CyberWire Daily - Cyber operations in the hybrid war. Karakurt extortion group warning. Clipminer is out in the wild. GootLoader expands its payloads and targeting. Leak brokers and booters shut down.

Episode Date: June 2, 2022

Russian government agencies are buying VPNs. CISA and its partners warn about the Karakurt extortion group. Clipminer is out in the wild. GootLoader expands its payloads and targeting. Carole Theriault has the latest on fraudsters imitating law enforcement. Kevin Magee from Microsoft on security incentives by way of insurance. And leak brokers and booters shut down. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/106

Selected reading.
White House: cyber activity not against Russia policy (Reuters)
Some see cyberwar in Ukraine. Others see just thwarted attacks. (Washington Post)
ESET Threat Report details targeted attacks connected to the Russian invasion of Ukraine and how the war changed the threat landscape (ESET)
Ukraine - 100 days of war in cyberspace (CyberPeace Institute)
Russian VPN Spending (Top10VPN)
Karakurt Data Extortion Group (CISA)
US Agencies: Karakurt extortion group demanding up to $13 million in attacks (The Record by Recorded Future)
Clipminer Botnet Makes Operators at Least $1.7 Million (Symantec Enterprise Blog)
GootLoader Expands its Payloads Infecting a Law Firm with IcedID (eSentire)
WeLeakInfo.to and Related Domain Names Seized (US Department of Justice)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. Russian government agencies are buying VPNs. CISA and its partners warn about the Karakurt extortion group. ClipMiner is in the wild. GootLoader expands its payloads and targeting.
Starting point is 00:02:13 Carole Theriault has the latest on fraudsters imitating law enforcement. Kevin Magee from Microsoft on security incentives by way of insurance. And leak brokers and booters shut down. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, June 2nd, 2022. U.S. Cyber Command Head and Director NSA General Paul Nakasone remarked earlier this week that the U.S. had provided operational cyber support to Ukraine. His comments, on which he declined to elaborate, attracted considerable attention.
Starting point is 00:03:08 The White House yesterday said that the cyber operations General Nakasone alluded to marked neither a change in nor a deviation from U.S. declared policy of avoiding direct combat with Russia. That's generally one of the points General Nakasone made in his remarks. The White House statement seems to rely upon the ambiguity of cyber operations, which remain a gray zone in international conflict. The Washington Post reviews the ongoing controversy over how effective Russia's
Starting point is 00:03:39 cyber operations have been in its hybrid war against Ukraine. The widespread catastrophic attacks against infrastructure many observers had expected haven't materialized, and that surprised many, given Russia's dress rehearsals for attacks against the Ukrainian power grid in 2015 and 2016. Those were apparently successful proofs of concept, but they haven't been repeated in the present war. The most significant cyber
Starting point is 00:04:06 action was the successful disruption of Viasat ground stations, but the effects of that attack were quickly made good. Some observers see Russian failure, others Russian restraint. Still others see a different choice of objectives by Russian strategists. ESET's most recent threat report sees a conflict marked by hacktivist and criminal activity and sees the immunity from cybercrime, especially that Russia has largely enjoyed, as having significantly eroded. The CyberPeace Institute this morning released a study of the conflict in cyberspace, concentrating on critical infrastructure in Ukraine and the Russian Federation, essential for the survival of the civilian population and civilian objects,
Starting point is 00:04:50 which are all protected under international humanitarian law, and targets outside of those two countries that have been impacted by cyberattacks as a result of the war and its associated economic and geopolitical context. The researchers concluded that while cyberattacks aren't playing a major role in tactical advances of either side, cyberattacks are used as a means of destruction, disruption, and data exfiltration. In addition to the widespread use of disinformation, they've led to the destabilization of cyberspace. They say the conflict has seen a number of cyberattacks on critical infrastructure, such as communications services and electric power stations,
Starting point is 00:05:32 in violation of international humanitarian law. They point out that so-called hacktivist collectives have played a significant role during this conflict, with the primary type of attack undertaken by these actors being hack-and-leak-style attacks by anti-Russian actors and denial-of-service attacks on Ukrainian allies by pro-Russian actors. Also, the energy, mining, and financial sectors are seeing significant numbers of attacks, both in Ukraine and Russia, as governments across the world impose or increase sanctions. And beyond traditional means of propaganda, cyber attacks are being used to spread disinformation and control the flow of information relating to the war.
