CyberWire Daily - An international hunt bags Qakbot’s infrastructure. Anticipating remediation. Adversaries in the middle. More effective phishbait. Air travel disruption was a glitch, not an attack. Hybrid war update.
Episode Date: August 30, 2023
An international operation takes down Qakbot. Chinese threat actors anticipated Barracuda remediations. A look at adversary-in-the-middle attacks, making phishbait more effective, and the emergence of a new ransomware threat. Narrative themes in Russian influence operations. My conversation with Natasha Eastman (CISA), Bill Newhouse (NIST), and Troy Lange (NSA) to discuss their recent joint advisory on post-quantum readiness. Microsoft’s Ann Johnson from Afternoon Cyber Tea speaks with Cyber Threat Alliance President and CEO Michael Daniel about the current state of cybercrime. And when toilet bowls are outlawed, only outlaws will have toilet bowls.
Listen to the full conversation with Natasha Eastman, Bill Newhouse, and Troy Lange here: A joint advisory on post-quantum readiness.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/165
Selected reading.
Operation Duck Hunt bags Qakbot. (CyberWire)
FBI, Partners Dismantle Qakbot Infrastructure in Multinational Cyber Takedown (Federal Bureau of Investigation)
Qakbot Malware Disrupted in International Cyber Takedown (US Department of Justice)
Law Enforcement Takes Down Qakbot (Secureworks)
Qakbot: Takedown Operation Dismantles Botnet Infrastructure (Symantec)
Chinese APT Was Prepared for Remediation Efforts in Barracuda ESG Zero-Day Attack (SecurityWeek)
Phishing-as-a-Service Gets Smarter: Microsoft Sounds Alarm on AiTM Attacks (The Hacker News)
The Lure of Subject Lines in Phishing Emails - How Threat Actors Utilize Dates to Trick Victims (Cofense)
The Emergence of Ransomed: An Uncertain Cyber Threat in the Making (Flashpoint)
Cancelled flights: Air traffic disruption caused by flight data issue (BBC News)
Russian Offensive Campaign Assessment, August 29, 2023 (Institute for the Study of War)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code N2K.
An international operation takes down Qakbot. Chinese threat actors anticipated Barracuda remediations. A look at adversary-in-the-middle attacks, making phishbait more effective, and the emergence of a new ransomware threat. Narrative themes in Russian influence operations. My conversation with Natasha Eastman from CISA, Bill Newhouse from NIST, and Troy Lange from NSA to discuss their recent joint advisory on post-quantum readiness. Microsoft's Ann Johnson from Afternoon Cyber Tea speaks with Cyber Threat Alliance president and CEO Michael Daniel about the current state of cybercrime. And when toilet bowls are outlawed, only outlaws will have toilet bowls.
I'm Dave Bittner with your CyberWire Intel briefing for Wednesday, August 30th, 2023.
Yesterday, the U.S. Justice Department announced the takedown of the Qakbot botnet, led by the U.S. FBI. It was a multinational action with participation from France, Germany, the Netherlands, Romania, Latvia, and the United Kingdom.
The basic approach the agencies followed was first to obtain lawful access to the infrastructure and redirect traffic to servers the Bureau controlled. Any computer redirected to the server received an uninstaller file that removed the Qakbot malware.
The U.S. attorney for the Central District of California explained Qakbot's place in the criminal economy, stating, according to court documents, "Qakbot, also known by various other names including Qbot and Pinkslipbot, is controlled by a cybercriminal organization and used to target critical industries worldwide. The Qakbot malware primarily infects victim computers through spam email messages containing malicious attachments or hyperlinks. Once it's infected a victim computer, Qakbot can deliver additional malware, including ransomware. Qakbot has been used as an initial means of infection by many prolific ransomware groups in recent years, including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta. The ransomware actors then extort their victims, seeking ransom payments in Bitcoin before returning access to the victim computer networks."
