CyberWire Daily - DDoS attacks strike countries friendly to Ukraine. Predatory Sparrow's assault on Iran's steel industry. Callback phishing impersonates security companies. Anubis is back. BlackCat ups the ante.

Episode Date: July 11, 2022

More deniable DDoS attacks strike countries friendly to Ukraine. Predatory Sparrow's assault on Iran's steel industry. A callback phishing campaign impersonates security companies. The Anubis Network ...is back. Thomas Etheridge from CrowdStrike on the importance of outside threat hunting. Rick Howard weighs in on sentient AI. And a ransomware gang ups the ante.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/131

Selected reading.
Pro-Russian cybercriminals briefly DDoS Congress.gov (CyberScoop)
Lithuania's state-owned energy group hit by 'biggest cyber attack in a decade' (lrt.lt)
Ignitis Group hit by DDoS attack as Killnet continues Lithuania campaign (Tech Monitor)
Russian 'Hacktivists' Are Causing Trouble Far Beyond Ukraine (Wired - 07-11-2022)
Predatory Sparrow: Who are the hackers who say they started a fire in Iran? (BBC News)
Hacktivists claiming attack on Iranian steel facilities dump tranche of 'top secret documents' (CyberScoop)
Callback Phishing Campaigns Impersonate CrowdStrike, Other Cybersecurity Companies (CrowdStrike)
Anubis Networks is back with new C2 server (Security Affairs)
BlackCat (aka ALPHV) ransomware is increasing stakes up to $2.5 million in demands (Help Net Security)
Resecurity - BlackCat (aka ALPHV) Ransomware is Increasing Stakes up to $2,5M in Demands (Resecurity)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. More deniable DDoS attacks strike countries friendly to Ukraine. Predatory Sparrow's assault on Iran's steel industry. A callback phishing campaign impersonates security companies. The Anubis network is back.
Starting point is 00:02:14 Thomas Etheridge from CrowdStrike on the importance of outside threat hunting. Rick Howard weighs in on sentient AI. And a ransomware gang ups the ante. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, July 11th, 2022. Lithuania's state energy provider Ignitis Group sustained a large distributed denial of service attack over the weekend, LRT reports. The attacks had been intermittent over more than a week, peaking on Saturday. Ignitis said that it has now overcome the attacks and that its control systems were not affected. Tech Monitor says that Killnet claimed responsibility for the operation. Lithuania, like the other Baltic states, has strongly supported Ukraine during Russia's war.
Starting point is 00:03:24 like the other Baltic states, has strongly supported Ukraine during Russia's war. It has recently stopped imports of Russian natural gas and just this morning imposed further restrictions on Russian shipments to its discontinuous Kaliningrad territory. Kilnet also claimed responsibility for a DDoS attack against a website operated by the U.S. Congress, which experienced brief interruptions of public access between 9 and 11 a.m. Thursday. Cyberscoop quotes the group's crowing over Telegram, they have money for weapons for the whole world, but not for their own defense.
Starting point is 00:04:05 The degree of control Russian intelligence services exercise over Killnet remains unclear, but the group makes no secret of its determination to support Russia in its war against Ukraine. Wired has a brief overview of the group's activities, which have affected targets in Lithuania, Italy, the United States, Romania, and Norway. Killnet has declared war against these and other states who've been too sympathetic to Ukraine. For all of its online posturing, Killnet's activities haven't so far risen above a nuisance level. Flashpoint offers a suitably tepid appraisal of the group's work, saying, While Killnet's threats are often grandiose and ambitious, the tangible effects of their recent DDoS attacks have so far appeared to be negligible.
