Hacking Humans 2.24.22
Ep 185 | 2.24.22

A blurring of lines between nation states and criminals.


Joshua Neil: Surprisingly, the nation-states will be quieter. And maybe that's not surprising. But they have more patience. Their motives are different. They're not trying to ransom you. And they don't want to be burned. They don't want to be identified.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, my conversation with Joshua Neil. He's the chief data scientist for Securonix. 

Dave Bittner: All right, Joe, before we jump into our stories, we've got a couple of bits of follow-up here. You're going to kick things off for us. What do you have to share? 

Joe Carrigan: Yeah, Dave. I wanted to follow up on the story about my identity theft. I actually had a conversation with the counselor, I guess - adviser from my identity theft protection service. She was telling me some things. Of course, I mentioned last week about the credit holds you can put - or the fraud alerts you can put on your credit report and how... 

Dave Bittner: Right. 

Joe Carrigan: ...One is for - you know, you have one year and seven years. But something new that I didn't know you could do is you can request - or tell ChexSystems that there's been a fraud incident on your person. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? And then, once ChexSystems knows about it, the banks know about it, and they won't let anybody open an account in your name without you being physically present in a bank branch. 

Dave Bittner: Oh. 

Joe Carrigan: Which is actually the way it should be anyway, I think. But I found that interesting. So I'm doing that. 

Dave Bittner: So it's kind of a global thing where if someone tries to open a checking account in your name, it puts a flag on it? 

Joe Carrigan: Yeah, it - I don't know if it's global. It's certainly national in the U.S. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: But it puts a flag on my identity in the ChexSystems database that says, don't let this guy open an account online. 

Dave Bittner: I see. 

Joe Carrigan: Make him come in. 

Dave Bittner: I see. Interesting. 

Joe Carrigan: Which I don't know... 

Dave Bittner: Maybe that should be the default (laughter). 

Joe Carrigan: Yeah. These young people today, opening their bank accounts online. I don't... 

Dave Bittner: (Laughter) Yeah, that's right. 

Joe Carrigan: Angry old man shakes fist at the way new things are done. 

Dave Bittner: I want a banker that I can shake hands with. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter) That's right. 

Joe Carrigan: So I - it doesn't seem like something I would ever need to do, so I think I'm going to put this on my - I'm definitely going to put this on this ChexSystems alert. 

Dave Bittner: Yeah, how quaint - writing checks (laughter). 

Joe Carrigan: Right. Well, yeah, I don't write checks. Actually, I do write some checks. I am kind of old fashioned that way. 

Dave Bittner: Yeah, yeah, yeah. All right. 

Joe Carrigan: So the matter's pretty much closed now. 

Dave Bittner: All right. Well, good. Glad - all's well that ends well, right? 

Joe Carrigan: Indeed. 

Dave Bittner: All right. Some more follow-up - we got a question from a listener named Benji (ph), who wrote in. Joe, you want me to read this, or do you want to read it? 

Joe Carrigan: You can go ahead and read this. 

Dave Bittner: All right. They say, hi, Dave and Joe. Love the pod. I was hoping you could follow up on advice for one issue you spoke about in your last episode. In your Catch of the Day, you said that we see people open up a Gmail account, change the name on the Gmail account to your name and then send emails from it. 

Dave Bittner: Benji writes, I know this all too well. I work for a synagogue, and for over the past two years, we've been targeted by scammers - more specifically, our congregants have. People sign up for free Gmail accounts, change the name to our rabbi and then email our congregants directly asking for help - gift cards for cancer patients or something like that. This scam has actually been documented by news outlets, affecting not just our synagogue, but many across the country. 

Dave Bittner: We've covered this here before as well, Joe, haven't we? 

Joe Carrigan: Yes. 

Dave Bittner: Yeah. 

Joe Carrigan: Yeah, they - happened at a church in Rockville that I went to. 

Dave Bittner: Yeah. 

Dave Bittner: Benji writes, I've done everything I can think of to protect our domain and staff accounts, but how do I protect our congregants? Many of them are elderly or technologically challenged and may fall victim to this. We've sent out warnings, but these attacks happen every two to four weeks, so constantly emailing warnings is not helpful. I've also reported to Gmail and the Internet Crime Complaint Center several times because this - but because the scammers can simply create new accounts, there's nothing to stop them. 

Joe Carrigan: Right. 

Dave Bittner: I suspect there's a list of synagogues with rabbi and congregant emails up for sale on the dark web and it's being sold as a package since the scam emails are almost identical. Luckily, we do not post our member directory online, but they have targeted any email published on our website or online bulletins. Any advice would be appreciated. Thanks for the work you do, Benji. 

Joe Carrigan: Yeah, this is a tough one, Benji, and I understand it's very frustrating. 

Dave Bittner: Yeah. 

Joe Carrigan: But you're absolutely right. These guys can target your congregants just by opening up a Gmail account and pretending to be the rabbi. And in fact, that's exactly what happened in the church that I was at over in Rockville. I think it's St. Mary's. It - the priest was saying to the congregation, I will never send you an email asking you for gift cards (laughter). 

