
A Couple of RATs Pick Up New Tricks, UN Proposes Cybercrime Treaty
Sherrod DeGrippo: Welcome to the "Microsoft Threat Intelligence Podcast." I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week, dive deep with us into the underground. Come here for Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries and shape the future of cybersecurity. It might get a little weird. But don't worry, I'm your guide to the back alleys of the threat landscape. [ Music ] Hello and welcome to the "Microsoft Threat Intelligence Podcast." I am Sherrod DeGrippo, director of Threat Intelligence Strategy at Microsoft. And I am joined by two excellent guests today, Thomas Ball, senior security researcher at Microsoft, and Dinesh Natarajan, senior threat hunter at Microsoft. Thomas, Dinesh, thank you for joining me.
Thomas Ball: Thanks for having us.
Dinesh Natarajan: Thank you, Sherrod.
Sherrod DeGrippo: So, I want to know what's happening out on the threat landscape. Probably my biggest hobby outside of the dog is asking people what's going on out there. So, I know that you guys discovered some activity from AsyncRAT, a tried-and-true remote access Trojan that's been around for several years. Give us an idea of what's going on with that attack chain, how it looks and what's interesting about this.
Dinesh Natarajan: Sure. So, in late August, we detected an interesting infection chain where AsyncRAT was deployed through an established ScreenConnect session. So, this pattern is unique and not seen in previous campaigns. So, basically, we know about these two tools. Right? AsyncRAT is an open source remote access tool. Basically, it allows the user to remotely access the computer. And, on the other hand, ScreenConnect is an RMM, remote monitoring and management software. And this is often abused by the threat actors in the recent campaigns. We have seen it's used for persistence in some cases and in conducting lateral movement on compromised environments and even in ransomware deployments. But this is our first time we see the use of ScreenConnect to deploy other malware. So, that's an interesting chain we've seen. So, another interesting thing we have seen in this campaign is the initial access vector, so how this ScreenConnect comes into the system. And this is through a tech support scam campaign where a user received a phishing e-mail impersonating a tech support person with a link requesting to join a session. And the e-mail is specially crafted in such a way that it looks very genuine - like it actually comes from a tech support person offering help - and the subdomain they were using is also this Azure storage domain web.go.windows.net, so, to abuse it to increase the chances of the phishing. Once this URL is clicked, it goes to a website where users were prompted with a captcha. So, the attackers are, you know, increasing the techniques - using these techniques to make users believe it is actually coming from a legitimate user. So, once the user checked that "I'm not a robot" box, it redirected to a link that perfectly looks like a tech support person's login page, like it has a Welcome page, join us with a code. And what happens in the background is the ScreenConnect software gets downloaded. 
And once the ScreenConnect session is established, what happens in the background is the threat actor transfers executable installation files that contain a number of components. We have an NSIS script in that. And then embedded AutoIt components and batch scripts which are used to deploy AsyncRAT. So, basically, NSIS is an application used to create Windows installation files. While, on the other hand, AutoIt is a scripting language that can be used to automate Windows tasks. These are open source tools that are commonly used in the wild and for non-malicious purposes. So, threat actors carefully select these things to bypass defenses and install that and use it to install and deploy malware. So, what this NSIS script does is it runs a batch script and concatenates different parts of the installation files into a single file with the PIF extension. This is basically an AutoIt script and they rename this extension as a part of defense evasion. And what this malicious AutoIt script does, this is primarily responsible for decrypting and launching the embedded AsyncRAT payload, and it does it in memory without touching disk. And, also, this AsyncRAT injects into RegAsm.exe so that it injects the malicious payload into a legitimate Windows process, which is a popularly known living off the land technique. And what happens is, from this RegAsm.exe, the network connections to the C2 infrastructure get initiated and the connection gets established. From there, the threat actors take control remotely of the victim device and perform malicious operations like key logging, file stealing and even in some cases deploying other malware for the second stage payloads leading to ransomware. So, this is how it looks. We can clearly see the attacker has emerged to make the users believe and to get the initial foothold of the chain. If you see the connection from ScreenConnect to AsyncRAT, it is new. 
And this infection chain we've commonly seen in the recent times and we strongly believe other info stealers also might be deployed through this technique.