Starting point is 00:04:49 The BBC reports that Predatory Sparrow, a nominally hacktivist group opposed to Iran's regime, which claimed to have disrupted operations at Iran's Mobarakeh Steel Company on June 27, has posted videos of fires at the facility it claims were caused by its cyber attack. Mobarakeh Steel has minimized the effects of the attack, saying that its operations were not disrupted. CyberScoop reports that Predatory Sparrow has also dumped a set of documents it calls top secret and which it claims were taken from the Iranian facilities during the cyber attack. Those claims, as well as the authenticity of the documents themselves,
Starting point is 00:05:31 remain unverified. Given the long-running tension between Iran and Israel, there's been widespread speculation in the Israeli press that Predatory Sparrow, which presents itself as an Iranian dissident group, is operating in the interest of Israeli intelligence services. The Israeli government has begun an investigation into the source of the stories, which may or may not have derived from leaks. CrowdStrike on Friday detected a callback phishing campaign that impersonates CrowdStrike and other security companies. The social engineering effort begins with an email that claims to have discovered a potential compromise on the recipient's network. The email provides a telephone number and invites the victim to call and arrange an audit of their workstations. It's unclear what might happen next,
Starting point is 00:06:23 but the call will almost certainly invite the victim to install malware into their systems under the guise of a security update. CrowdStrike says, Historically, callback campaign operators attempt to persuade victims to install commercial RAT software to gain an initial foothold on the network. It's an old scam, and while one might think it played out, people continue to fall for it. The impersonation of a security firm is thought to add additional plausibility to the imposture.
Starting point is 00:06:55 CrowdStrike points out with emphasis that CrowdStrike will never contact customers in this manner. Nor, one might add, will any other reputable security company. It's also worth noting that the campaign is purely fraudulent and doesn't involve any compromise of a security firm's networks. Security Affairs reports that the Anubis network is back, providing command and control infrastructure for credential phishing that's targeting users in Portugal and Brazil. The initial contact is often by smishing, phishing with a text message, with a link to a bogus landing page designed to induce users to enter their credentials. And finally, researchers at the firm Resecurity reported over the weekend that the BlackCat gang is upping its ransom demands.
Starting point is 00:07:46 The gang, a competitor of both the once-and-future Conti and the clearly active LockBit 3.0, is now asking its victims for $2.5 million in exchange for stopping all the stuff it gets up to. While BlackCat is a major player in the ransomware-as-a-service subsector of the criminal-to-criminal market, it isn't simply engaged in double extortion, but in what Resecurity calls quadruple extortion. The researchers explain that BlackCat's approach includes encrypting the victim's files, the first step, of course, in a classic ransomware attack. Victims are then offered a key to decrypt their files and restore access to their compromised data.
Starting point is 00:08:39 The second aspect of BlackCat's attack involves data theft and the attendant threat of doxing, of releasing sensitive data. This is the now familiar double extortion. The third phase of a BlackCat attack is denial of service. The attackers conduct DDoS attacks to close down the victim's public websites. The DDoS, of course, will be called off when the victim pays. And the fourth and final phase of quadruple extortion is, according to Resecurity, harassment. The gang does reputational damage to the victim by calling customers, business partners, employees, and media to tell them the organization was hacked. This, too, increases the pressure on the victim to pay. Quadruple extortion is a noteworthy development in the C2C market. A number of ransomware operators have recently tended to
Starting point is 00:09:23 concentrate on the second phase only, stealing data, or at least claiming to have stolen data, and then threatening to release the data if they're not paid off. It's easier than bothering with encryption. But BlackCat has gone in the opposite direction, opting for a more determined, more intense approach. In some respects, the larger ransom demands aren't surprising. The complexity and expense of quadruple extortion would seem to warrant a bigger ransom,
Starting point is 00:09:52 if, that is, the hoods are going to realize any return on their investment. Conti and LockBit don't think much of BlackCat, dismissing them as scammers, which seems cheeky, coming as it does from a bunch of criminal rivals who are engaged in a form of scamming themselves. BlackCat may have connections with other criminal elements, notably DarkSide and BlackMatter. There's been some suspicion, in fact, that, code overlaps apart, BlackCat may represent a rebranding of DarkSide after that gang's Colonial Pipeline hack drew more attention and heat than the old gang was comfortable with.
Starting point is 00:10:40 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
Starting point is 00:11:10 like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:11:59 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Rick Howard. He is the CyberWire's chief security officer and also our chief analyst.
Starting point is 00:12:39 Rick, always great to welcome you back. Hey, Dave. So a few weeks ago, one of Google's AI researchers, a guy by the name of Blake Lemoine, he got his 15 minutes of fame by claiming that the AI he was working on, which goes by the name Lambda, a language model designed to converse with people, he says that it became sentient. Yep. And he claimed that Lambda could pass the Turing test.