Starting point is 00:06:16 Russia's government apparently is purchasing VPN services, not to subvert them, but rather for its own use. Top10VPN reports that since the invasion of Ukraine, 236 official contracts for VPN technology worth over $9.8 million have been made public. State institutions and companies regulated by public procurement law based in Moscow spent more than any other region, totaling 196 million rubles. That's about $2.4 million. The users are either government agencies or established corporations, and they're purchasing VPN services to retain access to sources of information that
Starting point is 00:06:58 Kremlin-imposed censorship has otherwise rendered inaccessible. CISA, the FBI, the Department of Treasury, and the Financial Crimes Enforcement Network have released a joint cybersecurity advisory on the Karakurt Data Extortion Group, a gang that extorts its victims by threatening to dox them with stolen information. Karakurt is opportunistic and gives no appearance of favoring any particular sectors as it selects its victims. The gang is also a player in the C2C market, where it either purchases stolen login credentials, relies on the cooperation of criminal partners who've already compromised victims, or buys access from third-party intrusion broker networks. The data compromises Karakurt uses to threaten its victims are sometimes genuine,
Starting point is 00:07:48 but often smoke and mirrors, sometimes recycling data from old, known compromises. The payments Karakurt demands can be as high as $13 million, The Record reports. CISA and its partners advise against paying the ransom, apart from the general good sense of avoiding feeding a bandit economy. In this case, CISA thinks Karakurt isn't close to being as good as its word. The gang seems to hang on to the information it steals, and doesn't destroy the information as it promises. Symantec's Threat Hunter team, a part of Broadcom Software, has released a blog post detailing their discovery of a cybercriminal operation utilizing malware tracked as Trojan.ClipMiner. The threat actors behind this operation have made an illicit profit of at least $1.7 million from the use of this malware in cryptocurrency mining and theft via clipboard hijacking.
Starting point is 00:08:44 The malware is believed to spread through Trojanized downloads of cracked or pirated software. Researchers suggest that ClipMiner may be a copycat or evolution of another crypto mining trojan called KryptoCibule, as there are many similarities between the two. eSentire this morning published an update on GootLoader, a malware loader whose operators use search engine optimization poisoning to distribute IcedID malware as its payload. GootLoader is offered as malware as a service, and it's being adapted to handle other payloads. A law firm, eSentire says, has been among the recent victims. And finally, the US FBI, the Belgian Federal Police, and the Netherlands National Police Corps seized and shut down three criminal sites:
Starting point is 00:09:41 WeLeakInfo.to, IPStress.in, and OVHbooter.com. WeLeakInfo billed itself as a search engine that could be hired to sift through illegally obtained and dumped data. The other two were DDoS for hire services. Good riddance to all three of them, and bravo for some good cyber police work. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:10:29 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform
Starting point is 00:11:28 secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Cyber criminals and fraudsters are known for their brashness. Carole Theriault files this report about a disturbing trend of baddies imitating law enforcement. Well, there seems to be no end in sight
Starting point is 00:12:12 of people wanting to make a quick buck by considering to scam some innocent person into handing over their life savings. We've seen romance scams and targeted phishing scams. We've seen disaster recovery scams and health care scams and business email compromise scams. But I have recently seen a number of scams involving fake police. So say a police officer calls you, identifies themselves, and then explains that they think you were targeted in a financial fraud campaign. While they're talking, you might even look up their name and find out that they do indeed exist.
Starting point is 00:12:57 Problem is that that person on the phone has stolen the real officer's identity in order to con you, the victim, into parting with your hard-earned cash. I mean, on the very week that I record this, I see that Albuquerque police issued a warning of a scammer pretending to be a legit officer of the force, that Thailand warned people to beware of deep fake police video calls, that UK Yorkshire County had a fake detective calling residents, and that even in my home country of Canada, a perp decided to take the identity of a bona fide RCMP officer in order to convince people they were a person of interest. Or, and this happened last year in the UK, an elderly woman gets instructions to take cash and iPhones to locations around Gloucester and leave them there. The perps, pretending to be cops,
Starting point is 00:13:44 told her the cash and phones were needed for a police investigation and would be collected by officers. Now, this seems to be too far-fetched to be true to me and probably to you listeners of the Cyber Wire. But the thing is, is they often target people who are vulnerable, less informed, or perhaps older. People who have a smaller social circle of connected individuals, who have cash reserves, and a deep desire to do the right thing, which includes assisting the authorities upon request. The so-called cop reels off high-level information, stuff typically gathered from a public record, just to establish authority and credibility with the victim. And this approach
Starting point is 00:14:32 is insidious to me. Targeting the more vulnerable in our society by swooping in to grab their nest egg leaves the victim where exactly? Upset, afraid? And don't forget, with no financial reserves. And like, listen, I work in tech and I can barely keep up with all the plethora of scams. So how is your typical everybody supposed to be vigilant, especially if they're in their golden years trying to enjoy themselves? Scams like this make my blood boil because they just feel rotten. So dear listeners, may I ask that you look after your elders, particularly those that like to dabble online, maybe share too much on the socials, have really easy to crack passwords, and especially those that assume that everyone out there is a super kind soul. Because it turns out there are a few tiny rotten apples out there
Starting point is 00:15:29 and they're looking for someone exactly as I've just described. This was Carole Theriault for the Cyber Wire. Thank you. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Kevin Magee. He is the Chief Security Officer at Microsoft Canada.