Secureworks researchers call the group that operates Qakbot the financially motivated Gold Lagoon threat group. As is often the case, the threat group is tracked under several names. Symantec calls it Batbug. The botnet malware itself has been in action since 2007. It has a modular structure that supports a variety of activities, but it's been especially useful for ransomware attacks.
Secureworks also emailed an overview of what they've observed with respect to Qakbot recently, while the botnet was in its salad days. It was global in scope, Secureworks wrote. We observed 10,000 infected machines in 153 countries connecting to the C2 server over a four-month period. About 5,000 of the infected machines were connected to a domain and so can be inferred to have resided in business environments. The business infestations were probably of greater interest to the criminals. The U.S., Germany, and China represented the three most targeted countries.
Symantec reports that Qakbot was especially active between January and June of this year, when it relied principally upon spam for its distribution.
Qakbot's operators are based in Russia. That explains the lack of arrests in this case, and it also explains why Qakbot was able to operate with impunity. It was tolerated and probably enabled by the Russian authorities. Cooperation with criminal organizations is commonplace among Russian security and intelligence services. They're left free to operate as long as the victims aren't Russian, or as long as their crimes abroad don't harm Russian interests. But may they be brought to justice eventually. Well done, FBI and all international partners.
Last week, the FBI released an alert warning that Barracuda's email security gateway appliances
remain vulnerable to compromise by suspected Chinese government threat actors.
Yesterday, Mandiant described how that exploitation was proceeding.
The threat group responsible, UNC4841, is both adaptable and responsive to defensive measures, readily altering its tactics, techniques, and procedures to maintain persistence in the face of defenders' attempts to expel it. In this case, UNC4841 anticipated remediations in advance.
Mandiant expects the group to continue to seek ways of compromising edge devices.
The Microsoft Threat Intelligence team has warned of a rise in adversary-in-the-middle
phishing attacks, the Hacker News reports.
These attacks are launched via phishing-as-a-service offerings, Microsoft said in a post on the
platform formerly known as Twitter.
This development in the phishing-as-a-service ecosystem enables attackers to conduct high-volume
phishing campaigns that attempt to circumvent MFA protections at scale. The researchers
add, circumventing MFA is the objective that motivated attackers to develop adversary-in-the-middle
session cookie theft techniques. Unlike traditional phishing attacks, incident response procedures for adversary-in-the-middle require revocation of stolen session cookies.
Cofense warns that users should be wary of emails that have dates in their subject lines, especially if the emails reference late faxes, missed voicemails, overdue invoices, payroll, and other themes generally involving the need for immediate interaction. The researchers explain, in over two-thirds of the emails with dates in their subject line, the listed dates are before the email is accessed. This is not surprising, as it has long been assumed that threat actors are doing this to create a false sense of urgency. The dates in email subjects can now be added as a suspicious indicator. If the date in a subject line is before the date the email is accessed, then the email should be examined with additional scrutiny, and time should be taken rather than allowing the threat actor to take the initiative and pressure victims into quickly interacting.
Flashpoint is tracking a new threat actor called Ransomed that conducts data theft and uses a new tactic to coerce victims into paying the ransom. Flashpoint says Ransomed is leveraging an extortion tactic that has not been observed before. According to communications from the group, they use data protection laws like the EU's GDPR to threaten victims with fines if they do not pay the ransom. This tactic marks a departure from typical extortionist operations by twisting protective laws against victims to justify their illegal attacks. The group sets ransom demands between 50,000 and 200,000 euros, relatively low compared to the fines typically imposed under GDPR. It's worth noting that this tactic depends on the victim concealing the breach, which could lead to even heftier fines if this comes to light later on.
Wrapping up a loose end from earlier this week,
whatever caused the UK's National Air Traffic management system's problems earlier this week,
the BBC reports that the government's preliminary investigation has effectively ruled out a cyber attack.
And finally, Russian propaganda in the active theater has taken a tactical turn,
apparently aimed at undermining Ukrainian morale while simultaneously shoring up Russian domestic resolve.
