CyberWire Daily - A look at the cybercriminal underground, its commodity tools, its rising gangs, how it recruits talent and affiliates, and even how it raises investments.

Episode Date: June 29, 2021

Legitimate tools are abused as commodity initial access payloads. Hades ransomware is circulating in some new sectors. Criminal markets are sharing more features with legitimate markets, including advertising, recruiting, and even funding rounds. Cybercrime uses cryptocurrency, but the key to success may be location more than technology. Ben Yelin describes insurance companies collaborating on cyber breach data collection. Our guest is Michael Osborn from Moody's on a recent rash of cyber attacks hitting higher education. And Denmark’s central bank is reported to have been a victim of the SolarWinds compromise. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/124

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 companies collaborating on cyber breach data collection. Our guest is Michael Osborne from Moody's on a recent rash of cyber attacks hitting higher education. And Denmark's Central Bank is reported to have been a victim of the SolarWinds compromise. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 29, 2021. Proofpoint has concluded that Cobalt Strike, the well-known legitimate penetration testing tool,
Starting point is 00:03:14 is becoming increasingly popular as an initial access payload deployed by threat actors. It's become a commodity tool, more often used by cybercriminals than by state-run advanced persistent threats. Criminal activity using Cobalt Strike peaked in 2019 and 2020 and has fallen off somewhat since, but it remains a problem. Crediting research by Accenture, CyberScoop reports that the Hades ransomware gang is coming into sharper focus. It's recently been targeting consumer goods and services, insurance and manufacturing, and distribution industry sectors. It's also added Phoenix CryptoLocker to its arsenal.
Starting point is 00:03:52 Unlike other ransomware groups, Hades does not appear to use an affiliate network. Attribution remains murky, with various researchers calling it a new group, and others linking Hades to either Russian or Chinese threat actors. Criminal markets continue to develop similarities with legitimate markets. LIFARS has shared a new wrinkle in this trend with Fast Company. Cybercriminal groups are investing in promising new ransomware enterprises, in much the same way venture capital firms invest in tech startups. In exchange for financial support, the criminal backers receive a cut of future profits.
Starting point is 00:04:34 Calls for investment are typically made over secure chat apps like Telegram, and only investors with proven connections to the criminal underworld are accepted. So, if you're a prospective backer of a ransomware gang, not that you would be, of course, but just suppose, you'd have to show that you'd made your bones, as La Cosa Nostra says in the movies. In this case, you don't do that by whacking some jamoke, but rather by showing some evidence that you've been involved in digital crime. Fast Company says that sending a token amount of cryptocurrency traceable to a ransomware incident or something similar to a certain address
Starting point is 00:05:13 will usually suffice. Why would you bother either soliciting investment or deciding to invest? Aren't criminal operations like ransomware effectively self-funding? They are, for the most part, but they have their startup expenses too, and even hoods need to eat while they're waiting for the victims to pay up. Some of those startup costs may include hiring skilled coders who can build or modify the ransomware; they need infrastructure to process payment and distribute decryptors, and they need access to deep-pocketed targets.
Starting point is 00:05:47 They could phish for that access themselves, but increasingly they find that it's easier to buy that from criminal initial access brokers who've already phished, stolen, or brute-forced compromised systems. As far as investors are concerned, LIFARS CEO Ondrej Krehel says it's a way of spreading your risk around. You can put all your money in one basket or you can diversify, he told Fast Company. Ransomware gangs are also advertising not only for affiliates, but for tech talent as well, Bleeping Computer reports. They do that in ways that will be familiar to people looking for customers or talent in legitimate markets. Show your wares and your capabilities in the best possible light. Everybody wants to join a winner, and that's the conventional wisdom in the underground as much as it is up here. So the hoods see a small altcoin transaction as acceptable evidence that you're probably a fellow criminal and not a police officer or an agent provocateur.