Dave Bittner: Right. 

Joe Carrigan: And that's, I think, the best solution for your rabbi. I don't - you know, that, of course, relies on everybody going to services regularly, right? 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: Is there a Jewish equivalent to Christmas and Easter where everybody shows up, you know? 

Dave Bittner: Twice-a-year Jews? Yeah (laughter). 

Joe Carrigan: Like twice-a-year Catholics that, you know, you can't find seating anywhere in... 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: ...The church for Easter Mass, but... 

Dave Bittner: Yeah. Certainly, I mean, there's Passover and... 

Joe Carrigan: Right. 

Dave Bittner: ...There are the, you know, various high holidays. So yes. 

Joe Carrigan: Yeah, so maybe at those events where you have the place packed... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Have the rabbi make that announcement. 

Dave Bittner: Right. 

Joe Carrigan: The more ears that hear it, the better. It's just - I mean - and it's - these people are despicable. They will prey on anybody they can and use these appeals to humanity. And they will impersonate a member of the clergy, and they have no problem doing this. 

Dave Bittner: Yeah. 

Joe Carrigan: So it's - yeah, I absolutely get Benji's frustration. I share it. It is - it's difficult to deal with, but the only thing to do is continually tell people, we will never ask you for gift cards. Please don't respond to these kind of emails. 

Dave Bittner: Yeah, and I think - I agree that the - that, really, education is the best avenue for this. 

Joe Carrigan: Right. 

Dave Bittner: Unfortunately, it's - there - I don't think there's a technological solution to this. 

Joe Carrigan: There isn't. These guys can go anywhere they want. And, I mean, you're doing all the right stuff. You're reporting to the Internet Crimes Complaint Center. You know, they're never going to catch these guys. These guys are out of the country... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Probably in Nigeria. Nigeria is where they run a lot of gift card scams out of. 

Dave Bittner: Yeah, I would also say that being consistent by not having these sorts of things - by not having legitimate requests come from the synagogue via email... 

Joe Carrigan: Right. 

Dave Bittner: ...To say, you know, this is the only way - the only way we will put out these sorts of requests is through this. They will be on our website. 

Joe Carrigan: Right. 

Dave Bittner: They will be, you know, some sort of more secure messaging system than just sending out an email and sticking to that. 

Joe Carrigan: Right. 

Dave Bittner: So that it doesn't get fuzzy, the people don't expect to - that to be something when - so that when you say, you will never get an email requesting money from us, that is so. 

Joe Carrigan: Right, yeah. 

Dave Bittner: Right? Right. 

Joe Carrigan: Yep. 

Dave Bittner: But yeah. Boy, it's a tough one. 

Joe Carrigan: It's - man, it angers me. 

Dave Bittner: Yeah. 

Joe Carrigan: It really angers me. 

Dave Bittner: Yeah. All right, well, if any of our listeners have ideas for this, we'd love to hear from you. You can write to us at hackinghumans@thecyberwire.com. And if we have any good solutions to this problem, we'll be happy to share them with our listeners. 

Joe Carrigan: Absolutely. 

Dave Bittner: All right, let's move on to some stories here. And I'm going to start things off for us. I've got an interesting story here. This is from a couple weeks ago. And, you know, Apple, not long ago, released their AirTags product. 

Joe Carrigan: Right. 

Dave Bittner: And it received a lot of attention. This is a product that uses - it's basically tracking the location of the AirTag itself. And it uses the fact that there are so many iOS devices out there in the world that when this device gets in the proximity of an iOS device, they communicate with each other over Bluetooth, and the iOS device says, hey, I was near an AirTag, here is the ID of it, and here's where it is. 

Joe Carrigan: So it's kind of like Tile. 

Dave Bittner: It's - yes, it is just like Tile. 

Joe Carrigan: Right. 

Dave Bittner: Which is an interesting point to me that a lot of people got their dander up over AirTags and the ways that it can be used to stalk people. 

Joe Carrigan: Right. 

Dave Bittner: There's been reports of it being used to - people have attached them with magnets to expensive cars so they know where the car goes at night, and then it makes it easier for them to steal the car. 

Joe Carrigan: That's very creative. 

Dave Bittner: Yes. 

Joe Carrigan: (Laughter). 

Dave Bittner: But it's - what's been interesting to me is that when Apple came out with this product, which is - as you say, essentially does the same thing that the Tile... 

Joe Carrigan: Tile, yeah. 

Dave Bittner: ...Product does, Tile didn't receive the media attention that Apple did on this. 

Joe Carrigan: Right. 

Dave Bittner: And I think, on the one hand, look; nothing attracts web traffic like a bad story about Apple, right? 

Joe Carrigan: Yeah. 

Dave Bittner: So there's that. 

Joe Carrigan: Yeah, that's true. I mean, people like - if there are people out there that like bashing Apple... 

Dave Bittner: But also, I think, you know, Apple runs at a different scale than Tile does. 

Joe Carrigan: I would agree. 

Dave Bittner: A lot more of these AirTags are going to be out in the world. 

Joe Carrigan: And they're leveraging their own communication platform, right? 

