CyberWire Daily - Blackbyte's new exfiltration tool. Hijacking student accounts for BEC. Zhora calls Russia's cyber campaigns a failure. OldGremlin ransomware is an outlier.
Episode Date: October 21, 2022
Blackbyte's new exfiltration tool. Hijacking student accounts for BEC. Zhora calls Russia's cyber campaigns a failure. Caleb Barlow explores new thinking for incident response. Our guest is Jon Hencinski of Expel, tracking the latest threat trends. OldGremlin ransomware is an outlier. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/203
Selected reading.
Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool (Symantec)
Hijacking Student Accounts to Launch BEC-Style Attacks (Avanan)
This sneaky kind of cybercrime rules them all (Washington Post)
Russia Failing to Reach Cyber War Goals, Ukrainian Official Says (MeriTalk)
EU supports cybersecurity in Ukraine with over €10 million (EU NEIGHBOURS east)
Gremlins' prey, secrets, and dirty tricks: the ransomware gang OldGremlin set new records (Group-IB)
OldGremlin hackers use Linux ransomware to attack Russian orgs (BleepingComputer)
OldGremlin, which targets Russia, debuts new Linux ransomware (Computing) It is one of the few ransomware groups in the world that prefer to target Russian organisations, but this may change, experts advise
More Russian Organizations Feeling Ransomware Pain (Bank Info Security)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
BlackByte's got a new exfiltration tool,
hijacking student accounts for BEC.
Zhora calls Russia's cyber campaigns a failure.
Caleb Barlow explores new thinking for incident response. Our guest is Jon Hencinski of Expel, tracking the latest threat trends.
And OldGremlin ransomware seems to be an outlier.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, October 21st, 2022.
Symantec warns that an affiliate of the BlackByte ransomware-as-a-service operation is using a new data exfiltration tool called Exbyte. The researchers state, the Exbyte exfiltration tool is written in Go and designed to upload stolen files to the mega.co.nz cloud storage service. On execution, Exbyte performs a series of checks for indicators that it may be running in a sandboxed environment. This is intended to make it more difficult for security researchers to analyze the malware. Symantec adds that the BlackByte operation has been steadily growing since the beginning of the year. The researchers say BlackByte is a ransomware-as-a-service operation that is run by a cybercrime group Symantec calls Hecamede. The group sprang to public attention in February 2022 when the U.S. Federal Bureau of Investigation issued an alert stating that BlackByte had been used to attack multiple entities in the U.S., including organizations in at least three critical infrastructure sectors. In recent months, BlackByte has become one of the most frequently used payloads in ransomware attacks. The researchers conclude that BlackByte is filling a gap left by the dissolution of other major ransomware offerings, and the fact that actors are now creating custom tools for use in BlackByte attacks suggests that it may be on the way to becoming one of the dominant ransomware threats.
Researchers at Avanan have observed a rise in attacks that compromise legitimate college student accounts in order to carry out business email compromise attacks. The report says, in this case, this same compromised account sent out numerous messages to a variety of organizations. The university, based in Arizona, is not an Avanan customer, and it's not clear how the compromise began. Regardless, this represents an effective tactic by hackers. Compromising a student account can be done quite efficiently. From there, leveraging the legitimacy of that email account, it's easy to send out multiple of the same messages to a variety of targets. That makes this an effective way for hackers to send out a wide spectrum of messages with just one compromise. The phish bait in this case is plausible and innocent-looking enough, with none of the more unusual appeals to fear and greed. No, the Martians have landed and the man is out to get you. No, your secret to millions in the go-go cannabis market. Not even, I'm your grandson and I've just been arrested by aliens by the Lynchburg Police Department. None of that stuff. It's the kind of dullsville routine appeal we're accustomed to following. The phishing emails sent from the accounts appear to be support messages informing the user that several emails are being held for review. The user is directed to click a link in order to view the blocked emails. And while they may be dull enough to lull the mark into a false sense of compliant complacency, Avanan notes that there are still red flags in the emails for those who have eyes to see them. The tells include things like the destination the URL would take you to, and of course, the fact that a university email is unlikely to be used to send out this kind of support message.
Ukrainian cybersecurity leader Victor Zhora,
formerly Deputy Chairman and Chief Digital Transformation Officer at the State Service of Special Communication and Information Protection, characterized Russia's efforts to achieve strategic results in cyberspace as a failure. Significantly, in MeriTalk's account of remarks Zhora delivered this week at Mandiant's Worldwide Information Security Exchange in Washington, the cyber war has been waged more or less continuously since Russia's invasion and occupation of Crimea in 2014. He credits preparation and lessons learned from eight years of cyber conflict with Ukraine's successful defense, stating, we worked on strengthening our capacities to counter these attacks. We were much more prepared in the beginning of 2022 instead of 2014. We took a lot of lessons from cyber aggression for the last eight years. That is one of the reasons why the adversary hasn't reached its strategic goals in the cyber war against Ukraine. He also credited support from and collaboration with friendly international partners with playing an important part in Ukraine's success. That support seems likely to continue. Not only has Ukraine formed many enduring partnerships with friendly foreign agencies, but financial support also continues.
