CyberWire Daily - DDoS remains commonplace in Russia's hybrid war. Leaked LockBit 3.0 builder used by new gang. Meta takes down Russian disinfo networks. Lazarus Group goes spearphishing. Cloudy complexity.
Episode Date: September 28, 2022
DDoS remains the most characteristic mode of cyber ops in Russia's hybrid war against Ukraine. A leaked LockBit 3.0 builder is being used in ransomware attacks. Meta takes down Russian disinformation networks. Lazarus Group is spearphishing with bogus job offers. Joe Carrigan looks at SNAP benefit scams. Our guest is Crane Hassold of Abnormal Security with the latest in advanced email attack trends. And the cloud…is complicated.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/187
Selected reading.
Adversaries Continue Cyberattack Onslaught with Greater Precision and Innovative Attack Methods According to 1H2022 NETSCOUT DDoS Threat Intelligence Report (NETSCOUT)
Leaked LockBit 3.0 builder used by ‘Bl00dy’ ransomware gang in attacks (BleepingComputer)
Removing Coordinated Inauthentic Behavior From China and Russia (Meta)
Russia is spoofing mainstream media to smear Ukraine, Meta says (Protocol)
Operation In(ter)ception: social engineering by the Lazarus Group. (CyberWire)
How cloud complexity affects security. (CyberWire)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners,
today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
DDoS remains the most characteristic mode of cyber-ops in Russia's hybrid war against Ukraine.
A leaked LockBit 3.0 builder is being used in ransomware attacks.
Meta takes down Russian disinformation networks.
The Lazarus Group is spearphishing with bogus job offers.
Joe Carrigan looks at SNAP benefit scams.
Our guest is Crane Hassold of Abnormal Security with the latest in advanced email attack trends.
And the cloud? It's complicated.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 28, 2022.
DDoS remains the go-to mode of cyber ops in Russia's hybrid war against Ukraine. Concerns about attacks against critical infrastructure may be rising, but other more commonplace cyber attacks remain typical in the hybrid war. NETSCOUT's DDoS threat intelligence report for the first half of 2022 indicates that
distributed denial-of-service attacks have remained the typical tactic Russian cyber operators have used against targets in Ukraine,
and especially against targets in countries sympathetic to Ukraine.
It's also been one of the characteristic techniques employed against Russian sites.
Netscout's report reads, in part,
As Russian ground troops entered Ukraine in late February,
there was a significant uptick in DDoS attacks targeting governmental departments, online media organizations, financial firms, hosting providers, and cryptocurrency-related firms, as previously documented.
However, the ripple effect resulting from the war had a dramatic impact on DDoS attacks in other countries. Some examples the report points out include
the number of attacks against Ireland increased when it provided services to Ukrainian organizations.
Following its abstention from the UN Security Council and General Assembly resolutions denouncing
Russia's conduct in Ukraine, India noticed a discernible rise in DDoS attacks. Taiwan experienced its single highest number of DDoS attacks
on the same day as Belize after publicly endorsing Ukraine.
When Finland announced that it will be applying for NATO membership,
DDoS attacks increased by 258% year over year.
DDoS attacks connected to Killnet,
a gang of cyber attackers allied with Russia, were directed at Poland, Romania, Lithuania, and Norway.
Russia experienced a nearly three times increase in daily DDoS attacks since the conflict with Ukraine began, and that continued through the end of the reporting period, according to the report. While the frequency and severity of DDoS attacks in North America remained relatively consistent,
satellite telecommunications providers experienced an increase in high-impact DDoS attacks,
especially after providing support for Ukraine's communications infrastructure.
It's not all DDoS in the hybrid war, however, especially not where criminal interests intersect or coincide with combat support.
There are also signs, for example, of increased ransomware attacks against Ukrainian targets.
Researcher Vladislav Radetskiy reports that the Bl00dy gang has used the LockBit 3.0 builder leaked last week to deploy malicious code in that country.
BleepingComputer says that Bl00dy, a relatively new gang,
doesn't seem to do much development of its own,
preferring to repurpose tools leaked or abandoned by other groups.
Those have included Babuk, Conti, and now LockBit.
Meta, the corporate parent of Facebook, Instagram, and WhatsApp, announced yesterday that
it had taken down two networks, one Russian, the other Chinese, for engaging in coordinated
inauthenticity. The networks are unrelated. The Russian disinformation operation, Meta said,
was unusually large, well-constructed, and focused on disseminating Russian propaganda concerning the war against Ukraine.
