CyberWire Daily - An update on the Hive ransomware takedown. More DDoS from Killnet. Advisories from CISA, and an addition to the Known Exploited Vulnerabilities Catalog.

Episode Date: January 27, 2023

An update on the takedown of the Hive ransomware gang, plus insights from CrowdStrike's Adam Meyers. If you say you're going to unleash the Leopards, expect a noisy call from Killnet. Our guest is ExtraHop CISO Jeff Costlow talking about nation-state attackers in light of ongoing Russian military operations. CISA has released eight ICS advisories, and the agency has also added an entry to its Known Exploited Vulnerabilities Catalog. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/18

Selected reading.
Cybercriminals stung as HIVE infrastructure shut down (Europol)
U.S. Department of Justice Disrupts Hive Ransomware Variant (U.S. Department of Justice)
Director Christopher Wray's Remarks at Press Conference Announcing the Disruption of the Hive Ransomware Group (Federal Bureau of Investigation)
Taking down the Hive ransomware gang. (CyberWire)
US hacks back against Hive ransomware crew (BBC News)
Cyberattacks Target Websites of German Airports, Admin (SecurityWeek)
Delta Electronics CNCSoft ScreenEditor (CISA)
Econolite EOS (CISA)
Snap One Wattbox WB-300-IP-3 (CISA)
Sierra Wireless AirLink Router with ALEOS Software (CISA)
Mitsubishi Electric MELFA SD/SQ series and F-series Robot Controllers (CISA)
Rockwell Automation products using GoAhead Web Server (CISA)
Landis+Gyr E850 (CISA)
Mitsubishi Electric MELSEC iQ-F, iQ-R Series (CISA)
CISA Has Added One Known Exploited Vulnerability to Catalog (CISA)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. An update on the takedown of the Hive ransomware gang, plus insights from CrowdStrike's Adam Meyers. If you say you're going to unleash the Leopards, expect a noisy call from Killnet. Our guest is ExtraHop CISO Jeff Costlow, talking about nation-state actors in light of ongoing Russian military operations.
Starting point is 00:02:20 CISA has released eight ICS advisories, and the agency has also added an entry to its known exploited vulnerabilities catalog. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, January 27th, 2023. We begin, as we said we would yesterday, with the story of the international operation that took down the Hive ransomware gang's infrastructure. The U.S. Department of Justice has announced that a joint U.S. and European operation has taken down the notorious ransomware gang. Thursday morning, Hive's site was replaced with a notice stating, The Federal Bureau of Investigation seized this site as part of coordinated law enforcement action taken against Hive Ransomware. The European participants were, in addition to Europol, police in the Netherlands and Germany. The action was called Operation Dawnbreaker.
Starting point is 00:03:38 The U.S. Department of Justice characterizes Hive as a ransomware-as-a-service operation that made heavy use of double extortion in its crimes. Hive was also notorious in its target selection, hitting, among other victims, hospitals and schools. Its attacks against hospitals, in some cases, disrupted delivery of care. The FBI has been quietly at work against the gang since last summer, infiltrating Hive, taking decryption keys and enabling Hive's victims to avoid paying the ransom the gang demanded. FBI Director Christopher Wray said at a press conference yesterday, last July, FBI Tampa gained clandestine
Starting point is 00:04:18 persistent access to Hive's control panel. Since then, for the past seven months, we've been able to exploit that access to help victims while keeping Hive in the dark, using that access to identify Hive's victims and offer over 1,300 victims around the world keys to decrypt their infected networks, preventing at least $130 million in ransom payments, cutting off the gas that was fueling Hive's fire. Reuters quotes Deputy U.S. Attorney General Lisa Monaco as saying, using lawful means, we hacked the hackers. We turned the tables on Hive. No arrests were announced, the Wall Street Journal notices. Director Wray said at his press conference, however, that Operation Dawnbreaker continues and is moving on to its next phase.