Sherrod DeGrippo: Wow, there's a lot going on there with that one. So, essentially, what AsyncRAT is doing is starting with these tech support emails, right, where it says like you need - some of them I think say that you have to pay, like you have an outstanding invoice and you have to download this application or connect to this website and download this application if you want to fix it. Is that right?
Dinesh Natarajan: Oh, that is in the previous cases. But, here, they impersonate as a tech support person or offering to help like, you know, some update to be installed in the system or your system is infected and it needs some resolution to join the session.
Sherrod DeGrippo: So, they're leveraging social engineering through e-mail.
Dinesh Natarajan: Exactly. And even those links are also specially crafted in such a way to make the victim believe that it's actually a tech support person.
Sherrod DeGrippo: So, I saw, too, that there is at least 10 malicious domains that they are using to host some of these campaigns. Is that a lot? Is that a little? Where does that rank kind of in some of the campaigns you've seen in the past?
Dinesh Natarajan: Actually, it's a lot and it keeps emerging as well. We have seen these attackers suggesting new domains and leveraging that for tech support scam campaigns. It's a continuous and persistent threat from what we have seen.
Sherrod DeGrippo: And I've also seen that sometimes these require you to actually call on the phone. How does that part work?
Dinesh Natarajan: Yes, there are different ways of this tech support scam happening. In this specific chain, what we have seen is through e-mail, and we have seen cases where a tech support person comes through calls or through Teams. That's also another way to reach the users.
Sherrod DeGrippo: Got it. Oh, and I also see that it potentially includes malvertising, so pop-up ads that have links to these malicious sites where they direct the victim to download the tech support piece.
Dinesh Natarajan: Exactly, you're right, yes.
Sherrod DeGrippo: So, let's talk a little bit about AsyncRAT. In terms of capabilities, you mentioned info stealing. But it looks like AsyncRAT does - it can do full remote management, key logging, screen capture, AV recording, obviously exfil, data exfiltration, and it encrypts its own network traffic. The thing that I think about with RATs is now a threat actor has direct access to your machine. And any of these things that they want to do, whether it's those sorts of features or they want to download further stage malware options, that's really the scary part about a remote access Trojan.
Dinesh Natarajan: Yes, you are right. So, that gaining initial foothold is the key here. And attackers keep on evolving like on the social engineering techniques and how to get it on the system. From there, there are a lot of more things which can happen. Yes.
Sherrod DeGrippo: So, I think it's really important for people to pay attention to these. Anything that we would suggest for users that possibly run into some of these threats?
Dinesh Natarajan: Yes. First thing is the awareness about these campaigns. And, also, the second part is on the browser usage, like Edge and other browsers which support Defender's SmartScreen feature, which directly blocks these kinds of websites from being downloaded, and having the proper network protections in place. So, this will prevent the initial stage itself.
Sherrod DeGrippo: Okay, good. So, people basically just need to really be aware for these. We are blocking them in Microsoft Defender, but, you know, it could be on your home computer, it could be on a friend's computer, your family. Watch out for these kinds of things because they are multi-vector. They are, you know, phone calls, emails, pop-ups. They can come at you from lots of different directions. So, it's something to be really careful about.
Dinesh Natarajan: Yes.
Sherrod DeGrippo: All right, Dinesh, anything else we should know about AsyncRAT and this new infection chain that we're seeing?
Dinesh Natarajan: Basically, what we have seen is this is something very new. If you check on the earlier campaigns, we don't see any connection between ScreenConnect and the different malware. But, here, this one is properly connecting ScreenConnect to AsyncRAT. And AsyncRAT is just the start of this, I would say. A similar pattern will be deployed by other threat actors in having their customized payload also be delivered in this similar fashion.
Sherrod DeGrippo: Okay. Well, everyone, be safe out there. Watch out for that one. RATs and Trojans are perennial favorites of threat actors and they seem to be getting more and more creative every day with their attempts to get these onto your machines. So, that's what's going on with AsyncRAT out on the threat landscape. Thomas, I hear you're seeing some interesting things, too. What's happening for you?
Thomas Ball: Yeah. So, another RAT that has popped up on our radar is SectopRAT, which is a little bit different than AsyncRAT. It's primarily used for info stealing, so targeting browser information and crypto wallets.
