CyberWire Daily - Cyber conflict and cyberespionage. Social engineering as a turnstile business. Inside a social engineering campaign. A warning about fraudulent unemployment claims.
Episode Date: October 14, 2020
Reports of cyberattacks against Iranian government and, possibly, economic targets are circulating, but details are sparse. Norway accuses Russia of hacking parliamentary emails. A cybercriminal gang's secret is volume. A social engineering campaign singles out victims with US IP addresses. Joe Carrigan on a million-dollar REvil recruitment offer. Our guest is Paul Nicholson from A10 Networks with a look at the "State of DDoS Weapons". And the US Treasury Department warns banks to be on the lookout for signs of unemployment fraud. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/199
Transcript
Reports of cyberattacks against Iranian government and possibly economic targets are circulating. Details are sparse. Norway accuses Russia of hacking parliamentary emails.
A cybercriminal gang's secret is volume.
A social engineering campaign singles out victims with US IP addresses.
Joe Carrigan on a million-dollar REvil recruitment offer.
Our guest is Paul Nicholson from A10 Networks with a look at the state of DDoS weapons.
And the U.S. Treasury Department warns banks to be on the lookout for signs of unemployment fraud.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Wednesday, October 14, 2020.
Iran's National Computer Emergency Response Team acknowledged today that two Iranian government agencies had come under cyber attack,
which had been successfully confined to those two organizations.
The Jerusalem Post notes that the disclosure came after rumors of the disruption
circulated widely in social media.
Iran's official news agency, IRNA, said the attacks had been contained,
done limited damage, and were under investigation.
Unconfirmed reports from U.S.-operated Radio Farda and other sources
said the attacks hit Iran's ports and shipping organization,
as well as a port in Bandar Abbas,
and that some financial services may also have been affected.
Norwegian Foreign Minister Ine Eriksen Søreide
announced that Moscow was responsible for a recent attack
on Norway's parliamentary email system.
The BBC quotes the foreign minister as saying,
quote,
based on the information available to the government,
it is our assessment that Russia stood behind this activity,
end quote.
Moscow dismissed the statement as a serious and willful provocation.
The attack, detected in August,
gave the intruders access to parliamentary emails
in an apparent cyber espionage incident.
Those of you of a certain age will remember the radio ads
for discount electronics stores or men's clothing establishments whose prices were so low
that they were just insane. The proprietor would say, "They ask me, what's your secret? And I tell them: volume."
It's like that with social engineering sometimes. FireEye today
released an account of the activities of FIN11, a financially motivated APT, that is, a criminal gang.
FIN11 isn't the Maison Louis Vuitton of malware.
Their stuff isn't particularly advanced or sophisticated.
No, FIN11 is more the Crazy Louie's Nuthouse of malware.
What FIN11 lacks in sophistication, FIN11 makes up in volume.
The outfit runs as many as five large-scale phishing expeditions a week.
They've been around for a while, since 2016 at least,
which makes them venerable by criminal standards.
Their targets were initially chosen from the financial, retail, and hospitality sectors,
but over the past year, FIN11's target list has expanded to the point
where few sectors or geographical regions have escaped attention. FIN11 has shown an evolution
that exemplifies the way the criminal underground has changed over the last few years. FireEye says,
quote, recently FIN11 has deployed CLOP ransomware and threatened to publish exfiltrated data to pressure victims into paying ransom demands.
The group's shifting monetization methods, from a point-of-sale malware in 2018 to ransomware in 2019 and hybrid extortion in 2020,
is part of a larger trend in which criminal actors have increasingly focused on post-compromise ransomware deployment and data theft extortion.
FireEye also notes that recent FIN11 activity seems to overlap with that of the TA505 criminal group,
but they caution that this doesn't mean the two groups are the same,
and in fact their assessment is that they're distinct operations.
What it does mean is that the two groups are partaking of another criminal trend:
buying services from a commodity criminal provider of hacking tools and services.
And their secret? Volume.
Digital Shadows describes an SMS-based campaign that uses highly personalized clickbait to induce its victims to follow the
proffered link. It was originally known as the USPS texting scam, but it's expanded beyond
messaging that impersonates the US Postal Service. Other services are impersonated too, notably Amazon, FedEx, Cash App,
Netflix, various adult entertainment services, and of course payment card or financial services,
the usual bric-a-brac of the online scam.
A lot of smishing this year has used fear of the COVID-19 pandemic to lend urgency to its appeals to fear.