A report by Group-IB indicates that OldGremlin ransomware remains an outlier.
It's a rare Russophone gang that hits Russian targets along with other victims.
BleepingComputer quotes Group-IB's Ivan Pisarev as saying,
OldGremlin has debunked the myth that ransomware groups are indifferent to Russian companies.
According to our data, the gang's track record includes almost 20 attacks with multi-million ransom demands,
with large companies becoming their preferred targets more often.
Active since March of 2020 and also known as TinyScouts,
OldGremlin has recently deployed a Linux variant of its ransomware.
Why it's willing to hit the Russian targets other ransomware gangs normally exclude is unclear.
It may have an arrangement with the Russian official organs.
Those organs may be losing their grip.
Or OldGremlin may simply be rolling the dice in the hope of big paydays.
Or, and this is good to bear in mind, Russian-speaking doesn't necessarily mean Russian. There's a Russian diaspora, after all,
and there are plenty of non-Russians who speak the language. We hear from Mr. Putin, for example,
that all those Ukrainian guys are really just Russians. Sure, HIMARS and President Zelensky say otherwise, but when it comes to cybercrime, well, there ain't no disputing that old Vlad Putin.
After the break, Caleb Barlow explores new thinking for incident response.
Our guest is Jon Hencinski of Expel, tracking the latest threat trends. Stay with us.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility
is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this,
more than 8,000 companies
like Atlassian and Quora
have continuous visibility
into their controls with Vanta.
Here's the gist.
Vanta brings automation
to evidence collection across 30
frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access
reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from BlackCloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. Learn more at blackcloak.io.
Jon Hencinski is Vice President of Security Operations at security firm Expel. They recently released their quarterly threat report, and I checked in with Jon Hencinski for the highlights.
I think the biggest call-out is identity is the new endpoint. One of the biggest
takeaways from our report is identity-based attacks, and what I mean by that is
credential theft, credential abuse, or even compromise like long-term access keys
accounted for 56% of all incidents identified by our SOC. So things like business email compromise are a really, really
big threat. And also access into business applications, specifically application data,
accounted for 51% of all incidents. The bottom line here is identity is the new endpoint,
and effective detection and response strategy is more than endpoint detection and response.
And what sort of techniques are you seeing the bad actors use here? Yeah, one thing to call out is, you know, we're starting to see
this concept of MFA fatigue attacks come to light more and more. Like this was mentioned
in the details about the Uber incident where, you know, attacker just submitted MFA push requests
to a victim to gain initial access. So one of the interesting data points that we saw in a report was 14% of identity attacks against cloud identity providers
satisfied the multi-factor authentication requirement by continuously sending push
notifications. So to break that down a little bit, an attacker is able to compromise a username and
password combination, but to get past that second factor, push notifications, they're just
continuously sending those MFA push requests until they get accepted by the victim.
And what are your recommendations for that? I mean, is a hardware key the answer or user education? What do you recommend? FIDO factors provide the best protection. But if FIDO-only factors for MFA are unrealistic
for your organization, what we typically recommend is disable email, SMS, voice,
and time-based one-time passwords. Instead, opt for push notifications.
But with a little bit of caveat there, the one thing that you're definitely going to want to do
is consider limiting push notifications to one per minute to reduce the likelihood of brute forcing.
But then what you're also going to likely want to do is configure MFA or identity provider
policies to restrict access to managed devices only as an added layer of security.
So if FIDO factors are unrealistic, opt for push notifications, but set it up and configure
it in a way where it's not susceptible to brute forcing, and then only managed devices
can be added
as an additional security layer.
And what about the human side of this?
I mean, I'm thinking of that employee
who's just getting peppered with those requests
and eventually in exasperation,
just hands it over to make it stop.
Yeah, it's a really interesting point
because when you think about it,
it's like when I'm continuously sending a target, those push notifications, they're going to do one of two things.
Hit yes to make it go away or continue to hit no.
I think the biggest call out here is just there's probably a component of employee education and awareness training.
But again, I kind of default back to the software and configuration that we can do to make these things not susceptible.
That's why I called out, if you can look at your identity provider and limit the amount of notifications or push notifications they can receive within a given timeframe, maybe that's
one way to reduce the likelihood here as well. The other thing that these identity providers can do
is also make it easier to report, hey, we're seeing some fraud here. I'm going to report this.
