CyberWire Daily - BlackByte’s back, as BlackByte 2.0. Iranian cyber ops against Israel. Wipers and cyberespionage as tools in Russia’s hybrid war. Cyber war clauses coming to cyber insurance policies.
Episode Date: August 18, 2022
BlackByte is back. Iran suspected of cyber operations against four Israeli sectors. A look at wipers as a tool in hybrid war. A Russian cyber ops scorecard. Josh Ray from Accenture on how dark web actors are focusing on VPNs. Our guest is Corey Nachreiner from WatchGuard with findings of their latest Internet Security Report. Cyber war clauses coming to cyber insurance policies. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/159
Selected reading.
BlackByte ransomware gang is back with new extortion tactics (BleepingComputer)
Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors | Mandiant (Mandiant)
Russia-Ukraine cyberwar creates new malware threats (VentureBeat)
Global Threat Landscape Report: A Semiannual Report by FortiGuard Labs (Fortinet)
Overview of the Cyber Weapons Used in the Ukraine - Russia War (Trustwave SpiderLabs)
Lloyd’s sets requirements for state-backed cyber attack exclusions (Insurance Day)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
BlackByte is back. Iran is suspected of cyber operations against four Israeli sectors. A look at wipers as a tool in hybrid war. A Russian cyber ops scorecard. Josh Ray from Accenture on how dark web actors are focusing on VPNs. Our guest is Corey Nachreiner from WatchGuard with findings from their latest Internet Security Report. And cyber war clauses are coming to cyber insurance policies.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, August 18th, 2022.
BleepingComputer reports that BlackByte ransomware has reappeared and represents an enhanced double extortion threat to personal data. The gang has launched a new data dump site with a focus on individual victims. BleepingComputer writes, the data leak site only includes one victim at this time, but now has new extortion strategies that allow victims to pay to extend the publishing of their data by 24 hours for $5,000, download the data for $200,000, or destroy all the data at $300,000. These prices will likely change depending on the size and revenue of the victim.
BlackByte hasn't been without problems of its own. In its earlier version, the gang's code had flaws that permitted white-hat researchers to develop and distribute a free decryptor. BlackByte closed that particular hole, and it's unknown whether they're using that improved cryptor in BlackByte 2.0. This time around, payment seems to be a problem. The Bitcoin and Monero addresses offered for victims to submit payment aren't correctly embedded, which, for now at least, will impede collection of ransom. BlackByte, by the way, cynically refers to its victims as customers.
Mandiant reports that UNC3890, a cluster of activity targeting Israeli shipping, government, energy, and healthcare organizations via social engineering lures and a potential watering hole, is playing a role in the low-level naval conflict currently observed between Iran and Israel. The attribution of UNC3890 to Iran is in part circumstantial, but Mandiant applies that attribution with moderate confidence. The evidence falls into four categories. Linguistic: UNC3890 developers use Farsi words in their strings. Targeting: there's a focus on Israeli targets, which is consistent with Iranian interests. The program database, or PDB, path: this is the same as has been observed in activity by UNC2448, which is attributed to the Islamic Revolutionary Guard Corps. And the C2 framework: UNC3890 uses the NorthStar C2 framework, which has been an Iranian favorite.
The threat actor's initial approach has typically been via social engineering. Its interests seem so far to have involved intelligence collection, but this could be used in subsequent operations that go beyond espionage. Mandiant says, while we believe this actor is focused on intelligence collection, the collected data may be leveraged to support various activities, from hack and leak to enabling kinetic warfare attacks like those that have plagued the shipping industry in recent years.