That's not the case in this recent wave.
Instead, it relies on more or less plausible impersonation of a shipper's customer service messaging
to tell the victim, for example, that an attempt has been made to ship them a package
and that for some reason or another, usually an unstated reason,
the shipment requires the recipient's immediate attention.
There's usually a shipping number, bogus of course,
tacked on for greater detail to lend plausibility to the imposture.
What's not bogus is the recipient's name, and that can really lend
plausibility. These are the steps in the attacks Digital Shadows describes. First, the victim
receives a message with a suspicious four- to six-digit link. Second, the incautious victim clicks the link and is
redirected to a .io domain. Third, that domain fingerprints the victim and connects to another
domain. Fourth, the victim, if located in the U.S., is redirected to a phishing page.
If the victims are determined to be outside the U.S., they're simply redirected to a legitimate
Google page. If the user has an IP address located within the U.S., before they're redirected to the phishing page,
they're briefly connected to a tracking domain.
The phishing page is usually a phony survey.
After the victims complete the survey, they move to the final page,
which asks them for personally identifiable information, "fullz" in hacker speak,
so that they can receive a free prize for completing the survey.
But as is so often the case,
the prize is the victim's data and the winners are the hackers.
Finally, the COVID-19 pandemic has induced a large number of unemployment claims
and the U.S. Treasury Department warns banks
to watch for signs of a correspondingly large rise
in unemployment fraud.
Among the signs,
the Treasury Department's
Financial Crimes Enforcement Network points out
are large wire transfers,
especially transfers to offshore accounts.
Wire transfers can be as convenient as they are risky,
unlike credit card fraud, where the victims have some recourse.
Once a wire transfer goes through, it's gone, baby, gone.
Researchers at A10 Networks recently published a report on the state of DDoS weapons.
Joining us with some of their findings is A10 Networks' Paul Nicholson.
Okay, so with this report, we actually publish it every quarter,
and it's basically an informational resource for security professionals
to look at potential weapons which could hit their network.
So it's slightly different from some of the other reports out there, because we call it the DDoS
Weapons Report because these weapons are potential weapons which could be used to attack your network.
As well as that, we also normally highlight some of the more interesting findings and try and relate them to topical events
where we can as well. What are you tracking in terms of the evolution of DDoS? Do things continue
to grow? Yeah, so we look at, you know, as I say, amplification and reflection attacks are the
biggest types of attacks we see. So some of the usual UDP services which come out on top in the report every quarter. So for example,
with PortMap, we see 1.8 million potential weapons out there which could be used
to launch these types of spoofing attacks. And then after that, SNMP, SSDP, DNS resolvers, and TFTP servers.
So they round out the top five.
But what we find is interesting is you might have heard there was a recent attack on Amazon
revealed in their Q1 report.
And that was the same type of attack, a UDP attack,
but it was using not one of the top five weapons.
It was actually using one called CLDAP
or Connectionless Lightweight Directory Access Protocol.
And when I talked about these top weapons we see,
there's like 1.8 million of them out there.
With the CLDAP ones from our honeypots and our sources,
at the time we were seeing only 15,000.
So the size isn't always an indication if it's going to be used for the largest attacks of the day.
So what are your recommendations in order for organizations to best protect themselves against this?
What sort of things do you suggest?
One, you have to know your environment.
You have to also, if you're going to a cloud environment, very important right now is to know that cloud environment as well.
And your level of responsibility in terms of what's secured by the cloud or hosting provider versus what your responsibility is.
As I mentioned, that CLDAP example earlier illustrating that.
And then, you know, with DDoS attacks, being aggressive is the way to go, because it will reduce the
operational impact of having it. It'll be more accurate and it'll give you a better chance to
make sure that you can defend against these.
That's Paul Nicholson from A10 Networks.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute
and also my co-host over on the Hacking Humans podcast.
Hey, Joe, it's great to have you back.
Hi, Dave. How are you?
Good, good, good, good, good.
So we have an article here from Forbes by Simon Chandler,
and it's titled, REvil Ransomware Gang Offers $1 Million as Part of a Recruitment Drive.
Unpack this for us here, Joe.
Right now, I'm putting my pinky up to the corner of my mouth.
$1 million.
is that this group, the REvil ransomware operation,
has deposited this $1 million in Bitcoin in a Russian-speaking hacker website.