Meta stated,
The Russian network, the largest of its kind we've disrupted since the war in Ukraine began,
targeted primarily Germany, France, Italy, Ukraine, and the UK,
with narratives focused on the war and its impact,
through a sprawling network of over 60 websites impersonating
legitimate news organizations. The legitimate news organizations impersonated included Spiegel
and Bild in Germany and The Guardian in the UK. The impersonations were carefully and convincingly
executed and were done so at apparently considerable expense. The stories carried in them, to a considerable extent,
concentrated on disinformation,
charging Ukraine with responsibility for Russian atrocities
committed in Bucha and elsewhere.
They were often amplified by Russian social media channels,
including accounts belonging to Russian diplomatic missions,
and they also engaged in pushing petitions
designed as astroturf support
for Russian interests. Given the amount of care, talent, and expense devoted to establishing and
maintaining the inauthentic networks, it's noteworthy that the stories they pushed lacked
legs. They did not achieve widespread acceptance, and they were generally dismissed soon after publication as disinformation.
That experience may suggest the limitations of coordinated inauthenticity. It tends to be less
successful when it seeks to persuade than when it aims simply to confuse. Researchers at SentinelOne
warn that North Korea's Lazarus Group is using phony Crypto.com job offers to distribute macOS
malware. The researchers aren't sure how the lures are being distributed, but they suspect
the attackers are sending spear phishing messages on LinkedIn. SentinelOne notes that this campaign
appears to be extending the targets from users of crypto exchange platforms to their employees
in what may be a combined effort to conduct both espionage and cryptocurrency theft.
So apparently it's a twofer combining espionage with financially motivated crime.
This isn't Pyongyang's first use of bogus job offers as phishbait,
and it's unlikely to be the last.
And finally, what's the internet
weather forecast? Cloudy with a high probability of complexity. A study by Venafi has found that
81% of organizations have sustained a cloud-related security incident within the past 12 months,
while 45% experienced four incidents over the past year. The report says, the underlying
issue for these security incidents is the dramatic increase in security and operational complexity
connected with cloud deployments. And since the organizations in this study currently host
two-fifths of their applications in the cloud, but expect to increase to 57% over the next 18 months,
this complexity will continue to increase. Kevin Bocek, Venafi's Vice President of Security
Strategy and Threat Intelligence, stated, attackers are now on board with businesses'
shift to cloud computing. The ripest target of attack in the cloud is identity management,
especially machine identities.
Each of these cloud services, containers, Kubernetes clusters, and microservices needs an authenticated machine identity, such as a TLS certificate, to communicate securely.
If any of these identities is compromised or misconfigured,
it dramatically increases security and operational risks.
Bocek added that part of the problem is a lack of consensus on who is responsible for the security of cloud-based applications,
stating,
Security teams want to collaborate and share responsibility with the developers who are cloud experts,
but all too often they're left out of cloud security decisions.
Developers are making cloud-native tooling and architecture decisions that decide approaches to security without involving security
teams. And we can already see the results of that approach. Security incidents in the cloud
are rapidly growing.
Coming up after the break, Joe Carrigan looks at SNAP benefit scams. Our guest, Crane Hassold of Abnormal Security, has the latest in advanced email attack trends.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
The team at Abnormal Security recently released their H2 Threat Report, detailing the latest
advanced email attack trends, including increases in business email compromise, the evolution
of financial supply chain compromise, and the rise of brand impersonation in credential
phishing attacks.
Crane Hassold is Director of Threat Intelligence at Abnormal Security.
Yeah, so I think one of the big things that really caught my eye
was the more frequent use of social media brands in phishing attacks.
And while social media, using something like LinkedIn or Facebook or even Instagram
and things like credential phishing attacks have been around for a number of years.
What's really interesting is now we're starting to see the use of these brands in other types of attacks as well.
Things like just plain old BEC attacks, business email compromise attacks.
What's really interesting, we've started to see some groups start injecting things like LinkedIn into their initial lures to make it look like
they're trying to get a LinkedIn invoice paid for or something like that.
And so we're starting to see this transition into using more robust or comprehensive pretexts
within the initial emails that a lot of these cybercriminals are sending to their targets.
And what do you suppose is driving this increase? I mean, is it fair to call it sophistication?