The Institute for the Study of War confirms five themes the Ukrainian Main Military Intelligence Directorate is pursuing.
First, Ukraine is conducting mass mobilization regardless of age, gender, or health.
The West is losing faith in Ukraine.
The Ukrainian counteroffensive is
failing. The Ukrainian government is utterly corrupt. And Russia has improved standards of
living in the territories it's occupied. That high standard of living in the occupied territories is
so high they even have indoor toilets, which is why the occupying troops have been stealing those and sending them home.
There are some things it's impossible to resist, after all.
The standard of living is so high in the newly annexed territories that they've got stuff they can only dream of back in small-town Lokomotivne or Magnitogorsk, like toilet bowls and other things.
And hey, if you believe these five things,
there's this bridge in Minsk.
No, wait, this is the 21st century, not the early 20th.
There's an NFT on a server in Chelyabinsk you might be interested in buying.
No, really, it's like in this blockchain and everything.
So step right up.
Coming up after the break, my conversation with Natasha Eastman from CISA, Bill Newhouse from NIST, and Troy Lange from NSA to discuss their recent joint advisory on post-quantum readiness.
Microsoft's Ann Johnson from Afternoon Cyber Tea
speaks with Cyber Threat Alliance President and CEO Michael Daniel
about the current state of cybercrime. Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365
with Black Cloak. Learn more at blackcloak.io.
For the past few years, there have been warnings coming at a steadily increasing pace that organizations,
and indeed we as a nation, need to prepare ourselves for the coming wave of quantum computing,
systems with the computational power to render modern encryption methods obsolete.
CISA, NSA, and NIST jointly published a fact sheet titled Quantum Readiness,
Migration to Post-Quantum Cryptography.
I'm joined today by experts from each of those organizations.
Natasha Eastman is chief of CISA's Post-Quantum Cryptographic Initiative.
Troy Lange is chief of encryption production and solutions at NSA.
And Bill Newhouse is a cybersecurity engineer at NIST.
Natasha, can I start with you? For you and your organization,
how would you describe the state of things? So I think we're at the beginning. From a
critical infrastructure standpoint, organizations are at a spectrum. Some, and particularly some
sectors, are well aware of this technology and where it's going, and they're thinking about
how to incorporate it into their products, into their security. And for others, this is very much
a new thing that they're just starting to learn about and starting to prepare for.
Troy, how about you? Yeah, I agree. We're very early on in the journey here. What I'm heartened
by is that the Department of Defense has clearly taken this very seriously.
They've made some investments to make sure we're getting after making sure that national
security systems are quantum resistant.
And with the issuance of National Security Memorandum No. 10 last year that compels departments
and agencies to get a plan together shows that we're early on, but we're getting a good
head start on this.
And Bill, from your perspective, where are we right now?
Well, NIST put out draft algorithms last week, the FIPS 203, FIPS 204, and FIPS 205. And that's
a culmination of seven years of cooperative work across the globe with cryptographers to identify what can be created that is quantum resistant.
And so that's a nice seven-year process.
And now we get closer to the realization of these algorithms in today's technologies.
And then when that happens, testing that makes them available to the federal government for use becomes part of the process.
So we're getting ahead of the ability to use this stuff because it's going to be complicated
to do those things and to figure out where you're using quantum vulnerable cryptography
that needs to be replaced, that offers, that if you continue to use quantum vulnerable
cryptography, you're putting data at risk, getting ahead of that curve.
So it's early days, but it's late days in some respects
on the work towards these algorithms that we're going to be moving to.
You know, both Natasha and Troy, I'm curious,
do you suppose there's a possibility that we could experience
a Sputnik moment when it comes to quantum,
where one of our adversaries would suddenly announce to the world
that their capabilities are perhaps farther ahead than we had thought that they might be?
I'll leave the speculating on our adversaries to Troy.