And they are announcing that they're looking for people
to help with their operation.
They're recruiting people, Dave.
This is just like a business for these guys.
Is this like LinkedIn for bad guys?
That's what the hacker forum is. It's LinkedIn for bad guys. But when you're a malicious actor,
you have to demonstrate that you're capable of paying people for being part of your operation.
And what they've done here is essentially put into escrow a million dollars in Bitcoin and said,
look, we can do this.
We have the money to pay you. We are not scamming you, which is a really big risk for people when they're looking to do nefarious things in the dark net, right? There's all kinds of ways to
get scammed out of your money or your time on that and do work for someone for free. Nobody
wants to do that. So these guys have said, well, here's a million dollars in Bitcoin. We're just going to put it up here
and you can see it and we'll pay you from it.
Who are they looking for?
What kind of talent are they going after?
They're looking for affiliates
who would be responsible
for getting into organizations
and infecting them with ransomware.
And actually, REvil is building
this ransomware-as-a-service enterprise.
And they're saying that they'll receive 20% to 30%, while you, as the guy that broke into the place and infected them with ransomware, you'll get 70% to 80% of the payout.
Ransomware is tough work, you know, breaking in.
So if you can have other people do it and then just collect, you know, 20% to 30% while other people do the work. It's like being a
franchisor, right? So I was going to say, yeah, it's like opening your neighborhood McDonald's.
Exactly. Except for ransomware. That's exactly what this is. They are looking for franchisees.
It is exactly like a business. We talk about how these people run their organizations just like
businesses. There are people in there for sales. This is recruiting. This is like HR.
There are people who do management. And there are people who do tech support for these companies.
These, not companies, organizations. These are criminal organizations. I say company like it,
it's run like a company, but it's not a company. It's a legitimate businessman.
One of the things they're looking for is they're looking for people with experience and skills in penetration testing, right?
Which means they're looking for people to break into businesses.
Yeah.
Well, I mean, it strikes me that a million dollars is not chump change, no matter what form it's in, in Bitcoin or other ways.
I suppose, I mean, I guess it's a small possibility, but there's a possibility that this could all be a ruse by law enforcement, right?
I mean, to try to hook people in.
That happens sometimes on these dark web forums.
Unlikely.
That is possible.
But the problem is that if you're doing this completely over the Onion Router network, Tor, then you're going to have a hard time finding the people who have
done this. And if you send them Bitcoin and they immediately change that to another currency to
evade detection, that's also going to be hard to find. So I don't think law enforcement is going
to take a million dollars, put it up and say, you know, we're going to try to catch some bad guys.
Maybe they're going to do it if it's seized money. You know, they've seized money from people.
Bitcoin's all seized. They really don't care what happens. Maybe. I mean, that's a good point,
Dave, that this might not be hackers, but I think it is REvil. I think that's been confirmed in the story. Yeah. Yeah. I mean, I, yeah, yeah. I guess what I'm getting at is that, you know,
rolled into all of this is that element of risk,
that cost of doing business, that there is a risk. You always have to be looking over your shoulder.
Absolutely. And I guess, I mean, to the main point of this whole story, that in order to get people
to trust them, that's why they have to put the million bucks up in the first place. That's
exactly right. Yeah. You know, this is something I could never do. Not because it's wrong, right?
And because I, I mean-
You're fully capable of doing things that are wrong.
That's not what I meant to say.
Not just because it's wrong.
Right, okay.
Let's say that instead.
Not just because it's wrong
and because you've been destroying
people's businesses and lives.
But I know myself,
I could never live in constant fear
of somebody tapping me on the shoulder
and going, Mr. Carrigan, you're under arrest for the hacking.
Okay.
Great.
Right.
You're the guy who always rewound his VHS tapes before you return them to the rental store.
Yeah, exactly.
You want to sleep at night.
Exactly.
I want to sleep at night.
And I would not be able to sleep at night under these conditions,
regardless of how many millions of dollars in Bitcoin I had in some exchange somewhere.
Or in my own hard wallet.
It wouldn't be comforting.
Yeah, yeah.
All right. Well, the article is over on Forbes, again, written by Simon Chandler.
It's REvil Ransomware Gang Offers $1 Million as Part of Recruitment Drive.
Joe Carrigan, thanks for joining us.
It's my pleasure, Dave.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Have it your way.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Carrigan, Carole Theriault,
Ben Yelin, Nick Veliky, Gina Johnson,
Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.