VentureBeat yesterday summarized expert opinion on the way in which wipers, in particular, have emerged as a disturbing class of malware during Russia's war against Ukraine. One of their sources, Fortinet's Global Threat Landscape Report for the first half of 2022, explained how this had come to be, describing wiper attacks as a distinctive feature of Russian hybrid warfare. The researchers write, security researchers believe, but have not always been able to attribute with confidence, that groups aligned with Russian military goals were behind many of the wiper attacks in Ukraine during the first half of 2022. The wiper attacks were not as discriminating as one would wish a proper weapon to be. Their effects spilled over into countries other than Ukraine, the intended target. AcidRain was particularly unconstrained. Wipers have been seen before, and Fortinet says that security teams can expect to see them again, writing, the attacks in Ukraine have shown how this malware can be used to degrade and disrupt critical infrastructure capabilities and services to support broader kinetic warfare goals. But that is not the only threat. Shamoon showed how wipers can be used as weapons of cyber sabotage, and other variants, such as NotPetya and GermanWiper from 2017, showed how adversaries can use wipers as fake ransomware to try and extort money from victims.
Trustwave's SpiderLabs this morning offered an overview of Russian offensive cyber operations so far in the war against Ukraine. They associate distinct threat actors with the three principal Russian security and intelligence organizations: the SVR, the Foreign Intelligence Service, and the FSB, the Security Service, both daughter organizations of the old Soviet KGB, and the GRU, the Military Intelligence Service. The associations the researchers track are as follows. APT28, also known as Cozy Bear or the Dukes, which has ties to the Russian Foreign Intelligence Service, the SVR. APT29, also known as Fancy Bear or Sofacy, was traced to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, which is former GRU Unit 26165. Sandworm, also known as BlackEnergy, was tied to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, the GRU, Unit 74455. Dragonfly, also known as Energetic or Crouching Yeti, was identified as the Russian Federal Security Service, the FSB, Unit 71330. Gamaredon, also known as Primitive Bear or Armageddon, traced to the Russian Federal Security Service, the FSB. In November 2021, the Security Service of Ukraine successfully identified individuals behind Gamaredon, confirming their ties with FSB.
The study divides Russian cyber operations into two broad categories, distinguished by their objectives. Some aim at destruction, while others aim at collection or espionage. The destructive attacks began as hostilities opened on February 24, 2022 and continued into early April. Cyber espionage began to intensify about a week into the war and has continued through the present. Interestingly, some of the cyber espionage has been conducted by privateers, criminal gangs operating in the interest of the Russian state. SpiderLabs says, without a doubt, sophisticated cyber weapons are key tools in the arsenal of a modern military, and the amount of global cyber warfare will likely increase in the future.
And finally, Insurance Day reports that Lloyd's Market Association has mandated that all cyber insurance policies must, by March 31st of next year, contain an explicit clause excluding liability for losses arising from state-backed cyber attacks. That clause would be in addition to the typical war clauses that have long excluded coverage of losses caused by action in a conventional war. The requirement for an explicit exclusion of liability for state cyber action seems to recognize the growing risk of gray zone conflict. Insurance Day quotes Lloyd's as explaining, it is important that Lloyd's can have confidence that syndicates are managing their exposures to liabilities arising from war and state-backed cyber attacks. Robust wordings also provide the parties with clarity of cover, means that risks can be properly priced and reduces the risk of dispute. The ability of hostile actors to easily disseminate an attack, the ability for harmful code to spread, and the critical dependency that societies have on their IT infrastructure, including to operate physical assets, means that losses have the potential to greatly exceed what the insurance market is able to absorb.
Read and heed, customers. As Mr. Tom Waits would say, the large print giveth and the small print taketh away.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Corey Nachreiner is Chief Technology Officer at network security and intelligence firm WatchGuard. They recently released their Q1 2022 Internet Security Report, and Corey Nachreiner joins us with the details.
Ransomware, I think everyone's sick of hearing it. I'm certainly sick of having to talk about it. We all probably know what ransomware is at this point. But what has been happening over the past three years is, when ransomware started, it was a high-volume attack where threat actors were kind of ubiquitously spamming it to everyone. They didn't care if it was a grandma in Kansas, the executive of Coca-Cola, or whoever. They just spammed it in high volume, hoping people would fall for it. And if they could infect even 0.01% of the folks they spammed, that would be a way of them making ransom. And because they were spamming everyone, they would only ask for, I say only, it's still horrible, they'd ask for about $500 worth of cryptocurrency.