Starting point is 00:06:52 That confidence, of course, can't be absolute since the authorities can be wily. But the crook's instincts are probably more or less sound. And again, like Cobalt Strike, cryptocurrency is far from being inherently nefarious. It has plenty of legitimate uses. But cryptocurrency has undeniably acquired a bad reputation. FireEye's CEO Kevin Mandia told CNBC yesterday that, quote, it's an enabler that you can break in anonymously and be paid anonymously, and now you can commit crime from 10,000 miles away in a safe harbor, end quote. Not everyone agrees, it's important to note. CNBC also quotes Katie Haun, a partner at venture capital firm Andreessen Horowitz,
Starting point is 00:07:38 an investor in crypto startups, who says it's a myth that Bitcoin is good for criminal activity. She says, quote, crypto is a step-level function improvement above the existing financial system in terms of traceability. The fact is, when crypto is used for illicit activity, it leaves digital breadcrumbs, and I can tell you that firsthand I used blockchain technology to actually solve crimes. End quote. Haun has prior experience as a prosecutor. So it seems not so much the altcoin as the criminal's base of operations that presents the problem. If the extortionists work with the tacit or explicit permission of a host government, it's difficult to bring them to book,
Starting point is 00:08:25 which is what Mandia appeared to have in mind when he told NBC that governments had an important role to play in suppressing ransomware. He said, quote, we have to consider all the tools of diplomacy to back the desired outcome we want, which is quite frankly to make sure that there's risk imposed to those who take advantage of cyberspace and the anonymity it offers. Denmark's Central Bank was among the organizations exposed in the SolarWinds compromise, Reuters reports, with a backdoor that stood open for some seven months. The bank told Reuters that there were no signs that the attack had any real consequences. One hopes not.
Starting point is 00:09:07 And in fact, if those who came in through the SolarWinds backdoor were, in fact, as is widely believed, operators of Russia's SVR, they may be right. At least, the SVR probably wasn't directly interested in bank robbery, since collection of information as opposed to coin is more in their line. Had the unwelcome visitors been privateers, of course, things might well have been otherwise.
Starting point is 00:09:52 checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:10:22 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:11:38 The FBI recently issued a warning to universities highlighting their vulnerability to cyber attacks. We often discuss how a ransomware attack, for example, can lead to financial and reputational damage. But what about an organization's credit rating? Michael Osborne is vice president and senior analyst for public finance at Moody's Investors Service. And he joins us to share how the credit rating agencies are looking at an organization's cyber defenses. You know, it's similar to warnings of the past, you know, both from the FBI, from maybe other agencies as well, around the risk of, you know, bad actors and wanting to extract information from higher education institutions. This particular warning revolves around a certain type of ransomware that affected, I think it's universities in a certain number of states and some other types of institutions. But, you know, it's just another reminder that this type of attack is on the rise, that it is a real threat in higher education, and that it has the potential to affect credit quality, you know, if it were to ever rise to a very serious level.
Starting point is 00:12:45 And that's what we're concerned with at Moody's is, you know, its ultimate, you know, impact on credit. What are the types of data that is at risk here with universities? What's the spectrum of things that could be affected? Yeah, so there's a lot. And, you know, some of the attacks we've seen highlight that, you know, you might have student record data, which might be less important than, say, confidential research or, you know, financial information of students, parents, maybe the university itself. If a university runs a hospital, now you're talking
Starting point is 00:13:27 about a different level of exposure and vulnerability with patient data records and potentially life-threatening information. And so it really runs the full gamut. And we've seen attacks threaten most of that type of information over the last several years. And how are universities positioned to defend themselves? Well, I think the number one response seems to be, you know, cyber insurance. There's a rise in those types of policies. I think the universities that are sort of large, wealthier, have, you know, some more resources at their disposal are implementing their own, you know, cyber defenses. And, you know, that could run, you know, a number of different ways.
Starting point is 00:14:14 But, you know, I think for most universities, they don't have access to those types of resources. So insurance seems to be, you know, one mitigant, at least trying to insulate them from financial harm, hard to insure against reputational harm. You know, some universities, again, some of the bigger universities, both public and private, are part of various consortiums where they're working with their colleagues in the industry to thwart bad actors. But they're throwing a lot at it, that's for sure. And in an environment where the digital infrastructure is more open than it ever has been, with students learning online, and those networks being exposed more, you know, it's becoming more important, and it's consuming a larger part of university budgets. That's Michael Osborne from Moody's Investors Service.
Starting point is 00:15:45 And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security. But more important than that, he is my co-host over on the Caveat podcast, which if you have not yet checked out, what the heck are you waiting for? We're begging you. Please listen to our podcast. I don't want to sound desperate or anything, but it's a good show and worthy of your time.