Starting point is 00:13:05 Now, I know you are a huge fan of Alan Turing, the guy who wrote that original paper that described the test. So, what's going on here, Rick? Help me understand. Well, you're right that my all-time favorite computer science hero is Alan Turing, right? In addition to the work he did on artificial intelligence in the 40s and 50s, he also mathematically proved that the modern day computer could be built as a machine, a Turing machine, he called it back in the 1930s. Not to be confused with the Turing test that we're talking about here, a Turing machine, right? So, and remember, we didn't have computers back then, but every computer we use today is a Turing machine, and we have him to thank for that.
Starting point is 00:13:47 And let's not forget about his code-breaking efforts at Bletchley Park during World War II, breaking the German Enigma code. His efforts probably helped save, what, 20 million lives and shorten the war by years. But the Turing test is one of the first tests ever developed to determine if a machine can think. You know, it reminds me of a segment from that great movie, The Imitation Game, which had Benedict Cumberbatch, more recently known as Doctor Strange. But in this movie, he was playing Alan Turing. Is that what we're talking about here? Oh, my goodness, yes. This is a fantastic movie, and I'm so glad that you brought that scene up.
Starting point is 00:14:30 I've been telling people for years that the scene is the best explanation I've ever heard that describes the Turing test and what we thought artificial intelligence meant back in the 1940s. Let's listen to a piece of it. Of course, machines can't think as people do. A machine is different. The interesting question is, just because something thinks differently from you, does
Starting point is 00:14:54 that mean it's not thinking? We allow for humans to have such divergences from one another. You like strawberries. I hate ice skating. You cry at sad films. I am allergic to pollen. What is the point of different tastes, different preferences, if not to say that our brains work differently, that we think differently? And if we could say that about one another,
Starting point is 00:15:20 then why can't we say the same thing for brains built of copper and wire? It's to you. Wow, Cumberbatch is so good in that scene, and a great movie overall, but this scene in particular, really good stuff. Yeah, you know, I'm so with you on that, and if our listeners haven't seen that movie yet, stop what you're doing, do not pass go, and consume that story. It's fabulous. But what Turing described in that scene, the Turing test from his paper Computing Machinery and Intelligence, published in the 50s, is what this Google engineer is talking about.
Starting point is 00:15:52 He claims that his LaMDA could pass the Turing test. Now, Rick, I have been a fan of this kind of thing since the first time I played with Eliza on an old Apple II, right? Like I was hooked from that point on, which is like 80 lines of code or something. And I mean, it convinced me, 13-year-old me. Sure, yeah. Me too. You know, 40-year-old me, it convinced me. So what does this mean?
Starting point is 00:16:19 I mean, are we just years away from, you know, Skynet becoming self-aware and destroying the world? Yeah, well, yeah, we might be a few years away from that event, right? You know, since Turing's work, the AI research community has developed more robust definitions for determining if machines can think. You know, some optimistic forecasters say that the singularity, that moment when a software wakes up and can fend for itself, is like 25 years away. More pessimistic forecasters say it's at least 100 years away. Still, if the Google engineer's assertion is true that Lambda can pass the Turing test, that's a pretty significant milestone. I mean, we've been circling this moment for about five years or so. I mean, when you close your eyes and squint a little bit and try not to be too critical, you could say that voice assistants like Alexa come pretty close.
Starting point is 00:17:10 You know, they're not there yet, but you can see it's right around the corner. I can't help thinking if part of our natural impulse as humans is to keep moving the goalposts. This reminds me of way back when they would say, well, the humans are the only species that uses tools. And since then, we found all kinds of animals use tools, right? So we had to find different ways to define humanity. And I wonder if we're going down that same path here. But it's going to be fascinating to follow for sure.
Starting point is 00:17:40 Well, I've been criticized about this before, right? You know, and I'm not an artificial intelligence researcher by any means. And I'm sure there's better tests than the Turing test, right? But if I'm conversing with a voice assistant and I can't tell if it's a human or not, that's pretty close to me. And it's probably more in line with what Alan Turing had when he was researching this stuff back, you know, 100 years ago. And does it matter? It doesn't matter. That's it.
Starting point is 00:18:04 That's the key, I think. It doesn't matter really that much. All right. Well, listen, before I let you go, you have just added four new members to the CyberWire's hash table group this week. Real quick, tell us what the hash table is and then who's coming on board.
