Cyber escalation in a hybrid war, and some notes on the markets, both gray and C2C.

Dave Bittner: Scattered Spider prompts warnings from CISA and the FBI. Phobos ransomware is an affiliate crimeware-as-a-service program. A "hack-for-hire" contractor. “Scama” in the C2C market. Our guest is Lee Clark from the RH-ISAC with a look at Holiday Season Cyber Threat Trends. Tim Eades from Cyber Mentor Fund shares recent trends in cyber venture capital, with tips on finding a good match. And the tempo of cyber operations in Russia's hybrid war.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Friday, November 17th, 2023.

CISA and FBI warn of Scattered Spider.

Dave Bittner: The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have released a joint Cybersecurity Advisory outlining the activities of the Scattered Spider cybercriminal gang: “Scattered Spider (also known as Starfraud, UNC3944, Scatter Swine, and Muddled Libra) engages in data extortion and several other criminal activities. Scattered Spider threat actors are considered experts in social engineering and use multiple social engineering techniques, especially phishing, push bombing, and subscriber identity module (SIM) swap attacks, to obtain credentials, install remote access tools, and/or bypass multi-factor authentication (MFA).” The threat actor targets large companies, and has “been known to utilize BlackCat/ALPHV ransomware alongside their usual TTPs.”

Dave Bittner: The joint advisory represents a call for information sharing as much as it does a warning against the activities of this particular threat group. Scattered Spider has taken an unusual interest in its victims' internal corporate communication channels like Slack, Microsoft Teams, and Microsoft Exchange. They do so in order to monitor for signs that their activity has been detected or suspected, and the group has also shown a propensity to attempt to join conversations about remediation efforts.

Dave Bittner: The FBI, Reuters reported earlier this week, has for several months known the identities of about a dozen members of Scattered Spider, and some observers have wondered why the Bureau hasn't been more aggressive in making arrests. The FBI bridled at the criticism, CyberScoop reports, saying in a media call about the advisory, “Just because you don’t see actions being taken, it doesn’t mean there aren’t actions being taken."

Dave Bittner: So, as true believers say of Bigfoot and the Loch Ness Monster, absence of evidence isn't evidence of absence. But in this case the Bureau has a point: not all law enforcement is immediately visible to the public. In any case, good hunting, FBI. 

Phobos ransomware: an affiliate crimeware-as-a-service program.

Dave Bittner: Cisco Talos has published a study of the Phobos ransomware affiliate program, alongside an analysis of the ransomware itself. The researchers found five commonly used Phobos variants: Eking, Eight, Elbie, Devos and Faust. They are, for the most part, distributed to targets through the SmokeLoader backdoor Trojan.

Dave Bittner: The researchers explained why Phobos seems to be a criminal affiliate program. “There is some indication that Phobos may be a RaaS, due to the variation in email addresses we observed. Each Phobos variant from VirusTotal was associated with at least a dozen emails that were provided to victims to maintain contact, and some had close to 200 unique email addresses with various domains. In some instances, ICQ and Jabber were used as the main contact address.”

Dave Bittner: That shiftiness of email addresses is one mark of a ransomware-as-a-service operator. “While it’s possible that there is a single group behind Phobos, it would be uncommon to have a threat actor change their contact email address so often....We also assess that Phobos is likely closely managed by a central authority that controls the ransomware’s private decryptor key.”

A "hack-for-hire" contractor.

Dave Bittner: Reuters, working with researchers at SentinelOne, has published a report on Appin, an Indian technology company that’s allegedly offered hack-for-hire services for more than a decade. Shane Huntley, head of Google’s Threat Analysis Group (TAG), told Reuters that hackers tied to Appin targeted tens of thousands of Gmail accounts. Huntley said, “These groups worked very high volumes, to the point that we actually had to expand our systems and procedures to work out how to track them.”

Dave Bittner: SentinelOne states, “Appin is considered the original hack-for-hire company in India, offering an offensive security training program alongside covert hacking operations since at least 2009. Their past employees have since spread to form newer competitors and partners, evolving the Appin brand to include new names, while some have spread into cybersecurity defense industry vendors. Appin was so prolific that a surprising amount of current Indian APT activity still links back to the original Appin group of companies in one form or another. Campaigns conducted by Appin have revealed a noteworthy customer base of government organizations, and private businesses spread globally.”

Dave Bittner: It’s worth noting that the reports don’t characterize Appin as a criminal organization. It’s more like a training, testing, and lawful intercept shop. As the case of NSO Group and others like it have shown, the customers can be, to say the least, problematic with respect to malware proliferation.

“Scama” in the C2C market.