So one of the things that we see in our data is sometimes if a victim or target feels as though
they're being targeted, identity providers like Duo make it really easy to say, hey, this is
suspicious and report it. And so the next thing you're going to want to consider is when an
employee reports suspicious push notification activity, what does the response process look
like? Is IT following up? Do you have a SOC or
a security operations center that knows how to reach out to contact or do a quick investigation
to make sure that nothing's amiss? And I suppose making it so that those reports from employees
can be as frictionless as possible. Absolutely. Absolutely. Make it easy to report, but also
follow up with the employee. Hey, we saw some interesting, weird activity. You reported
something suspicious here.
Is everything okay here?
And then there can be some additional investigation.
But bottom line, you're right.
Make it easy to report,
but also thinking about,
for the mobile developers
behind these identity providers,
really good UI UX to make it obvious
and easy to report that suspicious activity
is going to be key.
Was there anything in this version of the
report that was unexpected or surprising for you? There's one really good call out on the ransomware
side of the house. When we're talking about identity-based attacks, we're dealing a lot with
cloud identity providers and applications like Microsoft 365. One of the interesting data points
that we found was that ransomware threat groups and their affiliates all but abandoned the use of Visual Basic for Applications macros and Excel 4.0 macros to gain initial access, which had accounted for about 55% of all pre-ransomware incidents.
In Q2, what we found was that number fell to 9%, a decrease of 46 percentage points. Now,
the reason we think that happened in terms of what was the cause, what was the reason behind
that shift is, well, we believe that that change is likely in response to Microsoft's announcement
that they would block macros by default in Microsoft applications. So really, Microsoft made a big announcement, we're going to stop, we're going to
make it harder, we're going to stop this particular attack vector. What we saw is those ransomware
threat groups and affiliates acknowledge that and start shifting their focus and efforts using
different techniques for initial access. So based on the information that you all have gathered here,
what are your recommendations
for folks to better protect themselves? Yeah, I think a couple of things. Multi-factor
authentication, if you're not doing it, we're MFA everywhere. And if you can't,
if FIDO factors are unrealistic, push notifications with the right configuration are key.
If you're really worried about ransomware attacks, what our data shows is attackers are shifting from using
macros for initial access and are instead opting to use things like disk image files, shortcut (LNK)
files, and HTML Application (HTA) files to gain initial entry at a super high level without going
too much into the weeds. Think about the self-installation attack surface within your
environment, particularly on the Windows operating system. Think about zipped executables and things that can just be double-clicked by your employees.
And then think about the preventive controls and the detection controls that you have in place.
And also, there's employee awareness and education as well.
That's Jon Hencinski from Expel. There's a lot more to this conversation.
If you want to hear more, head on over to the CyberWire Pro
and sign up for Interview Selects,
where you'll get access to this and many more extended interviews.
And it is always my pleasure to welcome back to the show, Caleb Barlow. He is the CEO at Cylete. Caleb, welcome back. I want to touch today on incident response. I know this is something
you've been focused on lately and some interesting ideas you want to share.
Well, first of all, it's great to be back, Dave. What I want to talk about is this new concept of,
you know, if we think about how we respond to incidents today, it's really scenario-based management, right?
We build our runbooks.
They might be around everything from, you know, ransomware to an insider threat to a
malware incident.
And, you know, at the end of the day, those runbooks are often kind of a checklist of
procedures and actions that guide our response effort.
And this approach comes from the fact that up until recently,
most of the common threats an organization would encounter
could be, well, predicted.
I mean, if you think back even before cyber,
it's fire, flood, labor issue,
or maybe some form of a natural disaster, right?
And our response to cybersecurity incidents has been similar,
but it's a little bit different in that the reality is we're up against a human adversary that can pivot and jog. And these are what the folks at Harvard University call novel risks, meaning that they're an unpredicted crisis and cyber by its very nature is a novel risk. So what I want to talk about is starting to kind of the advanced class here
of moving from scenario basis to capacity basis
and how we think about incident response.
All right, well, let's dig in here.
What do you mean by capacity?
Well, so runbooks are obviously still important, right?
And I don't want to diminish the need for them.
But more advanced teams are moving towards this capacity-based model to handle crisis, even events
they've never imagined. So unlike a scenario-based model that's, you know, typically this sequential
checklist, right, for a predictable threat, a capacity-based approach is really about emphasizing
key capacities you need to respond and maintain
resiliency. And those really break down into four key areas. So the first, of course, is incident
response skills. Big surprise, right, Dave? The second one, though, is crisis communications. And
crisis communications is totally different than corporate communications. Knowing what to say,
how to say it, who to inform
both internally and externally as you move through that crisis. And having that ability,
that capacity, whether it's an internal resource or an external resource to be able to do it,
on demand, right? That knows you, that knows how to talk about what's going on,
even if you don't totally understand it yet. The third piece of this, of course, is cyber legal, which is different than your in-house
counsel, folks that understand the 52 different breach disclosure laws across the U.S. and even
more internationally. And the last, and this is kind of the new kid to the party, is business
resiliency skills. Functions like how do we switch to
remote work? How do we manage downtime at the plant or the data center and keep the business
running? So if we build capacity in those four areas, not only do we have the ability to move
through our traditional kind of scenario-based runbooks better, but we also have the ability to handle the unknown.
