The CyberWire Daily Podcast 11.14.23
Ep 1947 | 11.14.23

The cyber underworld is getting a bit faster and a lot looser, and the gangs may be drawing some unwelcome attention.


Dave Bittner: CISA and the FBI issue an update on Royal Ransomware. A look at smash-and-grab ransomware attacks as well as cloud vulnerabilities. A pre-Black Friday look at card skimmers. Fences, and their place in organized cybercrime. DP World Australia restores port operations. Joe Carrigan on scammers taking advantage of the Bittrex crypto market being shut down. In our Industry Voices segment, Usama Houlila from CrossRealms International shares his insights on the pivotal role of AI in cybersecurity. And LockBit may be drawing unwelcome attention to itself.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Tuesday, November 14th, 2023.

CISA and FBI issue an update on Royal Ransomware.

Dave Bittner: We begin today with a warning from the Feds, specifically from the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (the FBI).

Dave Bittner: A classic double-extortion ransomware gang that both encrypts and doxes its victims, Royal is undergoing some changes. CISA and the FBI yesterday updated their advisory accordingly:

Dave Bittner: "Since September 2022, Royal has targeted over 350 known victims worldwide and ransomware demands have exceeded 275 million USD. Royal conducts data exfiltration and extortion prior to encryption and then publishes victim data to a leak site if a ransom is not paid. Phishing emails are among the most successful vectors for initial access by Royal threat actors. There are indications that Royal may be preparing for a re-branding effort and/or a spinoff variant. Blacksuit ransomware shares a number of identified coding characteristics similar to Royal. A previous joint CSA for Royal ransomware was published on March 2, 2023. This joint CSA provides updated IOCs identified through FBI investigations."

Dave Bittner: CISA and the Bureau have updated their notes on the gang's tactics, techniques, and procedures, as well as their list of indicators of compromise (IOCs). Read and heed, CISOs. And look to user awareness training: rebranded or spun-off, the operators behind Royal can be counted on to continue their phishing.

Smash-and-grab ransomware attacks.

Dave Bittner: Sophos has published its 2023 Active Adversary Report for Security Practitioners, noting a “precipitous decline in dwell time for all attacks.” This represents an increase in the attackers’ proficiency: they’re able to get in, root around, and get out faster, even as they continue to use tried-and-true tactics, techniques, and procedures. It also suggests that the criminals are aware that defenders are now more alert and much quicker on the uptake. There’s no time for anything other than a smash-and-grab.

Cloud vulnerabilities: current trends and risks.

Dave Bittner: Illumio has released a cloud security survey conducted by Vanson Bourne, finding that “47 percent of breaches in the last year at surveyed organizations originated in the cloud.” There are some trends in cloud vulnerabilities that are worth some attention.

  • First, “Complexity of applications and workloads, and the immense overlap of cloud and on-premises environments,” complicate the defenders’ task.

  • Second, still more complexity: “Diversity and the expansive number of services that cloud providers offer such as IaaS, PaaS, containers, and serverless computing.”

  • And finally, it’s difficult to maintain situational awareness in that complicated environment. “Poor visibility over all the above, including the inability to identify weak points and proactively ensure protection rather than just reactively locking down compromised systems.”

A pre-Black Friday look at card skimmers.

Dave Bittner: Malwarebytes is tracking an increase in card-skimming campaigns ahead of the holiday shopping season. The researchers describe a large credit card skimming operation called “Kritec” that surfaced in March 2023. The threat actors craft customized skimmers for each compromised website: “The experience was so smooth and seamless that it made it practically impossible for online shoppers to even realize that their credit card information had just been stolen.”

Dave Bittner: The researchers comment, “In April this skimming campaign reached a peak and then slowed down during the summer. However, it came back, increasing to its highest volume in October. We measured this activity based on the number of newly registered domain names attributed to this threat actor.”

Dave Bittner: All of this can be expected to continue, and indeed to increase, during the holiday season.

Fences, and their place in organized cybercrime.

Dave Bittner: It’s not just card-skimming, either. There’s also an increase in organized shoplifting.

Dave Bittner: A report from Nisos looks at cybercriminal fences involved in Organized Retail Crime (ORC). The researchers note, “ORC is separate from typical shoplifting committed by individuals stealing goods for personal use. To acquire products, an ORC enterprise typically steals large quantities of merchandise from stores or cargo locations to resell online, at independent locations, or through other retailers.”