Dave Bittner: Researchers at Vade describe the underground market for sophisticated phishing kits, or “scama.” Crooks can now use tools to scan phishing kits for malicious code: “Scama sellers often attempt to exploit customers by embedding malicious code in their packs. Because of this common practice, tools like RezStealerFinder have emerged to protect hackers and enable them to secure their phishing pages. RezStealerFinder detects malicious content in webpages, scanning for vulnerable, sometimes obfuscated code and unknown links that may be present in scama packs. The tool is effective at finding hidden code that a devious scama seller might use.”

The tempo of cyber operations in Russia's hybrid war.

Dave Bittner: Finally, Ukraine warns friendly nations to expect to receive Russia’s unwelcome attentions in cyberspace.

Dave Bittner: Viktor Zhora, deputy chairman of Ukraine's State Service of Special Communications and Information Protection, told IRISSCON this week that CERT-UA logged 2054 cyber incidents in the first ten months of 2023, which represents no decline from the total of 2194 tracked throughout 2022. The attacks' principal goal this year has been espionage, some of it intended to collect for immediate tactical purposes. Closed-circuit video systems, for example, have often been targeted with the aim of collecting information on the results of drone and missile strikes.

Dave Bittner: The activity hasn't been entirely confined to cyberespionage. Attacks against operational technology (OT) systems have also been observed, with Industroyer2, Incontroller, and CosmicEnergy deployed by the GRU against Ukrainian electrical power distribution systems. The Irish Times reports that Zhora warned that other governments could expect similar attacks, from Russia and from other authoritarian and outlaw regimes. “While cyberattacks have been often considered a weapon of the future until recently, experience of the ongoing war has clearly shown to the whole world that the future has come,” he said. “We can say for sure that cyberspace has become a real warfare domain. There are no boundaries that can stop cyber attackers.” 

Dave Bittner: He urged that countries prepare themselves for a coming extension of cyberwar, and the threat isn’t exclusively Russia, either, in his view. “It’s just a matter of time before other authoritarian regimes start their cyber wars against the West,” Zhora added. “It’s crucial now for everyone to realise the degree of danger posed by the combined use of conventional and cyber warfare. Democracies should immediately adapt their military doctrines to address emerging cyberspace-based threats. Cyberattacks should be treated in the same manner as conventional military aggression and should result in a similar response.”

Dave Bittner: Russian operations against countries it considers unfriendly are no novelty. The GRU's Sandworm has been active against electrical power distribution systems in Denmark, and this is the sort of activity against which Zhora warned IRISSCON.

Dave Bittner: So, as CISA would say, “shields up.”

Dave Bittner: Coming up after the break, Lee Clark from the RH-ISAC has a look at holiday season cyber threat trends. Tim Eades from the Cyber Mentor Fund shares recent trends in cyber venture capital with tips on finding a good match. Stay with us. Lee Clark is cyber threat intelligence writer and analyst at the Retail and Hospitality Information Sharing and Analysis Center, the RH-ISAC. They recently released findings from their 2023 holiday season cyber threat trends report, and I checked in with Lee Clark for the details.

Lee Clark: Cyber threat activity is top of mind for most of our member organizations during this time of year. Commonly known malware like LokiBot, Qbot, and Emotet used to rank really high in terms of what our members shared as threatening their organizations. Those have virtually disappeared for the current season, right? The other big divergence is in the past we saw a lot of chatter about Log4J, but as organizations quickly moved to patch that, it's fallen off the list completely, whereas it used to hold a very prominent spot. That, of course, has been overtaken by other critical vulnerabilities that have emerged over the course of the year, including MoveIt and Citrix Bleed. Right? A couple of trends stay largely the same, right? Credential harvesting, phishing, imposter domains, and especially various types of fraud all remain consistent escalating threat star membership during the holiday season.

Dave Bittner: What are you tracking in terms of trends? Do you have a sense? Are things improving or getting worse or are we staying the same? Where do we stand there?

Lee Clark: I don't know about a value judgment like better or worse, but I do know we're seeing changes over time, right? So we see prevalent malware like QBOP, Agent Tesla, Formbook, Emotet. We see those malware falling in prevalence of reporting over time, right? And what we see rise in that place are members tracking more on MITRE ATT&CK, TTPs, tactics, techniques, and procedures, right? And we see that tracking coming in a lot more heavily, which suggests that our membership overall is improving their sophistication and being able to detect and mitigate these threats. Now, a couple of big changes that we don't quite have hard data yet on, so this is more qualitative than it is quantitative, is we see an explosion right now in three key areas, right? The first being QR code phishing, the second being imposter domains, and the third being extortion attacks, so what used to be termed ransomware attacks, but we're sort of moving away from calling them ransomware because they tend to be extortion-based attacks now instead of encrypting attacks, right?