What's keeping people from using this already? I mean, does capacity cost more?
No. What's keeping people from doing this, honestly, Dave, is most people aren't even practicing their runbooks, right? I love reading runbooks. Your listeners have heard this before.
I find them fascinating. And the first thing I look at is I flip to the very end and look at the update
schedule. And 99% of the time, the runbook has never been updated in 10 years. And it was probably
written by a consultant. And what that says to me is this is useless. This hasn't been used. It
hasn't been exercised. So I think the thing people have to realize in this is this is very analogous to learning how to swim. You can read all the books you want. You can write down your steps of how to swim. Jump in the pool. Start moving your arms and legs. But unless you practice it, you're going to drown.
And the same is true for a cybersecurity incident.
We've got to move past the traditional runbooks into building this kind of muscled capacity.
So think of this, you know, I'll use a bad sports team analogy, right? You know, think of an American football team and kind of that defensive line.
They probably have watched the film and understand all the plays of their, you know plays that they're going to see from the offense.
But if the offense throws something new into the mix, they have the capacity, because they've practiced as a team, to know how they need to move differently and change things up immediately when they see something new.
And that's kind of the same thing we've got to realize here with cybersecurity is we've got to build that capacity. Who ultimately has ownership of this?
Well, let's put it this way. I don't think we, you know, in some cases you have a business
resiliency officer and you're starting to see that appear at large corporations.
But I think at the end of the day, the chief information security officer now has a seat
in the boardroom.
And part of having that stripe means that you don't get to just kind of focus as a security
wonk on the IOCs and what's going in the SOC.
You've got to start to stretch out to your peers and start talking about business resiliency.
If you know that the data center in Topeka
is vulnerable, and you know that data center could go down pretty easily, and you also know that
if you saw a major incident, you're going to shut it off. You're going to disconnect it.
Then, man, you better be working with that business team to understand how you maintain
resiliency. Where do you fail over?
You know, a great example would be in a hospital, right? If a hospital loses access to the electronic medical record system, can they operate on paper? And how long can they operate on paper? And have
they tried it? You know, those are the types of things where that CISO has got to start stretching
their legs in the boardroom and realize their ultimate job isn't just to protect the company, it's to keep the company running.
Let me push back a little bit on that because a lot of the CISOs I talk to will say that
they are a member of the C-suite in name only. That, yeah, there's a C at the beginning of their
title, but the board really does not consider
them at the level of the other folks. I mean, if they're taking this level of responsibility,
is this perhaps an opportunity for them to say, look, look at these responsibilities,
you know, you need to elevate my position? Well, I think it's exactly right. It is an
opportunity. And let's be, you know, a little bit overly direct and blunt. If they're not stepping up to this, if all they're doing is staying in the security swim lane and things are running well and they keep the information secure, well, they probably don't belong in the boardroom because they don't understand the inner workings of the business, what's moving next, where the business is vulnerable, what key things have to happen. I mean, you've got to start to participate in those board meetings. And, you know, here's a key test, right? When it's time
for the CFO to review the finances of what's going on in the organization, which of course is a topic
in every boardroom meeting, you know, in every kind of quarterly business review, is the CISO
asleep or, you know, looking at their email, or are they paying attention and asking questions?
As long as we start to act more like the latter, and we start to understand how we maintain business resiliency, then that CISO deserves the C in their title.
All right.
Well, Caleb Barlow, thanks for joining us.
Thank you.
ThreatLocker, the cybersecurity solution trusted by businesses worldwide, is a full suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe
and compliant.
Clear your schedule for you time with a handcrafted espresso beverage from Starbucks.
Savor the new small and mighty Cortado. Cozy up with the familiar flavors of pistachio
or shake up your mood with an iced
brown sugar oat shaken espresso. Whatever you choose, your espresso will be handcrafted with
care at Starbucks.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Before we close today, a quick thanks to everyone who came out to our Women in Cybersecurity reception Thursday night
at the International Spy Museum in Washington, D.C.
It was thrilling to see so many of you in person and to witness women in every stage of their cyber careers
reuniting with old friends and making new ones.
A special shout-out to our senior producer Jennifer Eiben
for planning and coordinating the event,
and we hope to see all of you again next year.
Be sure to check out this weekend's Research Saturday
and my conversation with Dick O'Brien from Symantec's Threat Hunter team.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White,
Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis,
Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janene
Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.
...ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard.
Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.