Starting point is 00:05:09 Any arrests would presumably come in that subsequent phase, but most, if not all, of the perpetrators are in Russia and so may be effectively out of reach. Tom Kellermann, Senior VP of Cyber Strategy at Contrast Security, yesterday emailed comments on what it would take to bring ransomware under control, stating, the real challenge lies in the protection racket that exists between cybercrime cartels and the Russian regime, which endows them with untouchable status from Western law enforcement. We must recognize that the majority of the
Starting point is 00:05:42 proceeds from ransomware allow for Russia to offset economic sanctions. We might also mention the gang's usefulness to Moscow as privateers and auxiliaries. So it will probably be difficult to collar the Hive's worker bees, unless, of course, they should flee mobilization and land in a place with an effective extradition treaty, or, say, choose a foreign vacation spot unwisely. Where's a bad guy to go nowadays? Azerbaijan, perhaps, or Cuba, if you can get there. Chad might be a possibility, but like Cuba, it's not really walkable.
Starting point is 00:06:20 Later in the show, we'll hear from Adam Meyers from CrowdStrike for his take on the takedown, so be sure to stick around for that. Turning briefly to the cyber phase of Russia's war against Ukraine, a Russian patriotic and criminal hacktivist group has conducted more DDoS attacks against targets in Germany, SecurityWeek reports. Germany's BSI security organization said the attacks hit, in order of priority, airports, the financial sector, and federal and state administrations. The BSI attributed the attacks to Killnet, the hacktivist group that's functioned as an auxiliary to Russian security and intelligence services. The agency found the attribution difficult, given Killnet's practice of broadcasting a call-to-hack that invites like-minded people to join in, but concluded that the attacks were indeed the work of Killnet. As has generally been the case with earlier operations by the DDoS specialists, Killnet's attacks were quickly contained, produced minimal disruption, and
Starting point is 00:07:24 amounted to little more than a nuisance. The cyber attacks appear to have continued Russia's policy of punishing Germany for its decision to deliver Leopard 2 tanks to Ukraine. We conclude with some advisories from the U.S. Cybersecurity and Infrastructure Security Agency. CISA released eight industrial control system advisories yesterday. CISA also added CVE-2017-11357 to its Known Exploited Vulnerabilities Catalog. Federal civilian executive branch agencies have until February 16th to check their systems and apply updates per vendor instructions. So feds, get patching.
Starting point is 00:08:07 One last note before we go. This has been Data Privacy Week, and it all wraps up with this Sunday as Data Privacy Day. We'll be publishing a full set of advice and reflections from industry experts this afternoon. Keep an eye on the cyberwire.com, and greetings to all of you on the occasion. May what should be private stay private.
Starting point is 00:08:28 And be careful out there. Coming up after the break, CrowdStrike's Adam Meyers has insights on the Hive ransomware gang takedown. Our guest is ExtraHop CISO Jeff Costlow with insights on nation-state attackers in light of the ongoing Russian military operations. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:09:24 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:10:24 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. The war that Russia is waging against Ukraine drags on, and that leaves many wondering what the long-term impacts may be for
Starting point is 00:11:05 the global cybersecurity landscape. Jeff Costlow is Chief Information Security Officer at ExtraHop, and I spoke with him about the outlook for security professionals this year. We find ourselves in a shifting political landscape with all these actors. If you were previously aligned with Eastern Bloc countries, however you're working on that, things have changed a little bit. Power dynamics have definitely changed, and you might be, like, just even as a citizen, right? I feel like a lot of the attacks right now are coming from groups, cyber groups, who are getting together just to try and take over things or cause nuisance to other countries that they're not necessarily aligned with, maybe to create a little bit
Starting point is 00:11:52 of favor. A lot of these groups are out there just conducting cyber attacks, somewhat of a nuisance. And I expect in 2023 that these will ramp up a little bit. If you need to curry favor with a new geopolitical ally out there, what can you do? You can do some in the old times they called it privateering, where you would actually go off and you were under the blessings of a state, but not necessarily noticed anywhere. And I feel like that's a lot of what's
Starting point is 00:12:24 happening right now is small groups under the auspices of, well, as long as we do it against other countries, it's going to be okay and we're not going to get prosecuted for it and we'll see what happens. And I think those actors are getting a lot more sophisticated because they have had the opportunity to have some free rein in some of these countries.