Dave Bittner: And there are so many more iOS devices, too, so. 

Joe Carrigan: Yeah. 

Dave Bittner: I think there's some legitimacy to that. This story, however, is fascinating in that a researcher took an Apple AirTag, put it in the mail in Germany. And this researcher was trying to figure out - this is an activist named Lilith Wittmann. And evidently, Germany has a - let's say an intelligence agency. 

Joe Carrigan: Every country has an intelligence agency, Dave. 

Dave Bittner: (Laughter) Well, yes, but this one's called the Federal Telecommunications Service. And they - there was suspicion that this was a camouflage authority for a secret intelligence agency. 

Joe Carrigan: I see. 

Dave Bittner: So, you know, this is the plain white van outside. 

Joe Carrigan: Flowers by Irving (laughter). 

Dave Bittner: Right, exactly. Exactly. And so what this activist did was sent a package with an AirTag in it to this agency to see where it went, and they could track where it went. 

Joe Carrigan: And they got that information back, I'm imagining. 

Dave Bittner: And they got the information back from where the AirTag went, and so was able to verify the existence of this agency, but more importantly, where they reside. 

Joe Carrigan: Ah. 

Dave Bittner: (Laughter) Right? So... 

Joe Carrigan: Because they have a shipping program, right? 

Dave Bittner: Yeah. 

Joe Carrigan: They - this is an intelligence agency's front company? 

Dave Bittner: Yes. 

Joe Carrigan: Which intelligence agencies do all the time. 

Dave Bittner: Yes. 

Joe Carrigan: So nobody should get bent out of shape about this. This is just the tradecraft of intelligence agencies. I mean, you could argue that maybe we shouldn't be doing this, but it's the state of the world. It is what it is. 

Dave Bittner: Sure. 

Joe Carrigan: So this company - this - an agency set up this company. They receive packages. And when they get packages, they go, well, we better send these back to headquarters. 

Dave Bittner: Right. Exactly. 

Joe Carrigan: And that's what they did (laughter). 

Dave Bittner: And that's exactly what they did, yes. And so the location of headquarters was revealed. 

Joe Carrigan: I will bet that every intelligence agency, once this story broke, has changed their policy... 


Joe Carrigan: ...If they hadn't done so already. 

Dave Bittner: Yeah. Well, and it reminds me of the - we had stories - I don't know - it's probably been over a year now - where you had soldiers and other... 

Joe Carrigan: Oh, yeah. 

Dave Bittner: ...Agents of the government who were - who had... 

Joe Carrigan: Using a fitness app? 

Dave Bittner: Using fitness apps. 

Joe Carrigan: Right. 

Dave Bittner: Right. And so they were able to - basically, the fitness apps were mapping out their routines, their morning exercise or whatever. 

Joe Carrigan: It was aggregate data. I remember - I can't remember which fitness app it was, but they were saying, look at all the aggregate data to see where people all over the world run. And then there were, like, these hotspots in Afghanistan, where... 

Dave Bittner: Right. 

Joe Carrigan: ...A bunch of people were doing exercise. And you're like, hmm, who has cell phones and is in Afghanistan that needs to keep fit (laughter)? 

Dave Bittner: Right. Exactly. Exactly. So I think this is interesting for a lot of reasons. To tag on to the Apple story - Apple, in response to some of the criticisms about AirTags being able to be used for things like stalkers... 

Joe Carrigan: Right. 

Dave Bittner: ...They've updated some of the functionality of it. Evidently, the - I think the AirTags will sort of signal their existence more often if they're not near the iOS device that initialized them... 

Joe Carrigan: Right. 

Dave Bittner: ...They make a beeping sound, which - after a certain amount of time - I think it's 24 hours, something like that - which is designed so that if, for example, you know, I dropped an AirTag into your coat pocket... 

Joe Carrigan: Right. 

Dave Bittner: ...To keep an eye on you, after 24 hours, if that AirTag wasn't within the proximity of me, it starts beeping to alert you that you have an AirTag on you. 

Joe Carrigan: Right. 

Dave Bittner: And so you'd say, what's that beeping noise in my coat pocket? - pull it out and say, oh, Dave. 

Joe Carrigan: Right. 


Dave Bittner: He's at it again (laughter). 

Joe Carrigan: I'll bet you you can open that AirTag up and disable that beeper. 

Dave Bittner: Ah. Well, funny, you should say that, Joe... 

Joe Carrigan: OK. 

Dave Bittner: ...Because there was a gentleman - where there's a need, there's a supply, right? 

Joe Carrigan: Right. 

Dave Bittner: And there was a gentleman who set up an Etsy shop of modified AirTags... 

Joe Carrigan: (Laughter). 

Dave Bittner: ...With their speakers disabled. And the shop didn't stay up for long. 

Joe Carrigan: Yeah. Etsy took it down? 

Dave Bittner: (Laughter) Yeah. 

Joe Carrigan: Yeah, good. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: It doesn't matter. They're still out there selling them. It's just... 

Dave Bittner: True. 

Joe Carrigan: ...They're not selling them on Etsy. That's all. 

