CyberWire Daily - Cyber escalation in a hybrid war, and some notes on the markets, both gray and C2C.
Episode Date: November 17, 2023

Scattered Spider prompts warnings from CISA and the FBI. Phobos ransomware is an affiliate crimeware-as-a-service program. A "hack-for-hire" contractor. "Scama" in the C2C market. Our guest is Lee Clark from the RH-ISAC with a look at Holiday Season Cyber Threat Trends. Tim Eades from Cyber Mentor Fund shares recent trends in cyber venture capital, with tips on finding a good match. And the tempo of cyber operations in Russia's hybrid war.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/220

Selected reading.
FBI and CISA Release Advisory on Scattered Spider Group (Cybersecurity and Infrastructure Security Agency | CISA)
FBI warns on Scattered Spider hackers, urges victims to come forward (Reuters)
U.S. officials urge more information sharing on prolific cybercrime group (CyberScoop)
A deep dive into Phobos ransomware, recently deployed by 8Base group (Cisco Talos Blog)
Understanding the Phobos affiliate structure and activity (Cisco Talos Blog)
Elephant Hunting | Inside an Indian Hack-For-Hire Group (SentinelOne)
How an Indian startup hacked the world (Reuters)
Scama: Uncovering the Dark Marketplace for Phishing Kits (Vade Secure)
Ukraine Tracks a Record Number of Cyber Incidents During War (Bank Info Security)
Russia will target other countries for web attacks, Ukraine cyber defence chief warns (The Irish Times)
Sandworm Linked to Attack on Danish Critical Infrastructure (Infosecurity Magazine)
Why cyber war readiness is critical for democracies (Help Net Security)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Scattered Spider prompts warnings from CISA and the FBI.
Phobos Ransomware is an affiliate crime-as-a-service program.
A hack-for-hire contractor. Scama in the C2C market.
Our guest is Lee Clark from the RH-ISAC with a look at holiday season cyber threat trends.
Tim Eades from the Cyber Mentor Fund shares recent trends in cyber venture capital with tips on finding a good match,
and the tempo of cyber operations in Russia's hybrid war.
I'm Dave Bittner with your CyberWire Intel briefing for Friday, November 17th, 2023.
CISA and the FBI have issued a joint cybersecurity advisory outlining the activities of the Scattered Spider cybercriminal gang. The advisory states, "Scattered Spider, also known as Starfraud, UNC3944, Scatter Swine, and Muddled Libra, engages in data extortion and several other criminal activities. Scattered Spider threat actors are considered experts in social engineering and use multiple social engineering techniques, especially phishing, push bombing, and SIM swap attacks to obtain credentials, install remote access tools, and/or bypass multi-factor authentication." The threat actor targets large companies and has been known to utilize the BlackCat/ALPHV ransomware alongside their usual TTPs.
The joint advisory represents a call for information sharing as much as it does a warning against the activities of this particular threat group.
Scattered Spider has taken an unusual interest in its victims' internal corporate communication channels,
like Slack, Microsoft Teams, and Microsoft Exchange.
They do so in order to monitor for signs that their activity has been detected or suspected,
and the group has also shown a propensity to attempt to join conversations about remediation efforts.
Reuters reported earlier this week that the FBI has, for several months, known the identities of about a dozen members of Scattered Spider, and some observers have wondered why the
Bureau hasn't been more aggressive in making arrests. The FBI bridled at the criticism,
CyberScoop reports, saying in a media call about the advisory,
just because you don't see actions being taken,
it doesn't mean there aren't actions being taken.
So, as true believers say of Bigfoot and the Loch Ness Monster,
absence of evidence isn't evidence of absence.
But in this case, the Bureau has a point.
Not all law enforcement is immediately visible to the public.
In any case, good hunting, FBI.
Cisco Talos has published a study
of the Phobos ransomware affiliate program
alongside an analysis of the ransomware itself.
The researchers found five commonly used Phobos variants,
Eking, Eight, Elbie, Devos, and Faust.