I think it's sophistication. I think it's also adaptation. I think it is, you know,
we see this constantly throughout the years where you see different threat actors trying new and sometimes really obscure things
to see what will stick and what won't stick. But I think when you look at something like,
when we see the emergence of trends like this sort of at a larger scale, when more and more actors
start jumping on this bandwagon, we know that a lot of these cybercriminals will communicate with each
other in underground networks. And so it seems to me that there's been a proven success rate
to using some of these different pretexts in the initial attacks. And so when we see something like
the emergence of an overarching trend like this,
it sort of, you know, speaks to me that it seems to be working at least, and they're getting enough
ROI to make it worth it for them to continue using it. So what are your recommendations then
for folks to best protect themselves against this? Yeah, so, you know, whenever we're looking at cyber attacks today, most people think of
cyber attacks as these technically sophisticated things, when in all reality, more and more
commonly, they're nothing more than behavioral exploitation. And we're seeing more and more of
these attacks that are using nothing more than just basic text to try to
persuade a target or an employee to do something they wouldn't otherwise do. So first and foremost,
making sure that you have defenses in place that are able and equipped to defend against this sort
of new age of cyber threats that aren't technically sophisticated. They're not using, you know,
malicious attachments. They aren't always using malicious links. It's just pure social engineering. So making sure that you have defenses in place that
are equipped and able to defend against those attacks. And then also making sure that you have
good processes in place to make sure that if a request does come in from someone who may be
impersonating an internal employee or even an external third
party, which we've been seeing more and more of recently, to make sure there's a process in place
to validate those requests. And what kind of things are we talking about specifically? I mean,
to what degree are there technical solutions and to what degree, as you mentioned, you know,
is this a matter of just putting procedures in place to make sure that,
you know, for example, more than one set of eyes get put on something before a check is written?
Yeah, absolutely. So from a technical perspective, it's all about sort of changing the way that we
think about email defenses. You know, it used to be, you know, in the old days, about 20 years ago,
when, you know, email defenses first started evolving, it was all about using these static indicators of compromise to identify malicious artifacts.
But now, because those don't really work based on this new age of cyber threats, it's more about using things like machine learning and AI and behavioral analytics to look at identities and relationships and language that's being used
and sent from the sender to the receiver, and making sure that those, you know, from especially
when we're talking about things like impersonation attacks, which are a majority of the attacks that
we see today, you know, those are the tactics and techniques that we can use to identify those
malicious emails when they come in.
The general public doesn't really know about those types of threats, even though they are easily
the number one cause of financial loss for businesses all over the world. And so we've
been seeing this transition from technical attacks like malware-based attacks, ransomware, I think it's all the news,
to things like more pure social engineering attacks like social engineering. I think that's
definitely going to continue becoming more and more of a problem over the next few years.
But one of the things that we have started seeing, which I think is an interesting trend within BEC
threat landscape, is we've started to see a transition away from
the internal classic executive impersonations towards more external third-party impersonations
in these BEC attacks. That's something that we've seen really since the beginning of this year.
Starting in January, more than half of all of the BEC attacks that we've seen have impersonated
external third parties, which is really notable considering the fact that since its inception,
BEC has essentially been known as CEO impersonation attacks, CEO spoofing attacks.
And to see these threat actors really start evolving into impersonating external entities
obviously shows that they're likely
making more money from those attacks. And it also sort of goes against the training that we tell
people to look out for when it comes to things like BEC, because most BEC security awareness
training focuses on, look out for that weird email from the CEO that's asking for gift cards.
But now you have these more sophisticated
attacks that are impersonating known vendors that are compromising email accounts and using
language that is totally normal, doesn't include those spelling and grammatical errors, makes them
much more realistic and much more impactful when they are successful.
That's Crane Hassold from Abnormal Security
discussing their recently released H2 Threat Report.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute
and also my co-host over on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
Interesting story came by.
This is from the Baltimore Banner, and it's written by Brenna Smith.
And it's about a woman who got almost $3,000 of her SNAP benefits, which is the modern version of food stamps.
So these are—
Supplemental nutrition and payment?
Sounds good.
Right.
But, yeah, I mean, basically it's for people who need a little help from the state.
I think generally these are federal funds that get distributed to the states,
and then these days they get sent to people on basically what amounts to a debit card.
Right. So what's going on here? It's called an EBT card, an electronic benefit transfer card.
Yeah. So the woman in this story is named Renee, and she's only using her first name. Yeah. And
she is a nursing assistant who has children and needs these
SNAP benefits. By the way, SNAP stands for Supplemental Nutrition Assistance Program.
Okay. It's like you said, essentially food stamps, but we don't have stamps anymore. Now we have
these EBT cards. Right. She got her benefits turned off for some reason and had to reapply
for them. And when she reapplied for them, they gave her back benefits,
which resulted in a substantial balance on her card.
Okay.
Now, something that's interesting in this story
is that she starts seeing news stories on her feed
about people having their benefits scammed away from them or something.
And there's a whole other can of worms there that I want. Why is she
starting to see these things? She's probably doing searches for it when she went through the process
of getting her money back. It could be. But she goes and she checks her balance and she finds out
that she's missing about $3,000 in benefits, 2,700 bucks. Wow. She calls the police and the police,
this is in Baltimore County, Maryland.
The police do not assign this to a police officer.
They assign it to a person who's in the academy.
Okay.
A recruit, essentially.
Yeah.
He is now a police officer.
His name is Timothy Valis, and he's been assigned to investigate the case, but he was assigned back when he was in the academy.
Yeah.
I think that's interesting. I don't know why that happens.