Starting point is 00:18:19 That's right. As you know, we have a roster of experts who regularly visit the CyberWire hash table to discuss important issues of the day. Really, the secret is they're mostly there to keep me honest when I go off on strange tangents, as I'm like to do. Right. So you can see who they all are on the CyberWire web page. We have over 30 of them. And the new folks include Ite Mair.
Starting point is 00:18:41 He's the senior director of security strategy at Cato Networks, and he's a recent CSO from Insights. That's a Rapid7 company. We have Vikrant Aurora. He's the new CISO at the Hospital for Special Surgery in New York. That's going to be interesting, a little extra commentary on that part of the world, all right? Yeah. We have Kurt John, the recently announced global CSO at the Expedia Group, but he's the former CISO for Siemens in the Americas. So we'll get that industrial control system expertise on the table. That's great.
Starting point is 00:19:15 And then last but not least, William MacMillan, also recently announced SVP of security product and program management at Salesforce, but he's just recently stepped down as the CISO for the CIA. So we're bringing in all kinds of expertise here to the CyberWire. Those are some big guns there you got there, Rick. Some big guns. They don't know what they're in for.
Starting point is 00:19:36 That's right. That's right. Well, you can find out more about all of that over on our website, thecyberwire.com. It is part of CyberWire Pro. Rick Howard, thanks for joining us. Thank you, sir. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
Starting point is 00:20:11 ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Thomas Etheridge. He's Senior Vice President of Services at CrowdStrike. Thomas, it's great to have you back.
Starting point is 00:20:58 I want to touch base with you today on threat hunting. I know this is something you and your team focus on there at CrowdStrike. What sort of things can you share with us today? Yeah, absolutely. Threat hunting is something that we focus in on to be able to provide capabilities to look for a needle in a stack of needles. And that really is what threat hunting is all about. We've seen threat actors take advantage of operating system capabilities and the ability to remain stealthy within an environment, bypass old traditional EDR controls, and remain persistent in an environment in order to carry out their tradecraft. The best way to defend against those types of tactics is through the capability in threat hunting.
Starting point is 00:21:49 What are some of the specifics here in terms of things people should be implementing? A couple of things. Smaller organizations that maybe have a smaller security organization and that don't have the ability to perform threat hunting exercises on their own should really consider outsourced or third-party threat hunting organizations, or at least ask your managed service provider if that is a service that's provided with the offering that they deliver. Larger organizations can take advantage of threat hunting and outsourced threat hunting as well, because many organizations, when they perform threat hunts, will do so during normal business hours, Monday to Friday.
Starting point is 00:22:26 They might run a threat hunt or two every month or every quarter. Outsourced threat hunting capabilities may be able to provide differentiated threat hunting 24-7, 365, around the clock, which is typically when threat actors are most active in off-business hours. Yeah, that's a really interesting point there. You know, I wonder for folks who are kind of standing on the sideline here and haven't really engaged with threat hunting, what's your message to them? Outsourced threat hunting is really meant to complement your existing security team and organization. They can be integrated in critical areas of the business, look across the telemetry
Starting point is 00:23:06 that we have within your own environment, but also compare that to telemetry that they might be seeing in other parts, other services that they're offering to other customers that maybe are in the same vertical or geography that your organization is. So doing threat hunting on a broad scale really provides additional benefits and advantages that go beyond what you might be able to provide with your own team. So looking at some of the basics here, I mean, can we start at the beginning? Why do threat hunting at all? Dave, I think the answer is pretty straightforward. We've seen a 45% increase in interactive hands-on keyboard intrusion activity
Starting point is 00:23:46 in the telemetry that we collect in our platform over the last year. Threat actors are very adept at using stolen credentials. They move quickly. We've seen breakout time down in the 98-minute time frame for e-crime threat actors that we track with our intelligence organization. The increase in the use of malware-free attacks allows organizations, allows threat actors, I should say, to remain stealthy and persistent and be able to go undetected with traditional security tools. So threat hunting is a huge differentiator in understanding and getting that visibility and being able to remediate and respond to incidents when they happen.
Starting point is 00:24:32 All right. Well, Thomas Etheridge, thanks for joining us. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. The CyberWire podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:25:25 Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
Starting point is 00:25:41 We'll see you back here tomorrow. Thank you. to innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