They are, for the most part, distributed to targets through the SmokeLoader backdoor Trojan. The researchers explained why Phobos seems to be a criminal affiliate
program, stating, there is some indication that Phobos may be a ransomware as a service
due to the variation in email addresses we observed. Each Phobos variant from VirusTotal was associated with at least a dozen emails
that were provided to victims to maintain contact,
and some had close to 200 unique email addresses
with various domains.
In some instances, ICQ and Jabber
were used as the main contact address.
That shiftiness of email addresses
is one mark of a ransomware-as-a-service operator.
Cisco Talos says, while it's possible that there is a single group behind Phobos,
it would be uncommon to have a threat actor change their contact email address so often.
We assess that Phobos is likely closely managed by a central authority
that controls the ransomware's private decryptor key.
Reuters, working with researchers at SentinelOne, has published a report on Appin, an Indian
technology company that's allegedly offered hack-for-hire services for more than a decade.
Shane Huntley, head of Google's Threat Analysis Group, told Reuters that hackers tied to Appin targeted tens of thousands of Gmail accounts.
Huntley said,
"These groups worked very high volumes, to the point that we actually had to expand our systems and procedures to work out how to track them."
SentinelOne states,
"Appin is considered the original hack-for-hire company in India, offering an offensive security training program alongside
covert hacking operations since at least 2009. Their past employees have since spread to form
newer competitors and partners, evolving the Appin brand to include new names, while some have spread
into cybersecurity defense industry vendors. Appin was so prolific that a surprising amount of current
Indian APT activity still links back to the original Appin group of companies in one form
or another. Campaigns conducted by Appin have revealed a noteworthy customer base
of government organizations and private businesses spread globally." It's worth noting that reports
don't characterize Appin as a criminal organization.
It's more like a training, testing, and lawful intercept shop. As the case of NSO Group and
others like it have shown, the customers can be, to say the least, problematic with respect to
malware proliferation.
Researchers at Vade describe the underground market for sophisticated phishing kits, or
scama. Crooks can now use tools to scan phishing kits for malicious code.
Vade states, "Scama sellers often attempt to exploit customers by embedding malicious code
in their packs. Because of this common practice, tools like ResStealerFinder have emerged to protect hackers and enable them to secure their phishing pages.
ResStealerFinder detects malicious content in webpages, scanning for vulnerable, sometimes obfuscated code and unknown links that may be present in scama packs.
The tool is effective at finding hidden code that a devious scama seller might use."
And finally, Ukraine warns friendly nations to expect to receive Russia's unwelcome attentions in cyberspace. Victor Zhora, deputy chairman of Ukraine's State Service of Special Communications
and Information Protection, told IRISSCON this week that CERT-UA logged over 2,000 cyber incidents in the first 10 months of
2023, which represents no decline from the total tracked throughout 2022. The attacks' principal
goal this year has been espionage, some of it intended to collect for immediate tactical
purposes. Closed-circuit video systems, for example, have been targeted with the aim of collecting information on the results of drone and missile strikes.
The activity hasn't been entirely confined to cyber espionage.
Attacks against operational technology systems have also been observed,
with Industroyer2, Incontroller, and CosmicEnergy deployed by the GRU against Ukrainian electrical power distribution systems.
The Irish Times reports that Zhora warned that other governments could expect similar attacks
from Russia and from other authoritarian and outlaw regimes. He said, "While cyber attacks
have been often considered a weapon of the future until recently, experience of the ongoing war has
clearly shown the whole world that the future has come. We can say for sure that cyberspace has become a real warfare domain.
There are no boundaries that can stop cyber attackers." Zhora urged that countries prepare
themselves for a coming extension of cyber war, and the threat isn't exclusively Russia,
either, in his view. He said, "It's just a
matter of time before other authoritarian regimes start their cyber wars against the West. It's
crucial now for everyone to realize the degree of danger posed by the combined use of conventional
and cyber warfare. Democracies should immediately adapt their military doctrines to address emerging cyberspace-based threats.
Cyberattacks should be treated in the same manner as conventional military aggression and should result in a similar response."
Russian operations against countries it considers unfriendly are no novelty.
The GRU's Sandworm has been active against electrical power distribution systems in Denmark,
and this is the sort of activity against which Zhora warned IRISSCON.