Starting point is 00:12:44 And that's where I suspect that some of these attacks will ramp up and some ransomware groups or groups who are just dedicated to committing nuisances are going to get better and better as their tools evolve. And that's a natural thing, that their tools will evolve and get better. That's where we find ourselves early this calendar year, I think. Are there things that you and your colleagues there at ExtraHop are tracking specifically? Are you seeing any shifts with the various data that you all keep tabs on? We've noticed a few upticks shortly after the attack, like most other people.
Starting point is 00:13:21 Shortly after the physical attack started, we've noticed a bit of things, but essentially what we're seeing is a lot of work towards again, sort of nuisance attacks and some of these low-level attacks that are constantly there. They're just
Starting point is 00:13:39 ramping up a little bit, and they do seem to be coming from different areas. It's hard to distinguish some of the dedicated attacks and prototype attacks. These groups are getting better at it, trying to figure out what and how they're going to do or how they're going to conduct future attacks. And so you see some of these things and it's a little hard to tangle what
Starting point is 00:14:00 is the beginning of attack and what is a real attack given the resources that some of these groups have. Are we seeing that any of these groups are distracted by what's going on between Russia and Ukraine? In other words, perhaps they don't have the bandwidth for their criminal activity because they're taking care of things for their homeland. I think that's exactly it.
Starting point is 00:14:26 I think that, again, to curry some favor or to say that, you know, I want to align with this particular geopolitical ally, and therefore I will direct my resources towards whoever the enemy du jour is today to curry a little bit of political favor. And I think that those attacks and campaigns are being waged in different areas. It's a little hard to tell where exactly those are aimed from moment to moment as the alliances shift and as things kind of settle out. I think we might see more sophisticated actors dedicating their attacks in certain areas. For folks who have the responsibility of defending their own
Starting point is 00:15:11 organizations, do you have any tips or words of wisdom for how they should be fine-tuning their own defenses given this reality? There is a lot of low-hanging fruit out there. I believe that many of these attacks will be coming from dedicated resources. And if you think about, if my job is to be a nuisance or just disruption, not necessarily even to make any money, but if my goal is disruption, the enemies of my new allies,
Starting point is 00:15:42 there's a lot of things you can do. And there's a lot of older infrastructure. This is one of the things that we see all the time is old legacy infrastructure gets attacked. And if it hasn't been patched in a while and it's not up to date, as are many, an example might be, you know, transportation.
Starting point is 00:16:02 If you could disrupt the trucking industry in a certain country or the shipping industry or the train or the rails or something like that. And many of those systems run on legacy systems. If you can disrupt that, you can do an awful lot of damage really quickly. And that's the goal of some of these actors. And so my advice to any sort of defender is modernize as much as you can. Get off some of the old legacy equipment.
Starting point is 00:16:29 We've seen an awful lot of legacy protocols out there that should have been discontinued years ago. Telnet or SMBv1 being used across the internet and things like that. These are just too easy to disrupt and attack and take over. And I expect as these groups get better and better, they will be targeting some of these legacy protocols with some attacks that have been known for quite some time. And these could have a large consequence on anybody who hasn't modernized their infrastructure. That's Jeff Costlow from ExtraHop. There's a lot more to this conversation.
Starting point is 00:17:15 If you want to hear more, head on over to the CyberWire Pro and sign up for Interview Selects where you'll get access to this and many more extended interviews. Continuing our coverage of the FBI's takedown of the Hive ransomware group, earlier today I spoke with Adam Meyers, head of intelligence at CrowdStrike, for his insights on the operation. Well, I think ultimately it's good when we see an adversary get disrupted,
Starting point is 00:18:07 but one of the things that we have to be careful of with this is that while it is a setback, they will still continue to probably operate. There are no arrests or anything like that, so they'll probably figure out a way to get back up and running in a relatively short order. Can you give us some of the background here on this particular group, the things that you and your colleagues there at CrowdStrike have been tracking? Absolutely.