Sherrod DeGrippo: Ohh.
Thomas Ball: It also has an encrypted C2 feature and it also has the unique ability to create a hidden second desktop. So, attackers can operate on the second desktop stealthily without the user actually knowing what's going on in the background.
Sherrod DeGrippo: What is a second desktop? What does that mean?
Thomas Ball: So, on Windows, there is a capability of having different desktops, and also on Mac OS, too, where you can shift between desktops. So, you can have completely different windows open, different programs open, and then you can just, with a quick touch of a button or a mouse move, switch to the different one where you have other windows open.
Sherrod DeGrippo: So, this is like a productivity thing. This is like I have multiple desktops to keep all my stuff efficient or something.
Thomas Ball: Correct.
Sherrod DeGrippo: Okay, okay.
Thomas Ball: Make it easier to switch between the different -
Sherrod DeGrippo: Tasks.
Thomas Ball: Applications that you're running. Yeah.
Sherrod DeGrippo: Okay.
Thomas Ball: So, like attackers do, they're abusing this productivity functionality for their own benefit. As far as the info stealing capabilities, it can steal your system information, things like location data, but primarily it's for browser data, so any passwords that you have saved, your cookies, particularly auto-filled passwords. And then they use that information to go after crypto wallets if you have that set up.
Sherrod DeGrippo: So, just to be clear on the crypto side of the house, if you've got the password stored for your wallet, for exchanges that you use, things like that, in a machine where the SectopRAT is installed, it's going to siphon out that as well.
Thomas Ball: Exactly.
Sherrod DeGrippo: Okay. Pretty smart.
Thomas Ball: It's scary because, you know, there is a trust involved in your browser. You know, you trust that those things are safe, that they're safely stored in there. But, unfortunately, attackers have found ways to go after those things.
Sherrod DeGrippo: Got it.
Thomas Ball: The investigation that we performed where we found this activity happening, it all started with a user looking for some software to download. So, they went out to Google, searched for a specific app. Attackers use different software, it's not necessarily a specific one, but, you know, you could be looking for ScreenConnect or some kind of project management or notetaking software. And they have websites set up to mimic the legitimate website. So, when you go search for it, they've figured out how to either poison the search engine or have a malicious ad where theirs shows up first. And you click on that one and you're actually taken to the attacker's website where they have a link to download what looks like a legitimate tool or piece of software, but it's really malware. And the victim goes to the website, downloads the malware, executes it thinking they're going to install it on their system and then they're just going to have that software to use. But what it's actually doing is downloading the malware, which is then reaching out and downloading the secondary payload, which typically is a DLL file, which then they load and then that executes some malicious code and then that reaches out to attacker infrastructure where it downloads additional payloads. In this case, it downloads SectopRAT and then it'll go through some things like looking for antivirus using a tool like Tasklist to see what's running on that system. And then what's really new about the activity that we're seeing, and this isn't necessarily just SectopRAT, but we're seeing this with other RATs as well, including AsyncRAT, and that is the use of AutoIt3.exe and malicious AutoIt scripts.
Sherrod DeGrippo: What is that?
Thomas Ball: I'm not sure if you want to call it a productivity tool, but it's something that people use to execute scripts for IT purposes. And, again, attackers love to exploit tools that are meant to be used for good. And, in this case, they use it to execute malicious scripts that they write, which then inject code into Windows binaries, like, in this case, it's InstallUtil, but it could also be - we've also seen it with MSBuild, RegAsm and other less commonly used Windows binaries. I think Windows Update is also another one that's pretty popular. And they'll inject into that and then they'll use it to make C2 connections out to their infrastructure. And, that way, it looks like it's a legitimate binary doing things that are not totally out of the ordinary, making network connections like MSBuild, for instance, very common for it to be reaching out. So, it's a way for them to kind of hide their tracks and avoid detection. But they're really reaching out to their infrastructure. And, at that point, that machine is compromised and the attacker has access to it. And they can almost really, you know, beyond just stealing your crypto wallet or your passwords, you know, they can almost do whatever they want.
Sherrod DeGrippo: Did I see for the command and control for this one that they're using a DGA?