I think the important thing that we're thinking about here is that it's not like the minute
that a cryptanalytically relevant quantum computer appears, that all cryptography is broken
across the globe. The information and particular cryptographic implementations will still have to
be targeted. But I think what we need organizations to understand and what we are seeing is that
information is being taken today that is considered secure, possibly for use and
breaking later. So organizations have to start thinking about it earlier than a, you know,
cryptanalytically relevant quantum computer is actually here. Troy, over to you.
Yeah, I mean, there's no way to predict when the breakthrough is going to happen. And what you
kind of talked about there with the Sputnik moment, it's kind of like my worst nightmare scenario. Hopefully, we won't
find ourselves there. I don't believe that we will. But nobody can predict with any accuracy
when that day is, when it's going to be first turned on and fired up. But we have to take it
seriously because I think if you take a look at the amount of investments that's being made just
in commercial industry, there is a lot of investment and research that's going into this. In my mind, it's inevitable it's going to happen. And we need to
be prepared for that because it'll be devastating if we are not. You know, Natasha, let me switch
back to you here. For the folks in our audience who are responsible for defending their own
organizations, what would be your advice coming into this transitional period here? Any tips or words of wisdom for them?
Yeah, and I think there's two things that we focus on, right?
And the first is thinking about creating a plan, right?
What are the different parts of the organization that need to be a part of that?
There's the element of inventory.
There's the element of how you are working with your vendors. There's the development
of your IT. This is not just a team's board of organizations, but internal to an organization.
What does that team look like that's going to get your organization ready? And the second is
the foundation. How is an organization thinking about the data that they own and what data that they own is, number one, protected by cryptography today?
Number two, needs to be protected by cryptography?
And three, what is the secrecy lifetime of that data?
And so is that something in that system that protects that data?
Does that need to be upgraded or where is that priority within the organization?
Troy, how about your thoughts? Same topic there.
Yeah, so, you know, a lot of interesting parallelisms.
As I'm listening to Natasha talk about, you know, industrial control systems, we have a lot of the same challenges with weapons platforms.
You know, you put out a submarine to sea, it doesn't come into port for an oil change every 3,000 miles.
So that planning is
a critical component of what we're doing. And the first foundational part is understanding what your
overall inventory looks like. And so while we represent pretty significantly different sectors,
we have a lot of same overlap and a lot of the same issues that I think cut across all domains
is understanding what is your exposure, understanding what are those
things that you care most about. And then again, I can't emphasize this too much that starting to
plan now, you know, as we talk about driving towards a 2035 or 2034 date, that may seem like
it's a long way off. But when you think of the enormity of the inventory that's out there that
needs to be addressed, there's a lot of work to do between now and then. Natasha, I want to give you the final word here. To what degree should
security professionals have a sense of urgency when it comes to this? Yeah, I think, you know,
this has been a theme throughout the entire discussion. You know, the preparation needs
to start now. You know, the work that needs to be done is not easy,
nor is it things that can be done overnight. So, you know, security professionals really need to
think about starting their team, getting their inventory done, starting to think about how
they're working across development lines, you know, working with their vendors, and what that
timeline looks like. So, you know, when we think about urgency, is it something that we need
everyone running around with their hair on fire?
Not necessarily,
but we also need them thinking about getting this started today so that by the
time we are thinking about a cryptanalytically relevant quantum computer
coming on board, that they're ready.
Our thanks to CISA's Natasha Eastman,
NSA's Troy Lange and NIST's Bill Newhouse for joining us.
The joint fact sheet is titled Quantum Readiness, Migration to Post-Quantum Cryptography.
You can find it on CISA's website.
Do check it out.
There's an extended version of this conversation that will be dropped into your CyberWire podcast feed.
You can also find it on our website.
We hope you'll check that out as well. Microsoft's Ann Johnson is host of the Afternoon Cyber Tea podcast
right here on the Cyber Wire network.
She recently spoke with Cyber Threat Alliance
President and CEO Michael Daniel. Here's a segment from their conversation.
Today, I am joined by Michael Daniel, President and CEO of the Cyber Threat Alliance,
an organization focused on cyber intelligence sharing across the digital ecosystem.
