the PLA, as evidenced by the Volt Typhoon and Crimson Typhoon activity that reported earlier this summer out of Microsoft. This shows that they're preparing for conflict. And in doing so, they would try to win the fight before the fight's actually begun. And part of that is going after US critical infrastructure and our ability to support the military as well as just general civil society. So, you know, I do think it's critically important that organizations take a step back, say, how would I fit into an adversary's gameplan, and what do I need to do to step up from a security perspective, but also, you know, how do I need to work better with government and make sure I understand the threats coming my way? That's great, right. That's exactly where you need to start. How do you get that done is actually quite complicated though. You start with a threat model, you run a gap analysis against your current security program, and then you pull together the roadmap on how you do that. A CISO or a security team lead, in their own positions, will not be able to get that done in any sort of, you know, realistic timeframe or, you know, practically execute. It really does require high level executive engagement to ensure that you're pulling together a team that can communicate the risks to the business. And it's going to take a collective approach here. So make sure you're working across industry. ISACs are great tools to make sure you kind of know what else is happening in the sector across the industry. And then, of course, keep working with government, whether it's CISA or the intelligence community and the FBI, or foreign partners that play a similar role.

Simone Petrella: So switching gears on you here a little bit, but since you left CISA, the agency has been pretty much on the lead or pegged as the US government's efforts to help attract, retain, and bring in additional cybersecurity talent. And I'm curious even from your time and what you're seeing now, what are some of the skill sets that the agencies you've worked with need the most when we think about kind of cybersecurity profession?

Chris Krebs: Yeah. I think one of the real turning points over the last several years, particularly at CISA, is, you know, the ability -- it's not too different from the private sector, right. It's the ability to communicate risk in a way that makes business sense. How do you talk to not just the defenders that understand how to, you know, they know what a yard rule [phonetic] is, how do you talk to their executives that set their budget, that give them, you know, that have the governance and policy responsibilities? And that's one of the big things that we really tried to emphasize in my time, and I see Jen continuing to do working at the senior level, is to help them understand -- hey, the best example that I have here is, in 2020, January 2, when the US government took out General Soleimani with the IRGC. We were able to immediately get not just some tactical information out to defenders on, here, you know, the common TTPs for Iranian threat actors and their proxies, but also flip it into an executive version that said, here's why this matters to you in the private sector, and the things they've done in the past, going after banks and other critical infrastructure, when they're agitated, how they've hit regionally as well as they've hit -- just try to put into context why events matter to executives, not just at the technical security level, but also at the business risk level. That's the sort of thing, again, we need more people that understand how to communicate in business terms. I also think, you know, the thing that I've been really kind of heartened by is the continued emphasis on building out the CISA field force. Jen Easterly, a month or so, announced that there are going to be election state coordinators out. And I understand they're in the process of hiring and interviewing for this. I think that's fantastic to have dedicated election support teams out in the regions as well as the continued cybersecurity advisor, so that you can get that, you know, last mile engagement, that last mile tailoring of engagement. Because otherwise, if you're pushing CISA out in DC, it's just not going to land, it's not going to resonate uniformly.

Simone Petrella: I know one of the things we talk about is this idea that, you know, we in the cybersecurity community have spent so much of our time kind of focused on like finding those unicorns or finding someone who has all that experience and then can all the sudden communicate it. And it's partly because we focus on the individual and try and hire those superstars right off the gate. But in reality, a lot of times they just don't exist until we grow them. So, you know, should we shift our attention from finding those diamonds in the rough and grow that workforce more than we have necessarily in the past?

Chris Krebs: Well, I think some of the programs that have been put into place for hiring over the last year, including the cyber talent management system, is going to give a bigger kind of top of the funnel for recruiting to bring in more technical people. They don't stick to the traditional GS scale that really is more of an administrative management approach. And, you know, you don't really know how, within the GS scale, how to hire and retain someone that may have been, you know, hacking boxes since they were, you know, 10, 11, 12, and now they just finished either a two-year school, or maybe didn't even go to college. And it really does prioritize in the GS scale, you know, four-year degrees. And that may not always be relevant. And so CTMS should give an advantage. But, you know, there are still challenges in hiring in government. It takes too long. It's far too bureaucratic. You have security clearance challenges at times as well. So, you know, we need to continue looking to make sure that we're not over-classifying and over-specking positions. And, you know, within my role at the Aspen Institute, in the cyber working group there, we have done some work on hiring recommendations, including making sure we're not over-specking, things like that.

Simone Petrella: Yeah. Well, my last question is probably the most important question/statement, which is: I have been told that you are known for your socks.

Chris Krebs: Yes.

Simone Petrella: Even though I can't see them, I wanted to share with everyone your socks.

Chris Krebs: Oysters.

Simone Petrella: Oysters, all right. Just in time for fall.

Chris Krebs: Yes [laughing]. I kind of got away from socks for a little bit, and then mainly just would not wear them during the summer.

Simone Petrella: Right. We're just coming back into it.

Chris Krebs: Right, there we go.

Simone Petrella: Awesome. Well, Chris, thank you so much for taking the time with us this morning. I really appreciate it.

Chris Krebs: Thanks a lot. Yep, thanks. Have a great day.

Dave Bittner: That's Chris Krebs speaking with my N2K colleague Simone Petrella. [ Music ] And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at the cyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.