Thomas Ball: I'm not sure if they did that on this one. I don't believe that they did. But that is something that they're doing. They are definitely using DGAs to essentially generate new domains that they can just quickly filter through when they need to make a new one.
Sherrod DeGrippo: And then tell me a little bit about like what volumes we're seeing this in. Is this really widespread? Is it super targeted? Is there anything that we see around like specific victimology?
Thomas Ball: With this kill chain, I would say no. And that's primarily because it's kind of - it's not targeted. It's kind of wait for the victim to come to you type attack. But, in general, and Dinesh can correct me if I'm wrong, but we are - you know, we're generally seeing a lot of widespread RAT usage. I wouldn't say it's targeted at anything specific, like any specific industry or geolocation. It's pretty widespread.
Sherrod DeGrippo: Okay, that's good to know. Anything else we should mention about this attack chain or specifically what's going on there?
Thomas Ball: So, one of the things that they also did with this attack was they used typosquatting. So, that's one of the ways that they trick the user into going to the website. So, when they see those search results, it looks like it's the legit website and, if you're not really paying attention, you're not going to catch it. So, it's not a new thing. This is - you know, it's an old technique, but it still can be very effective.
Sherrod DeGrippo: So, when you say "a typo domain" it's like a domain that looks like a well-known brand or something like that, like a commercial brand, but the actual domain is not the right - it's like it uses a lookalike or it uses some kind of letter transposing them to make it look like that's where you're going and then they are also getting put into the search engines with that?
Thomas Ball: That's right. So, it could be like you're going to nike.com, but instead of an I, it's an L.
Sherrod DeGrippo: Okay.
Thomas Ball: So, if you're not really paying attention - it's not super sophisticated, it's really simple. They're not doing anything tricky, like a homographic attack where it looks exactly like the real domain, but it's actually there's some trickery they're doing there, it's just they're just replacing a letter and hoping that you don't notice.
Sherrod DeGrippo: And that's something that we've seen for a really long time. But, I'll tell you, I don't feel like most people, including myself, really inspect the text of the domain that you're clicking on. I think, you know, especially if you're using a search engine that you specifically are like, "I'm going to go look this up, this is what I want," you're not checking to make sure that that domain is as it says it is.
Thomas Ball: Right, exactly. You search on Google, you expect that that first result is going to be the best one. And, unfortunately, you know, actors have figured out ways to get themselves up there and violate that trust.
Sherrod DeGrippo: Yeah, search engine poisoning and malvertising are something that I think a lot of people have been watching that landscape for years and years and years. And you'd expect, by this point, that those techniques really wouldn't be successful anymore. But that, in my opinion, is a fallacy to believe that the old techniques don't work anymore, assuming that technology has filled those holes. They have not. And, when they do, the threat actors just go around them and find a new way. So, whatever they were doing to do search engine poisoning five years ago, they're still doing search engine poisoning, they're just using different tactics to make it work.
Thomas Ball: Yes. And, as long as there is a human element involved on the victim's side, it's just going to work, unfortunately.
Sherrod DeGrippo: So, that sounds like you're saying that we should eliminate all humans.
Thomas Ball: Not all of them. No, I'm just kidding.
Sherrod DeGrippo: I mean, I think that that's something that like we've struggled with for a long time as an industry, right, is that human intervention and technology blocking things for security reasons. But, as we see, humans are still sort of that most targeted, most easily breached aspect of a security chain. And, so, threat actors know social engineering, get people to click on things that aren't really what they appear to be, all of those kinds of techniques still work because there's a human in the mix.
Thomas Ball: Education is extremely important. You know, just teaching people what to look for, how to be cautious, not to trust everything and just to be aware of what's going on. And even - you know, even family members and - like my parents, like just keeping track and making sure they know little things are going on. You know, I'm not going to go into deep talks with them on what the threat landscape looks like, but just -
Sherrod DeGrippo: You don't give your parents a threat landscape update every week?
Thomas Ball: No, I think their eyes might roll in the back of their heads. You know, letting them know if you're searching for things online, just be aware these are the small things that they do that could impact you and you could fall victim to them.
Sherrod DeGrippo: I feel like there is definitely some awareness gap, but, at the same time, hopefully, technology is getting better and better. I assume that we're blocking these when we see them within the Microsoft products. And, so, there is that level of technological security that's super important.