Dave Bittner: Yeah. Yeah. It reminds me (laughter) when my youngest child was a toddler, we got him one of those exersaucers. You know what those are? 

Joe Carrigan: Yes. 

Dave Bittner: Yeah. 

Joe Carrigan: Yes, my daughter and son both had one of those. 

Dave Bittner: Yeah. So an exersaucer is a little thing you plop the kid down in, and it has a bunch of different little activities. This one had kind of - you put the kid in this little - I don't know - like, a little seat they sit in, but it has... 

Joe Carrigan: It's like an old walker, but the kid is... 

Dave Bittner: Without the wheels. 

Joe Carrigan: Without the wheels and the kid's... 

Dave Bittner: (Laughter) So they can't go down the steps into the basement. 

Joe Carrigan: Exactly. Like my sister... 

Dave Bittner: Right. 

Joe Carrigan: ...Did when she was a kid. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: (Laughter). 

Dave Bittner: But the seat on this one had ball bearings, so they could spin around... 

Joe Carrigan: Right. 

Dave Bittner: ...And get to these different things. And it works great. It works great because, you know, you stick the kid somewhere. You know where the kid is. The kid is occupied. All good. 

Joe Carrigan: Yeah. 

Dave Bittner: But this particular exersaucer had a button that the kid could press, and it would play some electronic song. Let me tell you, Joe, it didn't take me long to get in there with a screwdriver and clip the leads on that music thing... 

Joe Carrigan: (Laughter). 

Dave Bittner: ...Because it was driving me up a wall (laughter). 

Joe Carrigan: Right. (Vocalizing). 

Dave Bittner: (Laughter) Right. Right. 

Joe Carrigan: (Vocalizing). 

Dave Bittner: Yeah, so anyway. All right, that is my story this week. Joe, what do you have for us? 

Joe Carrigan: Dave, my story comes from McKenna Oxenden, right here in our hometown of Baltimore, from the Baltimore Sun. 

Dave Bittner: OK. 

Joe Carrigan: And she has a great story about how Baltimore, the city of Baltimore, fell victim to a phishing scam. I don't know that I would say it's a phishing scam, although I - it's an interesting story. So here's what happened. Baltimore has a bunch of contractors it does business with... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Just like every other government does. 

Dave Bittner: Sure. 

Joe Carrigan: And there was one contractor who had done business with the mayor's Office of Children & Family Success. And the inspector general of Baltimore City, who is named Isabel Mercedes Cummings, I believe - and she is - she does audits of the city and finds out what's going on. And she found out that this office asked the office of payroll and budgets, which is the actual payment office... 

Dave Bittner: Right. 

Joe Carrigan: ...To send $376,000 to a fraudulent bank account. 

Dave Bittner: Oh. 

Joe Carrigan: So here's what happened. This is a business email compromise case, and we see this happen a lot. This business that does work for the city of Baltimore, their email was compromised. And this malicious actor actually sent emails to the city of Baltimore as a member of this company using that person's email address. And they said what we frequently see in these attacks, here are some new banking details. 

Dave Bittner: Right, right. 

Joe Carrigan: OK? 

Dave Bittner: We've updated our banking information. 

Joe Carrigan: We've updated our banking details. 

Dave Bittner: Here's the new information. 

Joe Carrigan: And this happened over a year ago. So in December of 2020, somebody in the office - the children's office received this email. And they went to the billing and payment office, the payroll office, and they said, we got to change these credentials. The payment was made. The bank had flagged the account as fraudulent and returned the money to the city of Baltimore. 

Dave Bittner: Wow. 

Joe Carrigan: Right? 

Dave Bittner: So the bank was the hero in this story. 

Joe Carrigan: Hold on, Dave. 

Dave Bittner: Oh. 

Joe Carrigan: We're not done yet. 

Dave Bittner: I spoke too soon. 

Joe Carrigan: You spoke too soon. That bank was a hero in this story. 

Dave Bittner: OK (laughter). 

Joe Carrigan: Right. A few weeks later, in January of 2021, these guys realize their bank account's been shut down, and they send another email to Baltimore going, our details have changed again. And Baltimore changes the payment address. This time, they were successful in sending the $376,000. 

Dave Bittner: Wow. 

Joe Carrigan: Once they - once the bank realized it was fraudulent, the bank froze the account, and they managed to return $38,000 to the city of Baltimore. And the company filed a claim with their insurance, their - they had some kind of cyber insurance, and they got $50,000. 

Dave Bittner: OK. 

Joe Carrigan: So the vast majority of this money, close to $350,000, is gone. 

Dave Bittner: Yeah. 

Joe Carrigan: The hackers got away with it, these... 

Dave Bittner: Wow. 

Joe Carrigan: ...Malicious actors. So here's my question for you, Dave, what I'd like to discuss with you. 

Dave Bittner: Mm-hmm. 

Joe Carrigan: Who do you think is culpable here? Do you think this contractor is more culpable? Or do you think the city of Baltimore is more culpable? Or do you think they both share responsibility? 