So, as CISA would say, shields up.
Coming up after the break, Lee Clark from the RH-ISAC has a look at holiday season cyber threat trends.
Tim Eades from the Cyber Mentor Fund shares recent trends in cyber venture capital with tips on finding a good match.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and
their families at home. Black Cloak's award-winning digital executive protection platform secures
their personal devices, home networks, and connected lives. Because when executives are
compromised at home, your company is at risk. In fact, over one-third of new members discover
they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Lee Clark is a cyber threat intelligence writer and analyst at the Retail and Hospitality Information Sharing and Analysis Center, the RH-ISAC. They recently released findings from their 2023 holiday season cyber threat trends report, and I checked in with Lee Clark for the details.
Cyber threat activity is top of mind for most of our member organizations during this time of year.
Commonly known malware like LokiBot, Qakbot, Emotet used to rank really high in terms of what our members shared as threatening their organizations.
Those have virtually disappeared for the current season, right?
The other big divergence is in the past, we saw a
lot of chatter about Log4j, right? But as organizations quickly moved to patch that,
it's fallen off the list completely, right? Whereas it used to hold a very prominent spot.
That, of course, has been overtaken by other critical vulnerabilities that have emerged over
the course of the year, including MOVEit and Citrix Bleed, right? A couple of trends stay largely the same, right?
Credential harvesting, phishing, imposter domains,
and especially various types of fraud
all remain consistent, escalating threats to our membership
during the holiday season.
What are you tracking in terms of trends?
Do you have a sense?
Are things improving or getting worse?
Or are we staying the same?
Where do we stand there?
I don't know about a value judgment like better or worse,
but I do know we're seeing changes over time, right?
So we see prevalent malware like Qakbot, Agent Tesla, Formbook, Emotet.
We see those malware falling in prevalence of reporting over time, right?
And what we see rise in that place are members tracking more on MITRE ATT&CK TTPs, tactics, techniques, and procedures, right?
So we see that tracking coming in a lot more heavily,
which suggests that our membership overall
is improving their sophistication
and being able to detect and mitigate these threats.
Now, a couple of big changes
that we don't quite have hard data yet on,
so this is more qualitative than it is quantitative,
is we see an explosion right now
in three key areas, right? The first being QR code phishing, the second being imposter domains,
and the third being extortion attacks. What used to be termed ransomware attacks, but we're sort
of moving away from calling them ransomware
because they tend to be extortion-based attacks now instead of encrypting attacks, right?
Can we dig into each of those individually? Why do you suppose that those are receiving
the attention that they're getting from the bad actors?
Sure. So QR code phishing is an easy way to trick victims into going outside of their organization's security architecture, right? If you send someone a phishing email with a QR code,
they scan it with their personal cell phone and it takes them to a fake login screen asking them for tool credentials,
right? This is a great way to get around any internal security controls because you have now
essentially tricked your target into using their personal device to enter professional credentials,
right? So, any security controls that the enterprise may have in place aren't going to
protect the individual's personal phone, right?
That's one reason we see this blowing up in terms of prevalence.
The other side of this is that scam activity overall is getting more sophisticated,
more organized, and more aggressive.
It's more professionalized, right, in terms of call centers
and even pay schedules and benefits packages for scam operators, right? If we move to imposter domains,
we see imposter domains in two ways, right? The first imposter domains are targeting enterprise
employees. It's sort of a sub, there's an overlap with QR code phishing in that we see
imposter pages for major vendor software login. These typically are seeking to steal credentials,
right? That's targeting the enterprise. The second type we see is actually targeting the guest or
targeting the customer. And that's usually looking for payment data or loyalty points, things of that nature,
right? We see that exploding in prevalence because, again, the professionalization and ease
of developing scam operations. But standing up that phony infrastructure is very low effort.
And as any company that's ever tried to do a domain takedown on a typosquatting domain
will tell you, it's not always the easiest thing to get taken down. There are legal questions as
well as interpersonal politics between different organizations and telecommunications providers,
right? And the last one, even if Clop hadn't exploited the MOVEit vulnerability over the course of 2023 to carry out extortion attacks against however many, I think we're up to more than 700 organizations now, I'd still be reporting an explosion in extortion attacks targeting the retail, hospitality, and travel sectors. Of course, we're not getting it as heavy as sectors like healthcare or education are,
but we're getting our fair share still.