Thomas Ball: Yeah, absolutely. And that like goes back to what Dinesh mentioned about using browsers that have SmartScreen or some equivalent that, as long as they're up to date, they have the latest database of malicious domains, they will be blocked.
Sherrod DeGrippo: Awesome. That's good to know. Thomas, Dinesh, two fantastic threat researchers and threat hunters here at Microsoft, thank you so much for joining me and giving us this threat landscape update. It was great to talk to you.
Thomas Ball: Likewise. Thanks for having us.
Dinesh Natarajan: Thank you so much. [ Music ]
Sherrod DeGrippo: Welcome back. I am joined now with Kaja Ciglic, senior director of diplomacy at Microsoft. Kaja, thanks for joining us on the "Microsoft Threat Intelligence Podcast."
Kaja Ciglic: Thank you for having me.
Sherrod DeGrippo: So, I am really interested to talk to you because you're working on something with the UN Cybercrime Treaty. And a lot of my listeners know that crime threat intelligence is something that I am highly focused on. It's one of the things that I think is most interesting on the landscape. So, if there is policy coming, what should we know about this UN Cybercrime Treaty?
Kaja Ciglic: There are so many things. So, this is one of those policy developments that will impact everybody everywhere. It is a document that's been negotiated at the United Nations, so, hence, the UN Cybercrime Treaty, and it is fairly broad in scope. It was originally proposed by Russia in 2017.
Sherrod DeGrippo: Well, that's concerning -
Kaja Ciglic: I know.
Sherrod DeGrippo: Because headquarters of digital crime is proposing a cybercrime treaty. How should we think about that? It's not great.
Kaja Ciglic: It's not great.
Sherrod DeGrippo: Okay, agreed.
Kaja Ciglic: So -
Sherrod DeGrippo: That's concerning, yeah.
Kaja Ciglic: Yeah, that's concerning. They first proposed it in 2017 and then the negotiations started in 2019. And we are now sort of at the end. The original proposal that Russia put forward was even more concerning than what we have on the table now. So, I think collectively both civil society, governments and industry were able to have quite an impact on the text. But it was very clear that from the start Russia had its own agenda. The agenda wasn't to try and limit cybercrime, it was much more to try and limit freedom of expression, to try and effectively impose its own view of how the internet should work on the rest of the world. We currently have a cybercrime treaty that's sort of EU/US based, not at the United Nations, the Budapest Convention. And that one is the one that collectively sort of - I'm going to say the democracy-loving participants and people who want to put human rights at the center of the fight against crime on the internet were modeling our negotiating position on. But because the original text was so bad, where we ended up is not a perfect place by any definition, effectively, but, in August, nevertheless, the countries - all of the countries, it was adopted by consensus, so, 190+ countries voted to adopt this convention. It's obviously a compromise. And we are now - this was in the committee and now it's going to the General Assembly for a final vote in the next couple of weeks or so. And then each country needs to put it in its own legislative process domestically. So, 40 countries need to transpose it, to ratify it, for it to become law. And 40 is not a high number, I think. So, we'll see how it goes.
Sherrod DeGrippo: And when will that be happening? When would we hear something?
Kaja Ciglic: So, the final vote will be before the end of the year, so before the end of 2024. And then the transposition will really depend. I think some countries will act quickly. I'm going to assume countries like Russia that like it will try to do it quickly and encourage their allies to do the same. Some countries, for instance, the United States, will probably take a longer time or, hopefully, never adopt the treaty. But it will really depend. I think the thing that we think is fairly concerning is the appetite for countries to have something. And if we think about, you know, the Budapest Convention is a treaty, but it's small - about 70 countries are signed on to it and sort of use it to cooperate. The rest of the world doesn't have anything. So, what we think is going to happen is the countries who believe they don't have a mechanism to actually work with each other to try to prosecute criminals, and often also don't have the capacity, so, in Africa or sort of more developing countries, I think they are likely to be quick to adopt.
Sherrod DeGrippo: So, let me ask you a little bit about that. The first thing that comes to mind for me as somebody who focuses so heavily on crime is one of the frustrations that we have are these ransomware actors that we cannot get to. They are beyond extradition. They don't ever really have to face justice. Many of them are living incredibly lavish lives off of ransoms that they have taken from the West, ransoming hospitals, ransoming schools, ransoming significant parts of our infrastructure, critical systems, critical services. What does this treaty mean if it's adopted for bringing some of these ransomware actors to justice? Is that possible?