Starting point is 00:18:32 So we've been tracking them since mid-2021, and they are known for hosting something that we call a dedicated leak site. And what that means is that they are doing data extortion and they'll steal sensitive information from a target and they will threaten to release it if they don't get paid. And when that ultimately happens, that is kind of how they generate their money. But they also are obviously tied to ransomware as well.
Starting point is 00:19:08 There's a notorious ransomware known as Hive Ransomware, which is used to encrypt files. So it's a kind of combination of both the encryption of the files and then the extortion of the data, the weaponization of the data. When you look at the information that the FBI, the DOJ, the Secret Service, and some partners, friends in Europe, have published about this, there's some interesting aspects here that it seems to me like FBI had access to some behind-the-scenes stuff with Hive for quite some months now.
Starting point is 00:19:47 Yeah, it seems that there were some servers that were being hosted here in the U.S. that the FBI was able to get access to. And in addition to monitoring the threat actor, they were able to even recover some of the cryptographic keys reportedly. From your perspective, is it surprising that Hive wasn't on to that, that the FBI could have been in there doing their things and from what we see here, doing so undetected? Well, I mean, it is a lot of work to maintain the infrastructure and to have enterprises have security operation centers
Starting point is 00:20:25 and they have IT security personnel that are just focused on protecting the enterprise. An organization like Hive doesn't necessarily have those resources. They are more operating in offensive mode, so it's entirely likely and certainly it is evidenced by what happened yesterday, that they weren't paying attention to that. And one thing to think about with Hive is that this is what we call
Starting point is 00:20:53 a ransomware as a service. And so they are operating the backend platform, and then they have a number of affiliates that will use that platform to conduct their ransomware activity. By affiliate, I mean somebody that is going to, they decide they want to be engaged in ransomware. So they seek out groups like Hive.
Starting point is 00:21:14 They get access to the platform, which gives them the ransomware tool, and in many cases, the data leak site, which is run by Hive. And in some cases, also these ransomware as a services also run the negotiation portal for the negotiating with the victim. And these affiliates, for the privilege to use the platform, they typically pay 15% to 20% on the ransom demands to the Hive group. So they kind of get a piece of each ransom that runs through their platform. And they also have to pay a fee, kind of like a platform fee to even have access to the platform.
Starting point is 00:21:57 How big a player is Hive here? When you look at the global ransomware market, where do they sit? They, you know? It oscillates. We have quite a bit of coverage in our one thing that we call the e-crime index, but also we have intelligence reporting that shows the changes week over week for our customers. And so Hive, and this varies from week to week, obviously, but I can tell you that in the most recent week that Hive didn't really play as big of a role
Starting point is 00:22:38 as some of the other ones. LockBit, ALPHV, or Alpha, as we call it, also known as BlackCat, and Royal were some of the ones that were way more active in the last week. And this changes week over week. Sometimes these affiliates will move between different platforms, different ransomware as a service platforms. So it's kind of tracking the platform is part of what we do, but also tracking those affiliates and which platforms they're using is also important.
Starting point is 00:23:10 To what degree do you think that this affects that global ransomware market? Are some of the other ransomware-as-a-service providers looking over their shoulders a little more intently now? I imagine that they're probably doing some hard thinking. One, about hosting any infrastructure in the United States, because that clearly probably was a factor here. But also looking at how can they better secure their platforms and their systems. But I think also they're more focused on generating revenue. Something like this may be a setback,
Starting point is 00:23:46 but it's not necessarily fatal. As I said earlier, if there were no arrests, then they're still out there, they're still operating, and they'll rebrand and they'll figure out a way to get past this. I think a lot of their affiliates, as long as it didn't impact their ability to make money, probably don't care that much. Adam Meyers is head of intelligence at CrowdStrike.
Starting point is 00:24:09 Adam, thanks so much for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Roya Gordon from Nozomi Networks. We're discussing vulnerabilities in BMC firmware that affect IoT and OT device security. That's Research Saturday. Check it out. The Cyber Wire podcast is a production of N2K Networks, proudly produced
Starting point is 00:25:38 in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Trey Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Millie Lardi, Gina Johnson, Bennett Moe, Catherine Murphy, Janine Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