Michael has been the President and CEO of the Alliance since early 2017. Prior to this,
he served as the U.S. Cybersecurity Coordinator under the Obama administration. Michael has
decades of leadership experience in the U.S. federal government and is a leading expert on
ransomware and the disruption of cybercrime. He is also co-chair of the U.S. Joint Ransomware
Task Force and is a leader on the World Economic
Forum Partnership Against Cybercrime.
Welcome to Afternoon Cyber Tea, Michael.
Thanks for having me.
Really happy to be here.
So the big picture, right?
You know, I think it's still a little under-known about cybercrime and people don't understand
what a big multi-trillion dollar business it is.
And it's not just some, you know, hooded figure that we like to see hacking an individual computer
by sitting in a basement in some remote part of the world.
There's actually large cybercrime organizations that have CEOs and CFOs,
and they have leadership, and they have HR people.
They have everything you could think of that a large corporation has.
What challenge does this new sophistication, this evolution from small-time crime to them actually becoming big business bring to the industry as a whole?
Yeah, and I think you're absolutely right to sort of focus on that.
People's image of the hacker is still that dude in the hoodie living in his mom's basement, and that is not what we're facing as the cybercriminal adversaries.
I think that with that sophistication, it means that they can be much harder to defend against.
They have access to a much wider array of tools. They have access to a lot more financing to
support development of tools so they can be more sophisticated when they need to be.
They don't often need to be, unfortunately. And as a result, it means that these networks are much
more challenging to tackle and they're much harder to defend against as a result. It also means that
the problem, and you said it, I mean, the problem is actually, you know, very large. You know,
obviously, exact estimates about the size of the criminal
underworld are hard to come by, but certainly the size of the cyber criminal industry, if you will,
is certainly measured with words that start with B's, right? Billions, if not into the trillions.
And so it's a huge, enormous, sprawling business. And it also means it's much harder to disrupt
because it's much
more resilient. And simply arresting one person here or there is not going to really put a dent
in cybercrime. And so as a result, it means that we're going to have to build new ways of tackling
it. I read an article this week that talked about how whilst ransomware payments were down a little bit in the year 2022, they've actually increased again in the first half of 2023.
So can we talk about the numbers?
How big of a problem?
You said ransomware and business email compromise are the biggest, but what impact is ransomware in particular having on organizations across the globe?
And what's new about it, right?
What do you think is new from a defense standpoint or a tactic standpoint from the actors?
Well, I think there's a couple of things that are new.
One is, as I was just mentioning, like the level of aggressiveness
and the willingness to sort of engage in that double and triple extortion, right? And even getting into
threatening individuals, like sending harassing texts and making harassing phone calls to
executives and executive spouses at target companies. Those tactics, they've gotten a lot,
the best word I can use for it is darker and more sort of criminal,
blatantly criminal and not sort of with this fiction that like, ah, this is kind of this
victimless crime and it's just kind of this white collar money thing. You know, they're making it
much more personal. And so that's been a big, I think that we're starting to see more and more
of that. It's a big problem because it can cause a huge amount of disruption,
both to an individual organization, but also at a societal level. If you have a major school system
that is the subject of ransomware, right, and the kids can't go to school, that has a big impact on
a community, right? Everyone in that community is affected as a parent, as a student.
It can even have effects up to the national level, as we saw with Colonial
Pipeline back in 2021.
Don't forget to subscribe to the Afternoon Cyber Tea podcast hosted by
Microsoft's Ann Johnson.
It's right here on the Cyber Wire Network. Cyber threats are evolving every second,
and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to
partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure
we're delivering the information and insights
that help keep you a step ahead
in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence
optimizes the value of your biggest investment, your people. We make you smarter about your team
while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Domo's AI and data products platform comes in. With Domo, you can channel AI and data into
innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate
your data workflows, helping you gain insights, receive alerts, and act with ease through guided
apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.