Kaja Ciglic: I think it will be as possible as it is possible now. Right? I think states have tools available to cooperate already on cybercrime. They just choose not to use them. They choose - in - particularly in certain jurisdictions or in certain countries, they choose not to prosecute criminals because it's not in their interest, and particularly if they often attack abroad and not in their -
Sherrod DeGrippo: Right.
Kaja Ciglic: Domestic jurisdiction. Right? And it's effectively a source of income. And, in particular, if the cyber criminals are associated or affiliated to the national security services in some of the countries, I think this is true for Russia a lot of the times, it's true for China sometimes, it's true for Korea sometimes as well, I think then they really have no interest in going after these actors. Right? And I think the treaty provides a framework that countries can leverage to request access, request cooperation, request an exchange. But unless countries are willing to do it, they will still not do it. So, it's a framework. Hopefully, countries can use it, but it's not going to solve very much, which is why we think it's not necessarily fit for purpose.
Sherrod DeGrippo: Got it. So, what's interesting you mentioned were some of these developing countries. We certainly see things like 419 scams, the famous Nigerian prince scams coming out of places like West Africa, Nigeria, Morocco, Liberia, some of those developing Western Africa countries. Do you think they might treat it differently than Eastern Europe and Russia, for example?
Kaja Ciglic: I think they might. I think there is an element of the treaty in there that talks about the need and creates a tool - a vehicle I guess for technical assistance, effectively capacity building -
Sherrod DeGrippo: Ohh.
Kaja Ciglic: For the countries that need it. So, I mean, there is a lot of that already that countries voluntarily provide. So, for example, the U.S. has a capacity building program, I feel Australia has a very strong capacity building program as well targeted to law enforcement. But much more needs to be done there as well. I think that where the treaty helps, it helps - it gives them like a template where they can be like, "Okay, we can transpose this international law," hopefully, with some human rights safeguards in place, but also for it to be effective and to work in a way that it's not going to negatively impact either the industry or human rights activists or security researchers. It needs to kind of come with training. And, hopefully, that is something that countries, if they go down the road of adopting and ratifying, actually do.
Sherrod DeGrippo: So, let's talk about those groups a little bit. I see one of the points that was brought up by one of our colleagues is avoid expanding the definition of cybercrime to broadly encompass online content, undermining human rights and including freedom of expression and the right to privacy. So, how do we make sure that one country doesn't interpret that as precluding freedom of expression while another country follows a more traditional Western idea of cybercrime? How does that work?
Kaja Ciglic: Yeah, I think - and this is the challenge with the treaty at the moment, it gives quite a lot of power to the domestic legislative environment as well, so - without necessarily the appropriate standards being applied. So, we're hopeful that if this goes through, if it gets ratified rather by different countries, it also comes with specific mechanisms where it's effectively a guidance mechanism that would be developed. We have a very similar model at the Budapest Convention as well that sort of drives - it has human rights safeguards, it has interpretation of different articles of the treaty in there as well. You know, talking about security researchers, the Budapest Convention also does not include specific protections for security researchers, but it does have them in sort of this explanatory document that is associated with it. So, countries can then - can look at it and be like, "Oh, we should maybe not prosecute them. I feel they're trying to do good. It's not a crime." And, so, that's the concern at the moment with the UN treaty, is that it has nothing like that, really, as well, so it's just words on paper and it could be interpreted however a particular country wants to.
Sherrod DeGrippo: Okay, that's concerning. That does sound scary, especially with, I know Microsoft, for example, has such huge partnerships with security researchers, bug bounty hunters, even, you know, anything within the vulnerability, exploit and research world, Microsoft is heavily involved obviously through our MSRC organization. So, that's something that I'm sure would be of interest to listeners. There's another piece of it that I see as well that says preserve the right of technology providers to challenge government demands for data on behalf of their customers. So, in the United States, we have been through some things such as Carnivore, such as CALEA, such as national security letters, such as FISA. So, we have been in a place in the United States where we've been fighting that battle for a long time. What does this UN Cybercrime Treaty say about those things?