Dave Bittner: Can we dig into each of those individually? Why do you suppose that those are receiving the attention that they're getting from the bad actors?

Lee Clark: Sure, so QR code phishing is an easy way to trick victims into going outside of their organization's security architecture, right? If you send someone a phishing email with a QR code, they scan it with their personal cell phone and it takes them to a fake login screen asking them for tool credentials, right? This is a great way to get around any internal security controls because you have now essentially tricked your target into using a personal device to enter professional credentials, right? So any security controls that the enterprise may have in place aren't going to protect the individual's personal phone, right? That's one reason we see this blowing up in terms of prevalence. The other side of this is that scam activity overall is getting more sophisticated, more organized, and more aggressive. It's more professionalized, right, in terms of call centers and even pay schedules and benefits packages for scam operators, right? If we move to imposter domains, we see imposter domains in two ways, right? The first imposter domains are targeting enterprise employees. It's sort of a sub -- there's an overlap with QR code phishing in that we see imposter pages for major vendor software login. These typically are seeking to steal credentials, right? That's targeting the enterprise. The second type we see is actually targeting the guest or targeting the customer, and that's usually looking for payment data or loyalty points, things of that nature, right? We see that exploding in prevalence because, again, the professionalization and ease of developing scam operations, but standing up that phony infrastructure is very low-effort. And as any company that's ever tried to do a domain takedown on a typo squatting domain will tell you, it's not always the easiest thing to get taken down. There are legal questions as well as interpersonal politics between different organizations and telecommunications providers, right? All right. And the last one, even if CLOP hadn't exploited the move at vulnerability over the course of 2023 to carry out extortion attacks against however many, I think we're up to more than 700 organizations now, I'd still be reporting an explosion in extortion attacks targeting the retail, hospitality, and travel sectors. Of course, we're not getting hit as heavy as sectors like healthcare or education are, but we're getting our fair share. So it's a sort of global trend that we're no exception to. Trends towards extortion because encrypting requires additional time, effort, and resources on the part of attackers. Whenever you can move straight to the phase of pay me the money or I publish your data, right, it's an easy attack to carry out once you get your initial access, which often you can purchase from an initial access broker instead of doing the initial compromise yourself, right?

Dave Bittner: What are the take homes for you in terms of the things that you hope people get out of this report?

Lee Clark: Sure. So the key takeaways we're hoping our members see is that communal defense, right, what we call protect as one as a sort of slogan at the ISAC helps drastically in strengthening individual enterprises, right? Sharing security control recommendations as well as indicators, compromise, tactics, techniques, and procedures, anything technical, but as well as policy-level recommendations in between these organizations that operate in similar spheres. It helps defense both at the community level and at the individual enterprise level, right? And these trends that we see changing and reporting in the threat landscape affect organizations regardless of their specific niche in the market, right? Because these attacks tend to be opportunistic in nature. They're not targeting companies for the sake of targeting that specific company in most cases. And engaging this kind of communal defense and staying aware of what these key changes are and implementing the mitigations that are recommended by our subject matter analysts who were so gracious with their time and effort to help us with the report for this period of the 2023 holiday season, which as every holiday season is going to see a significant surge in threat activity. This type of communal defense can really be a massive advantage for organizations.

Dave Bittner: That's Lee Clark from the RH-ISAC. And joining me once again is Tim Eades. He is the co-founder of the Cyber Mentor Fund and also a serial entrepreneur in the cybersecurity space. Tim, always a pleasure to welcome you back.

Tim Eades: Dave, great to be here.

Dave Bittner: I want to check in with you today on the state of VCs and where you see us heading when it comes to fundraising in the space.

Tim Eades: Yeah, it's definitely an interesting time to be fundraising. Over the last, I guess the first year of the pandemic, everybody got high valuations, raised big funds, had to put the money to work. Valuations got out of whack. The correlation to revenue was really out of control. But over the last year, everybody came out with seed deals or seed funding. Some VCs are not built for engaging with the entrepreneurs as seed people. I think sometimes they think they can, but I think there's a DNA that seed funds are really good at seed funds and working with entrepreneurs. There's definitely a dynamic that first part of the pandemic, massive funds raised, massive valuations, massive money going around. Over the last 18 months, just about every fund in cyber started off with, I do more in seed, I do more in seed. But like I said, certain funds don't really have the dynamic or the ability to relate to entrepreneurs in the same way. I think when you're doing seed deals, you have to be really operationally focused to help the entrepreneur because, you know, particularly the first-time ones, it's a struggle, right? It's a lonely job. It's a really hard job and you need somebody that is, you know, we talk about all the time, is shoulder to shoulder with you, helping you do it, helping you with things like comp plans. Or even right off the bat, like, you know, EIN numbers so you can actually trade in California or getting a general counsel, working with building a financial model. These kinds of like early-stage stuff, some funds are not built for. And sometimes I think there's a missed opportunity, you know, for the entrepreneurs because they got to be careful who they partner up with because, you know, you're getting married, right? You're getting married for a long time.