But what happened over the past seven years is we've gotten pretty good at catching the basic ransomware as an industry, and people are more aware of it. So nowadays, ransomware has gone to what I call big game ransomware, where rather than just ubiquitously spamming it out, the bad guys kind of will find a certain type of target, a type of organization that really has a high real-time need for their data. So healthcare: if you don't have patient records, you can't do surgery. Manufacturing: if you can lock up the human interface devices that deal with the manufacturing network, you stop the manufacturing line. Government, and even service providers that have a lot of customers. They would target them, and they would do more manual, sophisticated attacks to breach their network. And instead of just installing ransomware on one victim, once they broke into the network, they would spend time to position the ransomware everywhere and synchronize, turn it on all at once. And so that's why it's called big game. They're going after certain big companies. And when they infect you, it infects most of your computers, as many as they could get to in their earlier infiltration of your network. And that really locks up those organizations. And it's turned ransomware into the situation where you hear about these big companies getting hit, and they're getting ransoms of $5 to $15 million.
So the reason I say all that is, in previous reports, ransomware has been going down. In every report before Q1, you know, throughout 2020, our ransomware stats have been lowering quite a bit. In fact, drastically, because we think the high-volume ransomware has not been as successful for them, and they've moved to big game. But that is what changed in Q1. For the first time in quite a while, ransomware rose significantly. In fact, just in the first quarter of 2022, we've already seen 80% of the ransomware that we saw for the entire year of 2021. So the takeaway is ransomware is definitely picking up. We believe this is probably due to a few things, but one of them is just perhaps they're starting to go back to that ubiquitous spammed target. So this is likely not the big game. This is them spamming it out again.
Was there anything in the report that you found particularly surprising or unexpected?
I would say the ransomware definitely comes up. It's not surprising. That's one of the biggest things. I will say something I'm not surprised about, but I wasn't looking for it in this report, was the return of Emotet. I don't know if your listeners have heard of Emotet, but Emotet is a well-known botnet. Of course, a botnet is a piece of malware that bad guys try to infect a ton of computers with, and then control all of those computers together through a command and control channel. Emotet, just about a year ago, the main group behind Emotet had their botnet taken down by the authorities globally. I think it was the US FBI and many others took down Emotet's infrastructure. And while that was fantastic, we were very happy about that, and that lowered Emotet for a while. We did release a blog post a month after, which is why this doesn't completely surprise me, that, hey, fantastic that they took down this botnet, but don't think Emotet is gone. And the reason we say this is botnets tend to trade on the underground. Sometimes botnets have been evolving over years. Sometimes source code of certain botnets has leaked, and those turn into slightly new variants of botnets that share source. Even when a group like Emotet doesn't sell the source of their botnet, they often will actually sell the binaries and the platform for other attackers. So in our blog post about a year ago, we warned that, hey, it's great that they did this takedown, but at some point another group is going to form, or maybe the ones that weren't caught will reform, and you should expect it to return, but with slightly different variants. So while the return wasn't entirely surprising, I didn't expect it in Q1 that we actually saw Emotet all over our report again.
So Emotet has definitely returned. We have a number of different top 10 lists, some based purely on volume, some based on how many different customers the malware touches, which we call widespread. And Emotet was on those lists three different times. And each one was a slightly different variant. So just for your listeners, when we say Emotet's returning, it could be three different groups with slightly different adjusted variants of Emotet. But the main takeaway is Emotet is back, kind of as we expected a year ago. We love that the authorities, when they do take down these command and control channels, they often will catch and arrest some of the group members too. That's a fantastic thing, but you should never expect the bot to go away just because of that.