Kaja Ciglic: It makes it worse.
Sherrod DeGrippo: It makes it worse. Wow.
Kaja Ciglic: Yeah, because, like I said earlier, it depends so much on what the national legislation is. And the text at the moment, again, without these human rights standards, like safeguards, and without the legal process provisions as well, effectively says that a prosecutor in country X could go to the company in the country - not necessarily, you know, at the moment we have this agreement where, when they try to get to data or get access to services, they need to go to the headquarters and there is sort of a process with the government where the company is headquartered as well involved. Under the treaty - under the new treaty, they could just go to a guy that works for Microsoft in -
Sherrod DeGrippo: Ohh.
Kaja Ciglic: Country X that has access to the data and request access from that person. That person would not necessarily be allowed to tell Microsoft that they asked them for the data or the country that is impacted. So, that's very concerning.
Sherrod DeGrippo: Sometimes I wish that this was a video podcast so that people could see my face right now. I am disgusted by hearing that. That's horrible.
Kaja Ciglic: It's not great.
Sherrod DeGrippo: That's really bad. So, something else that I see in here is that, you know, clamp down on safe havens by strengthening extradition measures within the convention to ensure cybercriminals cannot evade prosecution and accountability. That is the world that we live in today: we really see criminals easily hide in their home countries. There are jokes in the threat intelligence and research community about taking a holiday on your yacht in the Black Sea because these threat actors know they can't leave their countries. So, they live really large there, they spend a lot of money, they have yachts, they have luxurious lifestyles. As long as they stay in their home country, there is no risk to them.
Kaja Ciglic: Yeah.
Sherrod DeGrippo: So, we kind of feel like there is a bit of clamping down maybe that needs to be done in that direction while still maintaining human rights, freedom of expression and things like security research. So, what are we looking at here? Like what should we know about this? Because, for me, the more I think about it and look at it and talk to you about it - I'm obviously not a legal background person, I'm a computer nerd that, you know, types all day - I am kind of shocked. This seems, on its face, to someone who has worked in this world for the past 20 years of my career, I'm like, "Oh, this sounds real bad. I don't like it."
Kaja Ciglic: Yeah, I feel you have the right impression. Now, I think that what would solve a problem that we have with cyber criminals would be a much narrower treaty, right, that would actually just talk about cybercrimes, just very narrowly defined. They wouldn't have this, "Oh, it's just whatever you interpreted in national law," because if you have much more concrete definitions that are the same across different countries, it's much easier to just be, "Okay, so this is a crime in country A, it's a crime in country B," and they might still not be interested in country B to extradite and prosecute the person, but at least we all have a common agreement this is a crime. And if, as in this case, when it gets expanded and this sort of broad, vague language also about, you know, any - it could potentially include any crime that sort of ever touched a computer, but it's not defined or clear what that means, people will not use it. And, so, that's the real problem. I think there's so much potential, in particular on equipping the emerging economies and trying - and ensuring that they have the tools to prosecute criminals as well. But what we ended up with, particularly because we started with the Russian text, is not really doing any of that.
Sherrod DeGrippo: Yeah, I am more and more concerned the more we talk. It's definitely a concern. And, so, for me, I don't consider cybercrime just ransomware. I see the full ecosystem that's required, whether you're actually initial access broker, you're delivering ransomware, you're an affiliate or you make pages, you make landing pages and that's all you do. Something like one of our threat actors, Storm-1101, they just make phish kit landing pages and that's it. But they are a big part of the ransomware ecosystem because those landing pages lead to credential theft, those credentials are then sold in packages. The person buying them then might resell them or do an initial access sale from them. It's a huge ecosystem that's not just one threat actor group doing ransomware.
Kaja Ciglic: It is very specialized.
Sherrod DeGrippo: It's very specialized and operationalized as you know, Kaja, like these groups are professionals, they are organized, they use Jira, they use ticketing systems, they use software development, they host their things on software development, they use Agile. These are very well-equipped and well-organized threat actor groups. So, it sounds like this potential UN treaty that might be coming up needs some work. Is Microsoft advising policymakers at all on this? Do we have a position where we can influence?