Dave Bittner: It works because of the widespread and largely unregulated after-market for stuff that thrives online. Nisos says it all comes down to the fencing. “The success and endurance of ORC relies on the fencer’s ability to sell stolen merchandise to consumers who are either unwitting or apathetic to the product’s origin and acquisition. A review of court cases showed fencers are often the top individuals in smaller or less complex enterprises, while larger enterprises may involve senior individuals who help divert and ‘clean’ stolen goods before resale.”

DP World Australia restores port operations.

Dave Bittner: DP World Australia has reopened port operations as its investigation into the cyberattack the company sustained Friday continues. There is so far no public disclosure of the precise nature of the incident, and no known criminal group appears to have claimed responsibility. DP World did issue a statement to its various stakeholders in which it said, “A key line of inquiry in this ongoing investigation is the nature of data access and data theft.” BleepingComputer points out that data theft is typically a concern in extortion attacks, but there's been no public acknowledgement that the incident involved ransomware. (In any case, a concern about data loss would be prudent in any victim of a cyberattack.)

LockBit may be drawing unwelcome attention to itself.

Dave Bittner: And, finally, has LockBit maybe gone too far with its recent attacks?

Dave Bittner: The Washington Post comments that LockBit's attack against the Industrial and Commercial Bank of China’s ICBC Financial Services division may backfire against the gang. LockBit is generally regarded as operating under the tolerance and effective protection of the Russian government. LockBit says that it's based in Amsterdam, and that it's a group of disinterested criminals without political purposes and interested simply in financial gain. It's got a plausible case for financial motivation, but the group's Russian identity isn't in serious question. It operates effectively as a privateer, free to attack where it will, as long as it avoids Russian targets. It also runs an affiliate program in which it licenses its malware to other criminal franchises.

Dave Bittner: US and (especially) Chinese authorities are unlikely to ignore or overlook the attack on ICBC. Prominent members of the Chinese Communist Party lost money in the financial turmoil that followed the attack, and China is likely to take enforcement action against the gang. Russia may have been embarrassed by an attack against a country it's assiduously courted as a wartime ally, and it's not impossible that Russian security services might make a gesture against LockBit with a round of arrests. The Post lists some other possibilities surrounding the attack:

  • Russia may have approved the attack as retaliation for Chinese cyberespionage.

  • LockBit may have imperfect control over its affiliates, and is brazening out the attack to avoid losing face in the underworld.

  • The Russian government's close relationship with cyber gangs may be fraying under the pressure of the war against Ukraine.

Dave Bittner: LockBit told Reuters yesterday that ICBC had paid the ransom demanded, and that the matter was now closed, but that's just LockBit's unreliable word. And, have you heard? Gangland is inhabited by lots and lots of fibbers.

Dave Bittner: Coming up after the break, Joe Carrigan on scammers taking advantage of the Bittrex crypto market being shut down. In our Industry Voices segment, Usama Houlila from CrossRealms International shares his insights on the pivotal role of AI in cybersecurity. Stay with us. [ Music ] Usama Houlila is founder and CEO of CrossRealms International, an IT services provider. In this sponsored Industry Voices segment, Usama Houlila outlines his thoughts on the pivotal role of AI in cybersecurity and its potential to revolutionize our response to cyber threats.

Usama Houlila: Historically speaking, it used to take three months for an attack to take place. Like, if we go back to Target and others, it was three months, and then it dropped down to a couple of weeks, then a couple of days, and now we're zero to four hours for an attack to start -- start to finish. So the thought is, a human isn't going to be able to deal with it because it's actually quite complex as a problem. So one, you have to receive the logs in time. Two, you have to figure out what those logs are and correlate them and enrich them, then figure out what action to take on them, and you have zero to four hours. Well, that's kind of short. That's extremely short. So the way I view AI is a way to kind of speed things up so that we're able to react skillfully or automatically before the hackers are able to kind of complete their attack.

Dave Bittner: Can you walk us through that process? I mean, a threat actor decides that they have their sights set on an organization, how could AI help facilitate their defense?

Usama Houlila: The way we're dealing with it is we're looking at all the machine data that is coming in and we're trying to turn it into an enriched data that is in a human format. So instead of looking at pages and pages of logs that you have to somehow try to forensically understand, we're turning it into simple format, simple language format. So it says, for instance, this person logged in, this person did this, this person changed their password, this person went somewhere else. So the first thing we're dealing with is utilizing AI to turn machine data into a human language model, and then from there, turning that into action, whether automated or human, depending, of course, on what it is. So this is how, at least for us at CrossRealms, that's how we're tackling AI in cybersecurity.

Dave Bittner: And what part does the human have to play in this equation?