So what's the takeaway here? Well, the takeaway is to use more proactive malware detection. Obviously, WatchGuard has products I could talk about that have this, but there's others out there. But besides signatures, now there's more proactive detections. There's things like machine learning that has new ways to more proactively, even without a researcher, tell that a brand new piece of malware is actually malware based on lots of big data indicators that it's seen in previous infections. There's behavioral analysis, which is very hard for evasive malware to get past, because malware can change the way it looks on a binary level, but it can't change what it does in order to do its bad stuff. So behavioral analysis is where we literally run it in a safe sandbox environment and look for the bad behaviors to catch it. So make sure you're using some sort of anti-malware protection, whether it's network or endpoint based, that has those more proactive detection techniques. And the final thing there is also EDR. In a lot of endpoint solutions, which a lot of people call AV, but nowadays it's endpoint protection and endpoint detection and response, EDR is that endpoint detection and response. Besides just trying to prevent the malware from reaching the endpoint, endpoint detection and response will actually pay attention to things that are happening on your computer as they happen. So if malware does start to run and maybe is trying to use malicious PowerShell or something like that to do something bad, EDR can quickly stop that from happening. So definitely look at anti-malware solutions that have proactive detection, and consider EDR, endpoint detection and response, which comes with a lot of endpoint protection suites out there nowadays, including WatchGuard.
That's Corey Nachreiner from WatchGuard.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And joining me once again is Josh Ray.
He is the Managing Director and Global Cyber Defense Lead at Accenture.
Josh, always great to welcome you back.
Dave, thanks so much for having me.
You and your colleagues have been looking at some activity on the dark web
and some particular things that those folks are focusing on.
What can you share with us today?
Yeah, Dave, this is, I think, going to be interesting for folks across all industries, and especially those security companies that are producing VPN security products. And what we've seen is really a significant increase and kind of upward trend of targeting VPN type of vulnerabilities as the primary target. And while this is not necessarily, you know, completely new, it's a significant uptick, because really the demand for these VPN exploits has really increased. We've seen the demand increase in 2021, which has obviously just led to here in 2022, actors developing much more, many more exploits for those vulnerabilities.
Why do you suppose we're seeing, you know, VPNs and why now?
Why do they have the crosshairs on them?
Yeah, I mean, I think as folks know, you know, once you have VPN access, you're basically trusted inside the network. And I think the demand is obviously starting to drive this. And just about a month ago, I was talking to Paul Mansfield, who looks at this quite a bit. And he saw that one particular user offered up half a million dollars for a VPN exploit. And that is not insignificant money when you're talking about trying to gain access to a particular type of technology and end target.
What is your advice to folks out there who are making good use of VPNs
in terms of just making sure they're on top of this?
Well, I think obviously having visibility into this space to understand what is being targeted is first and foremost. But I was talking to one of our folks that does our adversary simulations, and he was kind of walking me through an example or a hypothetical where you come up against a particular target and maybe they have their perimeter really locked down. And then you start to kind of think about different ways, and this is how a threat actor would also think, to target a subsidiary. And again, we've talked a lot about third-party risk together, but again, it kind of brings it to light here. By targeting a subsidiary, you can then very easily piggyback on that VPN connection to the end target or the mothership. And this is a... segmentation, because even our own adversary team, when they come up against a segmented network that really has some very strong ACLs in place, it makes it really difficult for the threat to move laterally. So that would be, I think, one specific thing that I think net defenders could do to help defend against this type of threat, along with the increased visibility into what the threat actors are looking to do and the wares that they're trying to sell.
Can we just quickly address VPNs in general? I mean, I think it's one of those categories that, while folks recognize the necessity of it in many situations, because there are operators out there who aren't the best, it also, VPNs can suffer from that reputation as well.
Yeah, that's correct. I mean, you know, the product security component is obviously very important, right? But I think also when you're talking about, you know, doing kind of the care and feeding and the hygiene. But just to know that, you know, there are threat actors out there that are willing to pay top dollar now for exploits to particular types of vulnerabilities. And we've seen it again across all product suites. So no vendor is really immune from this. And they're using this as a means to target organizations across all industries. So I think it's definitely something that, you know, really warrants continued focus and attention from the net defense community.
Are there particular questions that folks should be addressing
with their VPN suppliers?
Well, first and foremost, I think, you know, that whole thing around software bill of materials, and we've talked about that, understanding kind of what their continuous, you know, patch cycles are, making sure that, you know, they've got a very close relationship with their VPN providers and asking them questions like, hey, are you looking at some of these emerging threats in the darknet? And what are you doing to help, you know, take compensation measures to defend against it?
All right.
Well, Josh Ray, thanks for joining us.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.
Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White,
Thanks for listening. We'll see you back here tomorrow.
Thank you. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.