Dave Bittner: What sort of questions should an entrepreneur be asking of their potential investors here to make sure it's a good match?

Tim Eades: Here's what I would ask. I mean, in no particular order, but I'll give you my top three or four. I would absolutely do references, right? And see, you know, what worked and what didn't work in the person in the past. And the questions that I would ask is what, as a subplot to that one, is what do they take outside the boardroom and what do they keep inside the boardroom? Do they know what to take offline and when to take it offline? Does the board member come to the board meeting with the last board deck and conscious of the last board meeting and what you said you were going to do? Corey Malloy is one of the best investors in Silicon Valley, and he always did that for me. And he would turn up with the current board meeting with the last couple of board decks to try and keep you honest on the current one. So what to take offline, what not to do. So references, but ask about questions like online, offline. How involved are they in the board meetings? How involved in the previous board decks they bring into it? Questions around that. How they engage with you outside the board. Do they come see you? Do you go see them? Do you have walk and talk meetings? How do you get along with them outside of the meeting? And how coachable are they? Pete St. Clair is an old friend of mine, and he was on my board at Silverton, my second company, and we would walk all the time, all the time, around and around in Menlo Park. So that would be another one. References, obviously, like that. Go back in time and understand the domain expertise. So the second one would be domain expertise. Do they know cyber, in my case? How deep do they know cyber? Are they on the technical side, on the go-to-market side? Do they have history? Do they have a Rolodex? Do they really know the subject matter, or are they just skimming the tops of the waves? If they're skimming the tops of the waves, I would probably avoid it, just simply because there's going to be a time where you want to have a conversation about the market and the market dynamics and market transitions. And there's too much of an uphill battle to try and educate that. The third one would be fund dynamics. What fund are they on? Are they in the first fund? How far are they through that fund? One of the things that entrepreneurs don't do enough on is ask about where they are in that fund. Let me give you an example. Let's say they're on fund two, and it's a $200 million fund, but they've already invested $130 or $140 million of it. You've got to be careful because the fund dynamics will start impacting their investment decisions and follow-ons and reserves, particularly if you take it all the way to the top. You say, hey, I'm at $170 of a $200 million fund. You don't really want to be -- my advice, and I'm sure people will call me out on it, you don't really want to be the last deal in a fund. You would rather be the first five or six deals in a fund at the front end of it. Just because you have a whole length of time of investment, there's a whole dynamic there. Those would be my top three.

Dave Bittner: Yeah. Do entrepreneurs sometimes make a mistake of thinking that the folks who are investing in them are going to have more available time than they actually do?

Tim Eades: Another great question. Man, you're on a roll. There's a great test for an entrepreneur on this stuff. Do they work at weekends? Can you get ahold of them? When can you get ahold of them? Can you shoot them a text? Do you respond? A friend of mine raised a bit of money recently, and they met an investor on a Friday, and they got the term sheet by -- I think they got the term sheet on the Tuesday or the Wednesday, but the VC really played no-huddle offense and got in. But that's because that particular venture capital person is an always available, always around kind of guy, and it's a great test. As you go through the funding process and you're raising money or you're starting to engage in the sand hill shuffle or whatever you want to call it, get to see them at weekends. Get to see them out of hours, and see what they're like. See how they interact with people, and they will see that on you, too, because they need to see how your work ethic is and your responsiveness and everything else. That's a good two-way play.

Dave Bittner: Yeah. I always say, and this is certainly not an original thought on my part, but go out to dinner and see how they treat the waitstaff.

Tim Eades: I do that, too. When you're walking around Los Altos, which is where my office is, I want to see how they treat the little old lady crossing the street, how they treat the waitstaff, do they make room for people, are they understanding that? I do that for people that I hire, too. Let's go for a walk.

Dave Bittner: Yeah. All right. Well, Tim Eades, thanks so much for sharing your insights.

Tim Eades: Great to be here, Dave.

Dave Bittner: And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Ashir Malhotra from Cisco Talos. We're discussing their research and findings on Kazakhstan-associated Eurotrooper Disguises Origin of Attacks as Azerbaijan. That's Research Saturday. Check it out. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at N2K.com. This episode was produced by Liz Ervin and senior producer Jennifer Eiben. Our mixer is Trey Hester with original music by Elliott Pelzmann. The show was written by our editorial staff. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.