Usama Houlila: Well, a lot of times, there are outliers. Like, you could program a lot of things. You could program, for instance, your reaction to an attacker coming in on a firewall, or, for instance, an attacker coming in, in the cloud, but what happens if the actor is much more capable or smarter than that and trying to come in from different vectors? This is where AI could look at a huge amount of data and understand what's happening or learn what's happening fast enough to counter it. A human can usually deal with a single incident or multiple incidents, but if you have thousands of incidents and they're all kind of there to deceive you or to have you look at a -- at an issue somewhere else instead of focusing on what's happening, where the attack vector is, AI actually can help tremendously here.

Dave Bittner: What's the potential here for cross-organizational data-sharing? And I'm imagining, you know, you all, for example, work with organization A and some alarm gets tripped on their system, could that inform the way that organization B gets defended while still maintaining privacy?

Usama Houlila: A hundred percent. So one of the things that we're working on currently is we're collecting data from our managed services customers and other customers who are willing. We're collecting and correlating that data. We're collecting from other resources that are out there and available, even the paid ones, and it does work and it's extremely, extremely effective because, in a sense, it closes in the attack area, the surface area. It becomes much smaller as we create these large filter sets. Basically, for instance, if an attacker tries to hit a bank, then hit a law firm, then hit the professional services company, etc., there can't be anything -- anything good in here. Obviously, this is an attack in progress, and by having everybody sharing that data and collecting it and taking action on it, that means that, dynamically, worldwide, we are able to close in and reduce that surface attack area.

Dave Bittner: To what degree do you believe that the bad guys are utilizing this technology themselves?

Usama Houlila: A hundred percent. I mean, they are definitely using it. One of the things that we are afraid of is, look, whatever system you buy currently on the internet, anywhere, to actually create your defense, well, guess what? They have the same ability. They're a business. They're going to buy it. They're going to use it. They're going to study it. They're going to dynamically monitor it. So that's one of the issues is, for us, that we have to stay ahead of it by making sure that people don't have access to it, or if they do, that it is of no consequence, that it doesn't give them an advantage, but currently, what I've seen is a lot of these attackers and hackers have full access to the entire platform that most companies use to defend themselves.

Dave Bittner: What are your recommendations for that cybersecurity leader who is curious about this and perhaps wants to check it out for their own organization? What's the best way to get started here?

Usama Houlila: I would say it's difficult. That's part of the problem. We actually, as an organization, we didn't see the amount of effort that it takes before, especially when it comes to cybersecurity. So just to repeat that, we as an organization, we didn't realize how much effort it takes to secure an organization. You're talking about patching, you're talking about updates and upgrades, you're talking about protection and firewall audits, you're talking about compliance, the cloud. It takes a lot of effort to do it. So those are the basics. You have to do that first and then the AI comes in. If an organization is interested in an AI and they do have a development team of a sort, then yes, they should definitely start installing it, looking online, getting some training classes, installing it, training it, etc., but it takes a lot of effort. The team that we have currently working on it at CrossRealms is like almost 12 people and it's a slog, and the reason -- although we're working with a limited amount of data, which is basically cloud firewalls, perimeter identity, access management, other services, DNS, etc., it still takes a large amount of time in order to do it, because to train it, you have to kind of walk through the process, walk through the logs, etc. So do I advise a medium or a large-size organization to get into it? Definitely, because they're going to learn a lot. It's not the issue of achieving some AI nirvana. It's the idea of learning from it and being comfortable with it or being, you know, getting acquainted with it enough so that you would know where it fits your organization and where it doesn't.

Dave Bittner: That's Usama Houlila from CrossRealms International. [ Music ] And joining me once again is Joe Carrigan. He is from the Johns Hopkins University Information Security Institute and also my co-host on the Hacking Humans podcast. Hi, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: Saw a story about some research that the folks over at Abnormal Security were doing here about some scammers trying to take advantage of, I guess, some news about the Bittrex crypto market being shut down.

Joe Carrigan: Right.

Dave Bittner: Unpack what's going on here for us, Joe.

Joe Carrigan: All right, so this is some research from Mike Britton, who is the writer of this Abnormal report.

Dave Bittner: Okay.

Joe Carrigan: And "Abnormal" being the company name, not "abnormal report."

Dave Bittner: Right.

Joe Carrigan: So what happened was, there was a company called "Bittrex" that started trading cryptocurrency and they were doing that in the U.S., and the Securities and Exchange Commission said -- the SEC here in the U.S. said, "No, you can't do that now. You're an unlicensed security dealer."

Dave Bittner: Okay.

Joe Carrigan: So they shut down in April and they -- so they didn't -- it wasn't like FTX where there wasn't any money there. The money was still there. So they said to everybody, "Okay, you have until August to get your money out," and they sent emails out, and by the time the deadline rolled around, which was the end of August, something like 77% of these accounts had less than $100 in them.