It's a sort of global trend that we're no exception to.
It tends towards extortion because encrypting requires additional time,
effort, and resources on the part of attackers
whenever you can move straight to the phase of pay me the money or I publish your data, right?
It's an easy attack to carry out
once you get your initial access,
which often you can purchase from an initial access broker
instead of doing the initial compromise yourself, right?
What are the take-homes for you
in terms of the things that you hope people
get out of this report?
Sure. So, the key takeaways we're hoping our members see is that communal defense, right,
what we call Protect as One, as a sort of slogan at the ISAC, helps drastically in strengthening individual enterprises, right? Sharing security control
recommendations as well as indicators of compromise, tactics, techniques, and procedures, anything
technical, but as well as policy level recommendations in between these organizations
that operate in similar spheres. It helps defense both at the community level and at the individual enterprise level,
right? And these trends that we see changing and reporting in the threat landscape affect
organizations regardless of their specific niche in the market, right? Because these attacks tend
to be opportunistic in nature. They're not
targeting companies for the sake of targeting that specific company in most cases. So, in engaging
this kind of communal defense and staying aware of what these key changes are and implementing
the mitigations that are recommended by our subject matter analysts who were so gracious with
their time and effort to help us with the report.
For this period of the 2023 holiday season, which as every holiday season is going to see a significant surge in threat activity, this type of communal defense can really be a massive
advantage for organizations. That's Lee Clark from the RH-ISAC.
And joining me once again is Tim Eades.
He is the co-founder of the Cyber Mentor Fund and also a serial entrepreneur in the cybersecurity space.
Tim, always a pleasure to welcome you back.
Dave, great to be here.
I want to check in with you today on the state of VCs and where you see us heading
when it comes to fundraising in the space.
Yeah, it's definitely an interesting time to be fundraising
over the last, I guess, the first year of the pandemic,
everybody got high valuations, raised big funds,
had to put the money to work.
Valuations got out of whack.
The correlation to revenue was really out of control.
Then over the last year, everybody came out with seed deals
and seed funding.
Some VCs are not built for engaging with the entrepreneurs as seed people.
I think sometimes they think they can, but I think there's a DNA.
Seed funds are really good at seed funds and working with entrepreneurs.
There's definitely a dynamic that first part of the pandemic, massive funds raised, massive valuations, massive money going around.
Over the last 18 months, just about every fund in cyber started off with, I do more in seed, I do more in seed.
But like I said, certain funds don't really have the dynamic or the ability to relate to entrepreneurs in the same way.
I think when you're doing seed deals,
you have to be really operationally focused to help the entrepreneur because particularly the first time ones, it's a struggle.
It's a lonely job.
It's a really hard job, and you need somebody that is,
we talk about all the time, is shoulder to shoulder with you,
helping you do it, helping you with things like comp plans or even right off the bat, like EIN numbers so you can actually trade in California or getting a general counsel, working with building a financial model.
These kind of early stage stuff, some funds are not built for.
And sometimes I think there's a missed opportunity for the entrepreneurs because
they've got to be careful who they partner up with because you're getting married. You're
getting married for a long time. What sort of questions should an entrepreneur be asking
of their potential investors here to make sure it's a good match?
Here's what I would ask. I mean, in no particular order, but I'll give you my
top three or four. I would absolutely do references, right, and see, you know,
what worked and what didn't work with the person in the past. And the question that I would ask,
as a subplot to that one, is what do they take outside the boardroom and what do they keep
inside the boardroom? Do they know what to take offline and when to take it offline?
Does the board member come to the board meeting with the last board deck and conscious of the last board meeting and what you said you were going to do? Corey Malloy is one of the best
investors in Silicon Valley. And he always did that for me. And he would turn up at the last,
you know,
at the current board meeting with the last couple of board decks
to try and keep you honest on the current one.