Dave Bittner: Oh, boy. That's an interesting question. Who is on the hook for this? 

Joe Carrigan: Yeah. 

Dave Bittner: So we could say the contractor is responsible because they did an inadequate job of protecting their own systems. 

Joe Carrigan: That's right. 

Dave Bittner: They allowed this fraudulent request to come through their infrastructure. 

Joe Carrigan: Correct. 

Dave Bittner: We could say that the city was culpable for not doing their own due diligence and verifying with the contractor that the change was legit. I mean, ultimately, I guess if we don't want to blame any of the victims (laughter)... 

Joe Carrigan: Right, right. 

Dave Bittner: ...The bad guys are culpable. 

Joe Carrigan: No, that's 100% correct. These guys are criminals. 

Dave Bittner: Right, right. 

Joe Carrigan: And these guys are - but, you know, there's $350,000 that's gone. Somebody's... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Got to bear the responsibility of that. 

Dave Bittner: Right. And yes, and so there - you have to - yes. Yeah, I get what - yeah. 

Joe Carrigan: So who - I don't know. Who carries that? It's a tough question for me. 

Dave Bittner: And I wonder what the insurance company said here. Do you know? 

Joe Carrigan: Well, the insurance said, here's your $50,000, the maximum payment that you're entitled to. 

Dave Bittner: I see. I see. 

Joe Carrigan: They gave it to him. 

Dave Bittner: Yeah. Huh. 

Joe Carrigan: But that's - so now the company is still out a bunch of money, right? I don't know. I don't know who... 

Dave Bittner: Well... 

Joe Carrigan: What happens here? 

Dave Bittner: So - right, but I guess - so part of the question is, what happens next? 

Joe Carrigan: Right. 

Dave Bittner: I suppose - does - is the contractor - because it wasn't a legit request from the contractor. It's not like the contractor provided $350,000 worth of services. 

Joe Carrigan: Right. 

Dave Bittner: But then that $350,000 of services went to the scammers instead of the contractor. 

Joe Carrigan: Yeah. It may actually be that the contractor did provide $350,000 worth of services. 

Dave Bittner: Right. So in that case, is the contractor out the $350,000 because... 

Joe Carrigan: Right. 

Dave Bittner: ...The city paid that money out... 

Joe Carrigan: Yup. 

Dave Bittner: ...Based on information from the contractor? 

Joe Carrigan: Yeah, I don't... 

Dave Bittner: The information came from the contractor. 

Joe Carrigan: That is where I tend to go with this. 

Dave Bittner: Yeah. 

Joe Carrigan: Although, the... 

Dave Bittner: And wouldn't it be up to the contractor to then go to their own insurance company and say, we got hit... 

Joe Carrigan: Right. 

Dave Bittner: ...So we want the 350,000 or whatever our policy is for? 

Joe Carrigan: Right. And that's what... 

Dave Bittner: Yeah. 

Joe Carrigan: ...They did, but they only got 50 grand. 

Dave Bittner: The contractor only got 50 grand. 

Joe Carrigan: The contractor only got 50 grand. 

Dave Bittner: Yeah. 

Joe Carrigan: Yeah. 

Dave Bittner: All right. Well, I mean... 

Joe Carrigan: So they had - they weren't adequately covered, I guess... 

Dave Bittner: Yup. 

Joe Carrigan: ...You could say. 

Dave Bittner: That's right. That's right. 

Joe Carrigan: You know, I think this is going to be something the contractor just has to live with. It's a - but I will say this, that the article quotes director of - finance director, Henry Raymond, and they - and he says they immediately strengthened internal controls. This is something we've been screaming from the mountaintop for a very long time, Dave, and that is whenever anybody does something that's out of the ordinary process, like changing banking credentials, that is something that requires a phone call... 

Dave Bittner: Right. 

Joe Carrigan: ...At a minimum. 

Dave Bittner: Right. 

Joe Carrigan: Because if the person in the office of - what is it? - child and family success? 

Dave Bittner: Yeah. 

Joe Carrigan: If that person just picked up the phone and said, hey, are you trying to change your banking details with me... 

Dave Bittner: Right. 

Joe Carrigan: ...This would never be in The Baltimore Sun. 

Dave Bittner: Right. 

Joe Carrigan: This would have been something stopped. Now, if the contractor had physical protections on their email account, like physical multifactor authentication like a YubiKey or a Google Titan or some kind of FIDO open standard - FIDO is an open standard, by the way. 

Dave Bittner: Yeah. 

Joe Carrigan: We get comments. I seem like I'm endorsing YubiKey; I'm not endorsing YubiKey. YubiKey uses FIDO, and that's open. Anybody can build a FIDO solution. 

Dave Bittner: OK. 

Joe Carrigan: But if they were to put something in place like that, this would have stopped the account takeover because they never would have been able to just log in with just a username and password. 

Dave Bittner: Yeah. So there are multiple opportunities from many parts in this story... 

Joe Carrigan: Yeah. 

Dave Bittner: ...To have done better (laughter). 

Joe Carrigan: Right. I agree. 