Starting point is 00:16:44 Kevin, it's always great to have you back on the show. One of the things I think it's safe to say here in 2022 is that there has been a lot of movement in the cyber insurance world. Some of it's been reactive, some of it's been proactive. I just want to check in with you on some of the things that you've been tracking with the folks that you interact with. Thanks for having me back, Dave. One of my predictions on Rick Howard's CSO Perspective podcast for this year was that cyber insurance rates would start to go up and that that would be a catalyst for positive societal change in addressing overall cybersecurity risk.
Starting point is 00:17:20 And I think we're starting to see that. One, there's ample evidence that cybersecurity rates are going up as we're starting to normalize and understand what the risks associated with cyberattacks are. But two, that's starting to be a catalyst for change. And what I mean by that is when insurance companies started penalizing people for bad behavior driving and they started rewarding people for avoiding accidents, not getting speeding tickets or whatnot, this became an incentive for real road safety. Vendors started building safety features into their cars and trucks. Consumers started to begin to evaluate their purchase decisions on how safe the product was,
Starting point is 00:17:58 but also on how easy it was for the vehicle to insure or how much it would cost to insure that vehicle. So we're starting to see, I believe, cyber insurance rates not only normalize to our industry because there's not those decades of data like the car industry, but also be that quantifiable amount that we can communicate to the business that's always really wanted us to put a dollar amount on risk and we've never been able to do. So are we headed into a time where we are able to do that? I think so. I think we're getting there, and it's just a year-over-year accumulation of data.
Starting point is 00:18:33 So we're seeing, as ransomware is becoming much more rampant, we're seeing the double tap, where there's extortion really driving the amounts that insurance companies are paying out increase. So in 2021, U.S. insurance carriers are reported to have increased direct written premiums by 92%, according to the Wall Street Journal last week. So that's up considerably over the 65% from the previous year and 47% in 2019. So these premiums are starting to be raised. We're also seeing that the insurers are covering less and less. So you have to maybe have two or three different policies
Starting point is 00:19:15 to cover what you had previously before. So what this is driving is greater discussions between the security teams and the business. It's finally that catalyst to really have a CFO-level, board-level discussion about enterprise risk and what the true value of that risk is. And again, I feel it's starting to put a number on what the cost of doing or not doing things
Starting point is 00:19:39 within your organization to be cybersecurity are. And a great example of that is a lot of insurance companies are asking that basic security controls be put into place, such as multi-factor authentication. This is driving real-world action. I'm seeing more and more uptake in multi-factor authentication, not because it's the right thing to do or it's something we should do, but the catalyst for that movement is we have to get compliant in terms of our application for cybersecurity insurance. So in that case, I think it's a good thing for our industry and just the cyber risk landscape that we're seeing globally as well.
Starting point is 00:20:15 Do you think there's a danger that some areas may not be insurable? I think about flood insurance, which the private sector has gotten out of. The backstop we have is the federal government where really all that's available is not very good insurance that's expensive, but it's the only option you have. Is there a possibility with the ever-increasing rates of ransomware that we could be headed in that direction? I really worry about that as well, because we're starting to see now litigation play out in court where it's being decided, you know, what is going to be covered? What is an active war in the cybersecurity world? What will be covered? So we're going to see a lag because of the legal process that it takes to really sort these things out of two, three years in many cases that will decide whether some industries are insurable or not going forward based on the results.
Starting point is 00:21:12 I think at this time, with just all the geopolitical conflict, some of the challenges we're seeing with nation-state attacks and whatnot, there's got to be a backlog in the legal system of trying to interpret and decide, you know, what is an act of war? Who is the threat actor? What if it's a proxy, not a nation state? How does that play out? Is it a criminal element? Is it not? We're going to see, I think, an incredible amount of thought put into this over the next couple of years by legal minds, which will then translate into real world action in a lot of cases.
Starting point is 00:21:45 And I fear many of the same things that you just mentioned, that some areas of the economy just may not be insurable for a short period of time or maybe a long period of time and require government intervention in order to maintain their services. All right. Well, Kevin Magee, thanks for joining us. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Rachel Gelfand,
Starting point is 00:22:32 Liz Irvin, Elliott Peltzman, Tré Hester, Brendan Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll
Starting point is 00:22:51 see you back here tomorrow. Thank you. where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