So what to take offline and whatnot.
So references, but ask about questions like online, offline,
how involved are they in the board meetings,
how involved are the previous board decks they bring into it,
things like questions around that, how they engage with you
outside the board meeting. Do they come see you? Do you go walk, see them? Do you have walk-and-talk meetings?
You know, how do you get along with them outside of the meeting, and how coachable are they? Pete
Sinclair is an old friend of mine. He was on my board at Silver Tail, my second company,
and we would walk all the time, all the time, around and around in Menlo Park.
So that would be another one.
References, obviously, like that.
Go back in time and understand the domain expertise.
So the second one will be domain expertise.
Do they know cyber, in my case?
How deep do they know cyber?
Are they on the technical side, on the go-to-market side?
Do they have history?
Do they have a Rolodex?
Do they really know the subject matter?
Or are they just skimming the tops of the waves?
If they're skimming the tops of the waves, I would probably avoid it, just simply because there's going to be a time where you want to have a conversation about the market and
the market dynamics and market transitions.
And there's too much of an uphill battle to try and educate that. The third one would be fund dynamics.
What fund are they on? Are they in the first fund? How far through are they through that fund?
One of the things that entrepreneurs don't do enough of is ask about where they are in that
fund. Let me give you an example. Let's say they're on fund two,
and it's a $200 million fund, but they've already invested $130 or $140 million of it.
You've got to be careful because the fund dynamics will start impacting their investment decisions
and follow-ons and reserves, particularly if you take it all the way to the top and say,
hey, I'm at $170 million of a $200 million fund. You don't really want to be, my advice,
and I'm sure people will call me out on it,
you don't really want to be the last deal in a fund.
You would rather be the first five or six deals in a fund
at the front end of it.
Just because you have a whole length of time of investment,
there's a whole dynamic there.
Those would be my top three.
Yeah. Do entrepreneurs sometimes make a mistake of thinking that the folks who are investing in
them are going to have more available time than they actually do?
That's another great question. Man, you're on a roll.
That's a great test for an entrepreneur on this stuff, right? Do they work at weekends?
Can you get hold of them? When can you get hold of them? Can you shoot them a text?
Do they respond?
A friend of mine raised a bunch of money recently, and they met an investor on a Friday, and they got the term sheet by like the – I think they got the term sheet on the Tuesday or the Wednesday.
But the VC really played know-how to our friends and got in.
But that's because that particular venture capital person is always available, always around kind of guy.
And it's a great test.
You know, as you go through the funding process, you know, and you're raising money or you're starting to engage in, you know, the San Antonio shop or whatever you want to call it,
get to see them at weekends. Get to see them off out of hours and see what they're like,
see how they interact with people. And they will see that on you too, because they need to see how
your work ethic is and your responsiveness and everything else. That's a good two-way play.
Yeah. I always say, and this is certainly not an original thought on my part, but go out to dinner
and see how they treat the wait staff.
I do that too.
When you're walking around Los Altos, which is where my office is,
I want to see how they see the little old lady crossing the street, how they treat the wait staff,
you know, do they make room for people.
I do that for people that I hire too. Let's go for a walk.
Yeah.
All right.
Well, Tim Eades, thanks so much for sharing your insights.
Great to be here, Dave.
Thank you.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
With TD Direct Investing, new and existing clients could get 1% cash back. Great!
That's 1% closer to being part of the 1%. Maybe, but definitely 100% closer to getting 1% cash back with TD Direct Investing.
Conditions apply. Offer ends January 31st, 2025.
Visit td.com slash dioffer to learn more.
And that's The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday
and my conversation with Asheer Malhotra from Cisco Talos.
We're discussing their research and findings on Kazakhstan-associated YoroTrooper
disguising the origin of its attacks as Azerbaijan.
That's Research Saturday. Check it out.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights
that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and
podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most
influential leaders and operators in the public and private sector, as well as the critical
security teams supporting the Fortune 500 and many of the world's preeminent intelligence and
law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest
investment, your people. We make you smarter about your team while making your team smarter.
Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Tré Hester with original music by Elliott Peltzman. The show was written by
our editorial staff.
Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.