Dave Bittner: Yeah. Well, and I suppose I - you know, that's money that isn't going to be used to help the folks in Baltimore, right? 

Joe Carrigan: No, it's not. 

Dave Bittner: Yeah. 

Joe Carrigan: It's money that's going to help some scammer and probably help him or her build a - but probably him... 


Joe Carrigan: ...A much larger empire of scams. 

Dave Bittner: Yeah. All right. Well, we will have a link to that story in the show notes for the show. Joe, it is time to move on to our Catch of the Day. 


Joe Carrigan: Our Catch of the Day comes from a listener who calls themselves G, who writes - (reading) Gents, this spam actually required me to do some research. Apparently, they're looking for Oracle credentials. Clue No. 1 was that the email appeared to be forwarded by me to get past the email filtering system that some companies use. Clue No. 2 was that I had no idea what they were talking about, hence the research. After looking at the header for fun - fun, he says? 


Dave Bittner: Yeah, I don't know what you do in your spare time, Joe, but looking through email headers is right up there at the top of my list. 

Joe Carrigan: They fed the link into VirusTotal, and one of the services found that it was suspicious. So this person says even though they use Linux, they did not open the attachment, which is wise, I think, very wise. 

Dave Bittner: (Laughter). 

Joe Carrigan: Here's the message, Dave. Why don't you read the message that this person... 

Dave Bittner: All right, the message is - (reading) Hi, we've requested for DLT template to be activated on our account severally, but nothing has been done. Please find below for our DLT files and do the needful immediately. Recipients, download link, one item DLT template.rar, 200 kilobytes. Thank you. 

Joe Carrigan: So this is obviously - a RAR is a WinRAR archive. 

Dave Bittner: Yeah, a compressed file. 

Joe Carrigan: Compressed file. 

Dave Bittner: Yeah. 

Joe Carrigan: Probably has something malicious in it. Two hundred kilobytes... 

Dave Bittner: (Laughter) Count on it. 

Joe Carrigan: ...Might not be that big, yeah. 

Dave Bittner: Right. Right. Right. Right. 

Joe Carrigan: What - we see this frequently. I'd like to know - there's some language that this is being transferred - or translated from rather. Do the needful. 

Dave Bittner: Yeah. 

Joe Carrigan: We see that phrase frequently. I'd like to know what language that comes from. 

Dave Bittner: Do the needful. Yeah. That's interesting. As, I guess - yeah. I don't know how we could reverse engineer that, but interesting. All right. Well, good for you, G, for not falling for it. 

Joe Carrigan: Right? 

Dave Bittner: (Laughter) That was a fun one. 

Joe Carrigan: Yep. 

Dave Bittner: Again, if you have a Catch of the Day for us, you can send it to us. It's hackinghumans@thecyberwire.com. Joe, I recently had the pleasure of speaking with Joshua Neil. He is the chief data scientist for Securonix. Here's our conversation. 

Joshua Neil: I think the actors who are executing these techniques are new. And they're - they have different motives. So you know, the nation states, for a long time - at least my career, 20 years now - they've been doing these kind of things. They use system tools that are built in. They don't need to import malware. They already have credentials. And they execute kill chains, as described by MITRE ATT&CK techniques. These are our understanding of the nation state tactics. What we've seen in the last few years, however, is that the criminals have gotten more sophisticated. And they've begun adopting the methods of the nation states and doing the same things, living off the land, conducting extensive kill chain activity, you know, multiple steps within an enterprise after the initial exploit or initial compromise in order to identify the right assets that they want to ransom or drop coin miners or steal information from. So we're starting to see a blurring of lines in the techniques between the nation states and the criminals. And I think that's why you're seeing so much success out of ransomware. This - these are human-operated groups. They don't drop ransom payloads on the first machine they get access to. They're penetrating further into the enterprise to identify really valuable assets that the company actually might be willing to pay a ransom for rather than, you know, Joe User's laptop. And so I think the incentives, financial incentives, of ransomware have lined up with the need to go further into an enterprise. And that's lined up with more of these advanced techniques that look a lot more similar to nation state behavior. 

Dave Bittner: Can we walk through a hypothetical scenario together? I mean, suppose I'm the, you know, proprietor of ACME Widgets Inc. And, you know, I've got a successful business, a few thousand employees. And we've been, you know, making widgets for a decade or so. If a bad actor has me in their sights, can we walk through how they would go about doing the things that they would want to do? 

Joshua Neil: Sure. You know, I'll just use one example. I'm not going to represent every attack in this. 

Dave Bittner: Yeah. 