And I would have questions for Baltimore County Police
as to why that happens.
Is this a regular practice?
Did you send it to this person as a training?
I don't know.
I want to know the answer to this.
But Officer Valis now has not been very helpful
for this in this case.
And this woman took matters into her own hands and started finding out where the card was used, where the benefits were being spent.
Because the Department of Human Services in Maryland was saying, we're not seeing any fraud on this.
Okay.
Right?
So she says, well, where are my benefits being spent?
You have records of that. And she has actually gotten in her car and driven to the stores and asked to be shown the security footage.
Even one time going to a local police department and saying they won't show me the footage unless I bring a police officer in.
And that police officer out of his jurisdiction, the crime occurred out of his jurisdiction.
But he went, gave her a police escort and said, let's see the footage to the people at the CVS.
And they showed her the footage.
And in this footage, she sees people buying large amounts of Similac.
Now, this all harkens back to my interview with Mallory Sofastaii from Hacking Humans episode 209, where we talk about these benefit scams and we talk about the
Similac scams that are going on. Right. So these people are probably quickly monetizing the money
that they've stolen from this woman, the benefit money they've stolen from her, by exploiting other
people who are experiencing the Similac shortage or the formula shortage that was happening over
the summer.
Yeah.
These bad guys are making money coming and going.
So I want to focus on an element of this in the time that we have here,
which is that my understanding is that the cards that people get,
basically the equivalent of an ATM card, a debit card,
the versions that at least people in Maryland get who are eligible for these benefits
do not have chips in them. They don't have chips. They are 100% correct.
Magnetic strip cards. So it's the magnetic strip and a pin. And that is how this woman
got her funds stolen. Someone had put a skimmer. In a 7-Eleven.
Yeah. And that is something that Officer Valis found.
Right.
He said, we found a skimmer at the 7-Eleven.
Did you shop at the 7-Eleven?
She goes, I did, but I don't remember when
and I don't remember what I spent.
And he says, well, that's where we found the skimmer.
So these guys found the skimmer
or put a skimmer in 7-Eleven,
skimmed the benefits card information,
and then they moved down to,
or they may have been down in Prince George's County,
Maryland, which is a little bit further south, and that's where they bought the Similac.
Yeah. Now, what's interesting about this is I don't know what a chip costs to put on a credit
card, but every single credit card I get in the mail now has a chip, and every single debit card
I get has a chip. But for some reason, the state of Maryland is not putting these chips in the benefit cards and people are losing
money because skimming doesn't work on the chip cards anymore. So who are the bad guys going to
target? They're going to target the people who receive benefits on these cards with no chips on
them. And it's hurting the most vulnerable population, people that need to eat. And this is unconscionable, Dave.
As a taxpayer in Maryland, I'm upset about this.
I don't understand it either.
And I suppose the easy explanation would be that it probably costs a few cents less or maybe a few bucks less per card to not have the chips in it.
My thought is why are there even cards available that don't have chips in them? Yeah,
that's an excellent question. I just think it should be a regulatory thing that those have
been deprecated and you shouldn't be able to make new ones. Right. You shouldn't be using
old technology for benefit cards. Right. Why don't poor people get the benefits of the security
elements that the rest of us get as a regular part of doing our business with banks and so on
and so forth. If a bank provided me with a card that didn't have some sort of chip in it, I'd be
like, what is this? Yeah, I'm not doing business with you. Right. But folks who are in need,
they don't have that option. They don't have a choice. Right. And so in this case,
they're not being looked out for. I'm with you. I find this very troubling and...
I find it troubling for a number of reasons. One, you're hurting people, right? Their benefits are getting stolen from them. Two,
you're enriching criminals. That's all that the state is doing with these chipless cards.
Somewhere to the tune of a couple hundred thousand dollars so far. And that is only going to go up.
That's not going down.
And in Maryland, they don't reimburse folks who've had their funds stolen.
There are some states that evidently do that.
Right.
But our state does not.
Our state is saying that because the funds are federally provided, we can't use federal funds to reimburse stolen funds.
Yeah.
Other states are reimbursing stolen funds with state money.
Yeah.
I think California is doing that, but Maryland is not going to do that.
Seems to me like there are many, many areas here where we could do better,
not the least of which is providing people with the basic security that most people enjoy.
I'm left scratching my head why that's not happening.
It just doesn't seem right to me.
Yeah, I'm sure it would cost less than the couple hundred thousand dollars of benefits that have already been stolen.
Yeah.
And the coming storm of benefit theft is going to be huge.
Yeah.
This is only going to get bigger.
Yeah.
All right.
Well, Joe Carrigan, thanks for joining us.
My pleasure.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Trey Hester, Brandon Karpf, Eliana White,
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights,
receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo
is easy. Learn more at ai.domo.com. That's ai.domo.com.