Kaja Ciglic: We have from the start of the negotiations been part of them. I think, for all the bad things, it was actually a very good thing that happened with the negotiations: for the first time, the UN and the countries actually included not just the private sector, but civil society as well, and brought security researchers in to talk sort of on a regular basis during the negotiations. So, from that perspective, it's been - I think it was - it's been the best.
Sherrod DeGrippo: Oh, okay.
Kaja Ciglic: They've never done it before. So, it's been a great step forward in terms of engaging. The problem is that they've not always listened. And I think that would be a different outcome if we started with a different text. Right? Or if we started even with a blank page versus a really bad text from the Russians, because then you basically had to negotiate out all of the bad stuff. And that took forever, obviously. But - and took a lot of political chips as well. But I think we are now at a stage where, you know, it's been adopted in the committee, it's going to most likely - I think it's highly unlikely that everything would change - be adopted in the United Nations General Assembly by the end of the year. Where we have an opportunity to influence collectively, I think, as the industry, as companies, but also as individuals that want to make sure that cybercrime goes away, is working with individual countries to get them either not to ratify the convention or to very clearly adopt the appropriate safeguards, human rights and others, when they ratify it. That's kind of where we are at the moment.
Sherrod DeGrippo: I think that that's very wishful and hopeful. I hope that we can get to that point. And I want to read something from our colleague Amy Hogan-Burney, who I love working with; I've done a lot of work with her at RSA. We should really get her on the podcast at some point, too. But she has this fantastic paragraph, it's two very powerful sentences in a post that she made on LinkedIn. And it's this: "The risk is that the treaty will not be a tool for prosecuting criminals, but rather a weapon that allows for intrusive data access and surveillance instruments. The result could be an international agreement granting authoritarian states the power to suppress dissent under the guise of fighting cybercrime," which is the opposite of what all of us in the threat intelligence and research and security community want. We want the free expression, we want freedom of dissent, we want the cybercrime prosecuted, extradited and things like that. And we know from, you know, the practitioner side, we know we're never going to solve this whole problem. Just like you never solve, you know, burglary. These things are going to continue to some degree. But, right now, it's like we've brought a stick to a gunfight. We don't have anything that's really arming us. And this honestly sounds like it's taking us back a little bit.
Kaja Ciglic: I think it is. I think the reason why it's taking us back is basically that it gives a platform for all of these bad ideas -
Sherrod DeGrippo: They are bad ideas.
Kaja Ciglic: Where basically the idea is an international institution that is respected. Right? Before, you had authoritarian states domestically treating human rights activists and dissent this way, but it was in their domestic jurisdictions. And, sort of globally, we at least paid lip service to the fact that, you know, we want a free, open, secure internet. And in all of the big agree - international agreements, it always talks about a free, open, secure internet. And this is the first time where you have some of these ideas - the bad ideas - actually slipping into a document that is then endorsed by 196 countries. And even if the democracies choose to interpret it in a good way in their domestic jurisdictions, it's still without a lot of engagement, I think, in sort of the emerging economies in particular. I think it will just ensure that the bad ideas spread.
Sherrod DeGrippo: Well, that is really terrible. Okay, so, Kaja, I have kind of a question for you and let me know if it's in this UN Cybercrime Treaty at all. Anything about banning ransomware payments or how ransomware payments should be handled? Nothing like that in here?
Kaja Ciglic: Nothing either.
Sherrod DeGrippo: Okay, good to know. I know that that's a hot, hot, hot topic amongst us in the crime intelligence world. A lot of people have a lot of strong opinions on it. If you have an opinion on it, go ahead and hit me on X/Twitter @sherrod_im and tell me what you think about banning ransomware payments. Kaja Ciglic, senior director of Digital Diplomacy, thank you so much for joining me. This was very eye-opening. I was not aware of this. And I'm excited that the listeners are going to get to understand some of this stuff that most of us don't really ever get to learn about.
Kaja Ciglic: Thank you for having me once again. [ Music ]
Sherrod DeGrippo: Thanks for listening to the "Microsoft Threat Intelligence Podcast." We'd love to hear from you. Email us with your ideas at tipodcast@microsoft.com. Every episode, we'll decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out, msthreatintelpodcast.com for more and subscribe on your favorite podcast app. [ Music ]