Joshua Neil: But, you know - so in order to avoid a phishing email and the sophisticated blocking they would have on the phishing side, you know, the adversary may run a brute force campaign against open-facing web servers for the enterprise. They would bombard the enterprise with millions, if not billions, of connection requests, authentication requests and then get lucky and identify a combination of user and password, which will give them access. Once they have access to this open web server, it's fairly trivial to escalate privileges and be able to install arbitrary software on that server. Typically, they'll want some element of command and control installed. So there'll be a remote access tool of some kind, along with persistence. They'll change the start menu in the - you know, maybe some registry changes in order to survive a restart or reboot. From there, you know, it's, even among nation states, quite common that the adversary doesn't know the internal authentication topology, where they can get to or what assets, you know, and services are available. So they'll conduct internal reconnaissance. You know, a lot of times, this is in the form of port scanning or attempted authentications to various assets. They may do some recon on the machine itself, you know, listing connecting machines to that machine accounts, maybe scrape memory to get more credentials from memory from that machine. Once they identify likely next hops, they'll laterally move. This is - can be done through remote code execution or an actual interactive login, like an SSH or RDP, to another machine. And sometimes the next hop is the victim. They want to drop a ransomware payload on that victim machine because they've found a - you know, I don't know, maybe a SQL server with a whole bunch of important data on it. But commonly, even that next hop isn't enough, isn't attractive enough, or maybe it's - maybe they want multiple victim machines. Typically, they do. So they'll continue this iterative process of sort of reconnaissance on the box and on the network, followed by a lateral move, followed by reconnaissance on the box and on the network, followed by a lateral move. 

Joshua Neil: In the government - you know, I used to work for the Department of Energy - you know, we'd see kill chains - and even at Microsoft, we would see kill chains that were 15, 20 steps long. You know, the SolarWinds attack was extremely complicated in terms of the - of this structure of lateral plus recon. But eventually, they find the right victim machines. And in this case, since it's a ransomware attack, they'll drop payloads and execute them. And at that point, the victim machines are encrypted, and they'll obviously send a painful message to the organization saying, you know, you better pay up or you'll never get your data back. 

Dave Bittner: What sort of timeline are we talking about here? Is this happening quickly, or how much are they - how patient are they? How much are they biding their time? 

Joshua Neil: So it depends on the threat actor, and it depends on, I think, mostly on the threat actor and their efficiency. Surprisingly, the nation states will be quieter and they - maybe that's not surprising - but they may take longer. They have more patience. Their motives are different. A lot of times, they're not trying to ransom you. They're trying to establish persistence and perhaps steal critical information, and they don't want to be burned. They don't want to be identified for a lot of reasons, one of which being political, you know, that this could be a problem for their nation. On the other hand, criminals will move fast. They'll smash and grab, and they'll be loud about it - not always, but commonly. 

Joshua Neil: Even so, with these kill chains, you know, I mean, it varies. I mean, if we're talking about a proper human-operated ransomware with well-targeted victim machines, I would estimate that it's anywhere from six hours, you know, to a week or two to execute a full ransomware attack. We have seen attacks which took more than a week. And then on the nation state side, we'll see persistence for years. We'll see attackers that are in for six months. Then they'll do something. Then they'll go quiet. Then they'll do something else, and this will happen for years. However, there's a trend and there's a - I have a bit of a fear, and I hate to do FUD. 

Dave Bittner: (Laughter) Sure. 

Joshua Neil: But there is something coming, I think, which is any human sort of sequence of events - you know, I'm a data scientist, right? So I think about automation. I think about, how can I write AI to mimic what the humans are doing? And most of the time, in defenses, what I'm doing is decision support. I am not replacing humans, but I am accelerating them. I think we're seeing this on the offensive side, as well. 

Joshua Neil: One can imagine a day when the decisions made by the human attack team are coded. And with a bit of reinforcement learning or other sort of more advanced analytical techniques, you know, I think many of the tactics currently executed by humans are going to be executed by machines. At that point, if they don't care about being quiet, you know, I could imagine millisecond-level attacks instead of six-hour-level attacks, you know? I think we'll see much faster process of lateral and recon to identify the right victims and just, blindingly fast, move through the network, drop the ransom payloads, and they're done (laughter). So I don't know how soon that's coming. But if it occurs to me, I think it's probably occurring to our adversaries. 

Dave Bittner: You know, again, going back to that businessperson who's doing their best to defend their own network, how much of this is, you know, putting - and I'm totally going to mix metaphors here - but how much of this is putting bigger locks on the doors versus, you know, I don't have to outrun the bear, I have to outrun you? 

Joshua Neil: Yeah, it's a tough one. And I'm not a guy who would say that protection or prevention is impossible. These two things go hand in hand. The more protection you have, the more effective your detection is because you're reducing the attack surface, and you're simplifying the detection effort. But on the other hand, I don't think either protection, or locking the gates, or leaving the gates open and having some kind of, you know, zero-trust, constant authentication sort of approach is the smoking gun. I think it's just a - like everything, a moderation between, you know, investing in protection technologies, antivirus, you know, get your authentication and credential portfolio and plan together. Yeah, these kind of things - you know, vulnerability management, assessments, you know, red teams - these are preparing and preventing, and then on the detection side, a similar level of investment. I don't think you can put all your eggs in one basket, I think is the answer. 

Dave Bittner: Joe, what do you think? 

Joe Carrigan: Dave, I speak for a lot of Joes when I say, I object to the term Joe User. 

Dave Bittner: (Laughter) It's kind of like, I feel really sorry for all the nice women out there whose name is Karen. 

Joe Carrigan: Right, right (laughter). 

Dave Bittner: Yeah. OK. 