Starting point is 00:16:34 So, Ben, good to have you back. Good to be with you again, Dave. This article from Insurance Journal caught my eye, and it's "Seven Major Cyber Insurers Form Company to Coordinate Cyber Analysis and Risk Mitigation." I think the modern era of ransomware has really been a punch to the gut to a lot of these insurance companies. Can you unpack what's going on here? Yeah, so obviously, we've seen an increase in cyber attacks. And it's not just the high-profile incidents. It's also just an increase of incidents generally, so it's costing insurance companies a lot more to cover cyber incidents. So because these claims are on the rise, a bunch of leading insurers, they mentioned AIG, AXIS, Beazley, Chubb, The Hartford, Liberty Mutual, and Travelers have formed their own company, a separate company,
Starting point is 00:17:26 to pool their data and expertise and take collective action to address this problem. So they've created this entity called CyberAcuView. And that new entity is going to compile data, enhance value, and service to policyholders. That's what they say they're going to do. So what does that actually mean? Could this put them in the crosshairs for any coordination that could attract regulators' attention? Probably not. I would not think this is some sort of—
Starting point is 00:17:58 It seems as though they're coming at this from a position of good faith. I think it is a position. It's more like a consortium of experts trying to solve a problem that seems to be pretty unsolvable at this point. I think the issue is that companies increasingly want cyber insurance, but insurance premiums have gone up so high that, you know, because of these incidents, that people can't afford the types of insurance policies that would insure them against ransomware attacks. And as a result, companies feel that they're not in a position to offer cyber insurance
Starting point is 00:18:34 because it's so expensive for them to try and cover. Yeah. And we already have a form of insurance like that, Dave. Yeah, you know, I'm glad you brought that up because this strikes me, or I guess I have been wondering for a while, is cyber insurance headed the same way that flood insurance has headed? In that it is a type of insurance for which a private organization cannot make money. The payouts are too high relative to what you can possibly charge for the policies.
Starting point is 00:19:10 So what you end up with is a government-backed insurance program that isn't particularly good. In fact, bad would be a word I'd use to describe our flood insurance system. Right, I mean, and I will tell you, you know, I live in an area that my community has been affected by this. We got remapped into a flood zone. And it was expensive.
Starting point is 00:19:39 It's both expensive but also bad coverage. I mean, you pay a lot for insurance that really doesn't cover very much. And I wonder if we're headed that way with cyber insurance because of the big payouts. Yeah. I mean, I think the situations are quite analogous where the likelihood of the risk has gotten significantly higher and the damages, so the consequences of that risk has also gotten substantially higher that it is really impossible to cover. So, I mean, that's why I think the formation of this consortium is potentially a good solution. They can get kind of the best experts in the room to come in, figure out what best practices would be, figure out, you know, by consulting law enforcement regulators, how you can ameliorate the problem in the first place, stop the proliferation of these cyber attacks,
Starting point is 00:20:31 and then come up with innovative risk solutions, insurance practices on the back end if something does happen. I think that's kind of the best that these companies can do because I think they're really at a loss. They found a dead end here. It is not profitable for them to cover this insurance, but also all of their clients are coming to them saying we need cyber insurance. So, I mean, I think they're kind of just desperately searching for a solution here. You know, we recently just had President Biden meet with President Putin and cyber was at the top of their list of things that they talked about.
Starting point is 00:21:27 politicians to bring this up in a diplomatic way to say, look, you got an industry here that's dying because of what's going on with these cyber attacks. You got to put the pressure on our adversaries overseas. Yeah. I mean, I think this could be a big part of this newly formed organization is they have an interest in policies that mitigate cyber attacks. So they have the power and authority vested in them by the fact that there are
Starting point is 00:21:57 seven large insurers, allows them probably access to regulators and lawmakers to go in and say, we are trying to help on the back end to make sure that there is a profitable way to cover cyber incidents. Right. But we also need you to help us on the front end. So what are you doing at the regulatory level?
Starting point is 00:22:18 What are you doing in terms of international diplomacy to prevent cyber attacks from happening in the first place? You're not going to prevent every ransomware attack through diplomacy or through regulation. It's just not going to happen. Cyber criminals are getting smarter. They are not all acting on behalf of foreign governments. So it's not going to ameliorate the risk entirely, but it should be part of your broader effort to kind of redefine this entire field. Because I think this field of cyber insurance is having this reckoning that flood insurance had perhaps a generation ago. Yeah, yeah.
Starting point is 00:22:55 All right. Well, an interesting move for sure. Ben Yelin, thanks for joining us. Thank you. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly
Starting point is 00:23:23 produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