Dave Bittner: Okay.

Joe Carrigan: Meaning that everybody who had gotten their money out essentially had the opportunity, and took it, to go get their money out of the account.

Dave Bittner: Okay.

Joe Carrigan: So these phishers, in October, well after the deadline, sent another email saying, "Last chance to get your money out," and it was a -- essentially just a credential-harvesting operation.

Dave Bittner: So they sent the email pretending to be someone from Bittrex.

Joe Carrigan: From Bittrex, and they sent it to Bittrex -- people who had Bittrex accounts.

Dave Bittner: Okay.

Joe Carrigan: But mostly students, because a lot of them were academics. I'd like to know where they got the mailing list. That may be public information. I don't know. It may not be. But they sent this email out to target specifically people that were Bittrex users in the hopes of harvesting their credentials. Now, they're probably not going to get any money because the deadline has already passed, right? But what they are going to get is username/password combinations, which could be email address and password combinations.

Dave Bittner: Right.

Joe Carrigan: So once they have that, that's what Mike Britton is theorizing they're going after here, is they're just building essentially another criminal product for the black market.

Dave Bittner: Yeah.

Joe Carrigan: Of username/password combinations.

Dave Bittner: And presumably, in this case, because it's something that was used for something like someone's crypto account, that perhaps it is a combination of username and password that people put value in, or use for other valued accounts, I guess is what I'm trying to say.

Joe Carrigan: Correct. So let's say you have an account still at another cryptocurrency exchange, like Kraken, that's still open.

Dave Bittner: Right.

Joe Carrigan: And you use the same password, which you shouldn't do.

Dave Bittner: Right.

Joe Carrigan: So now what you've just done is, in using the same password on Bittrex and Kraken, you've just given them your Kraken account.

Dave Bittner: Yeah.

Joe Carrigan: Now they can go in and essentially send themselves all of your cryptocurrency out of your Kraken account that's still valid.

Dave Bittner: Yeah.

Joe Carrigan: Assuming you don't have multi-factor authentication on your Kraken account, which you should do.

Dave Bittner: Yeah. It's interesting to me in these cases, you know, this is something you and I talk about over on Hacking Humans a lot, that there seems to be a degree of kind of self-filtering in these scams where --

Joe Carrigan: Right.

Dave Bittner: You know, certainly within the mix of folks who are active with cryptocurrency, there's going to be a certain number of them who are unsophisticated.

Joe Carrigan: Yes.

Dave Bittner: And the way that this scam works, it seems to be coming at them in a number of directions to take advantage of their lack of sophistication.

Joe Carrigan: Right, like number one, it's just a typical phishing scam, right?

Dave Bittner: Right.

Joe Carrigan: A credential-harvesting scam. Number two, it's after the deadline has expired to withdraw your funds, and I guess those are the two big ones.

Dave Bittner: Yeah.

Joe Carrigan: So it's -- it's -- yeah, you're right, it does target people with a certain lack of sophistication in this.

Dave Bittner: Right.

Joe Carrigan: You know, I say this on Hacking Humans frequently, but when you're investing in crypto, don't do that unless you can afford to take whatever money you're going to invest in crypto out into the street and light it on fire, and, you know, because we don't know where this is going. I mean, it may be the currency of the future.

Dave Bittner: Yeah.

Joe Carrigan: It may not be.

Dave Bittner: Right.

Joe Carrigan: So, you know, it is a high risk. Even if you know what you're doing, it's still a high-risk investment.

Dave Bittner: Yeah, yeah. Yeah, it's interesting that you say that the perpetrators here were fairly sophisticated in the emails --

Joe Carrigan: Right.

Dave Bittner: That they sent out.

Joe Carrigan: No grammatical errors in the emails.

Dave Bittner: Yeah, yeah, which makes me wonder, you know, we talk about it being in this large language model world now, to what degree is that contributing to the ability for these phishers to get their stuff through to people?

Joe Carrigan: Yeah, it has all the hallmarks of a legitimate email on it. It's got the Bittrex logo and everything.

Dave Bittner: Yeah.

Joe Carrigan: The only thing is that it says "Dear Bittrex user" at the top, so it's kind of a generic email.

Dave Bittner: Right. Interesting.

Joe Carrigan: Yeah.

Dave Bittner: All right. Well, again, the research is from the folks over at Abnormal Security. Joe Carrigan, thanks for joining us.

Joe Carrigan: It's my pleasure, Dave. [ Music ]

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at We'd love to know what you think of this podcast. You can email us at Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. [ Music ]