Joe Carrigan: This concept of living off the land is interesting, right? Every computer comes with essentially tons of tools. Computers are very useful and very powerful nowadays. Remember when we were kids, and they just came with an operating system, Dave? 

Dave Bittner: Yeah, in ROM (laughter). 

Joe Carrigan: Right. 

Dave Bittner: Yeah. 

Joe Carrigan: That was it. And, I mean, it didn't have any tools. You wanted tools, you had to load them up. Now... 

Dave Bittner: Yup. 

Joe Carrigan: ...The operating systems come with all these tools. And like I say all the time, tools are useful. They can be used to build a house or tear it down. 

Dave Bittner: Right. 

Joe Carrigan: Right? This software isn't malware... 

Dave Bittner: Right. 

Joe Carrigan: ...Right? PowerShell is not malware, and secure copy is not malware, but they can be used to do very malicious things. So your virus protection is never going to stop you or help you stop somebody from using a legitimate tool to do malicious things like exfiltrate data or change configuration or ensure persistence, right? Criminals are getting more sophisticated, and we've been saying this for years. It's interesting to see how Josh was watching this evolve from the criminals adopting what are nation-state tactics. 

Dave Bittner: Right. 

Joe Carrigan: I wonder, are these criminals learning from nation-states, or are they just following along the same evolution that nation-states have always been on? 

Dave Bittner: Well, and there's also the speculation that some of them are moonlighting, that they are nation-state employees, let's say. And in their free time, they use the skills that they've acquired for personal profit. 

Joe Carrigan: Yeah. 

Dave Bittner: And the nation-state organizations are willing to look the other way. 

Joe Carrigan: In some nation-states, I'm sure that's fine. 

Dave Bittner: Yeah. 

Joe Carrigan: The hopping around that Joshua describes when moving laterally, this is how I used to get around the internet. Do you remember this? I would... 

Dave Bittner: (Laughing) Go on. 

Joe Carrigan: In the 1990s, I was - I actually am proud to count myself among one of the first 1 million users of the internet... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Because if you look at internet users over time, when I started using the internet in 1990, there were less than a million users. So... 

Dave Bittner: I suspect I'm probably on that list. 

Joe Carrigan: Yeah. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: But that's how we used to get around. We used to telnet into (laughter) one computer, and then I could use that to telnet to another computer and hop around. 

Dave Bittner: Sure. 

Joe Carrigan: And I'd have connections going from one, two, three, and I'd exit out and have to exit all the way back out. This is age-old stuff that people are still using to move around current networks. Nation-states and criminal organizations, while they have the same kind of techniques, they're going to use different tactics in those techniques. They're going to use them differently. Nation-states want to be very, very quiet, and they really want to lay low in these environments because their goals are very different from criminal organizations. Criminal organizations want to monetize the attack, and they want to do that as quickly as possible because they're like a business. They have time pressures. Nation-state actors do not want to do that. They want to know stuff, and that's a different motivation. Joshua's warning about automation and AI is accurate, I think. AI, again, just a tool. So it's going to be used by these guys to tear down houses - right? - if you will. 

Dave Bittner: Right, right, right. 

Joe Carrigan: It's interesting to see how we've gone from not enough data to way too much data, which I think is probably an accurate or almost certainly an accurate statement. Because false positives are the bane of an analyst's life. 

Dave Bittner: Yeah. 

Joe Carrigan: Chasing down a false positive makes people miserable. It's one of the leading causes of burnout, I think. 

Dave Bittner: Yeah. 

Joe Carrigan: I think I remember reading something about that. And I like what he says about chaining these indicators together. You know, a single indicator is very well - could be a false positive. But when you start seeing a bunch of indicators in a row along what is the cyber kill chain, you can start to filter out a lot of the noise and see a lot of these things. Like, you know, somebody running a port scan - that's probably bad. But if the user is someone like me and I'm a developer and I got to look at my machine to see what ports are open, I'm going to run a port scan on it, right? But that's going to cause the security analysts to go, hey, Joe, why are you running port scans? And that takes time... 

Dave Bittner: Right. 

Joe Carrigan: ...Out of his day. But if that port scan then results in me connecting to some obscure service and then that machine connecting to another machine, that's not something I generally do. 

Dave Bittner: Yeah. 

Joe Carrigan: So chaining those things together can be, I think, very telling. 

Dave Bittner: Yeah. I'm a big fan of the notion of these systems looking for behavioral things... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Like you say, not just indicators of compromise. But what are you actually doing? 

Joe Carrigan: Right. 

Dave Bittner: Yeah. All right. Well, our thanks to Joshua Neil for joining us. Again, he is the chief data scientist for Securonix. I have to say, Joe, I love talking with data scientists. 

Joe Carrigan: Yeah, they're interesting. 

Dave Bittner: (Laughter) They're always interesting conversations. 

Joe Carrigan: I like his story, too, how he started as a statistician and... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Got into cybersecurity. 

Dave Bittner: Yeah. Yeah. So again, thanks to Josh Neil for taking the time. 

Dave Bittner: All right, that is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.