CyberWire Daily - DDoS trends. Asia sees a Lancefly infestation. Lessons from cyber actuaries. Infostealers in the C2C market. False flags.

Episode Date: May 16, 2023

DDoS "carpet bombing." Lancefly infests Asian targets. Cyber insurance trends. Infostealers in the C2C market. A Russian espionage service is masquerading as a criminal gang. KillNet's running a psyop radio station of questionable quality. Joe Carrigan describes baiting fraudsters with fake crypto. Our guest is Gemma Moore of Cyberis talking about how red teaming can upskill detection and response teams. And geopolitical DDoS.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/94

Selected reading.
2023 DDoS Threat Intelligence Report (Corero)
Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors (Symantec)
2023 Cyber Claims Report (Coalition)
The Growing Threat from Infostealers (Secureworks)
Cybercriminals who targeted Ukraine are actually Russian government hackers, researchers say (TechCrunch)
DDoS Attacks Targeting NATO Members Increasing (Netscout)
Following the long-running Russian aggression against Ukraine. (The CyberWire)

Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners. Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. DDoS carpet bombing, Lancefly infests Asian targets, cyber insurance trends, infostealers in the C2C market, a Russian espionage service is masquerading as a criminal gang, Killnet's running a psyop radio station of questionable quality,
Starting point is 00:02:18 Joe Carrigan describes baiting fraudsters with fake crypto, our guest is Gemma Moore of Cyberis, talking about how red teaming can upskill detection and response teams. And geopolitical DDoS. I'm Dave Bittner with your CyberWire Intel briefing for Tuesday, May 16th, 2023. Corero this morning released its 2023 DDoS threat intelligence report detailing the DDoS landscape and its evolution in the past year. The research showed a 300% increase from 2021 to 2022
Starting point is 00:03:18 in what are known as carpet bomb DDoS attacks, attacks which researchers define as distributing traffic across large IP address spaces, challenging standard victim-oriented detection and mitigation techniques. Botnet attacks that resemble the patterns of the Mirai botnet have spiked to over seven times the amount of traffic from 2021 to 2022. Domain name system services were also a much heavier target for DDoS attackers, seeing double the amount of attacks as occurred in 2020. Symantec reported yesterday that the advanced persistent threat Lancefly is using a custom backdoor to target government, aviation, education, and telecommunications sectors in South and Southeast Asia.
Starting point is 00:04:06 Lancefly's custom backdoor, Merdoor, seems to have been around since 2018 and facilitates keylogging, multiple C2 communication methods, and the ability to listen to a local port for commands. Merdoor is injected into the legitimate processes perfhost.exe or svchost.exe. Symantec assesses that Lancefly may have used phishing emails as an attack vector in a campaign in 2020. In its more recent activity, however, the initial infection vector was unclear. The researchers write, "We saw some indications of what the initial infection vector may have been in two victims, though this was not conclusive." Lancefly's reuse of tools associated with Chinese APTs suggests some connection with those groups,
Starting point is 00:04:57 but Symantec regards the evidence as inconclusive for precise attribution. Many of those tools have been widely shared. Cyber insurance provider Coalition released its 2023 Cyber Claims Report, which discusses trends and evolutions in cyber insurance claims. Data showed that those with even one unpatched critical vulnerability were 33% more likely to experience an incident, while those using software at its end of life had tripled the risk of an incident occurring. Phishing threats accounted for over three-quarters of the reported incidents, with claims related to phishing incidents increasing 29% since the
Starting point is 00:05:37 start of 2022. The overall amount of claims related to cyber, however, decreased between 2021 and 2022 by 17%. Secureworks released a threat report this morning discussing the growing threat from infostealers. Logs from infostealers that have taken user data continue to see an increase as time draws on. On the Russian Market underground forum, the total amount of logs for sale increased by 150%, from 2 million in a day in June of last year to 5 million in February of this year. The overall growth rate for the Russian Market forum was also rather notable, with a growth rate of 670% in logs for sale between June 2021 and May of 2023. Raccoon, Vidar, and RedLine remain the most
Starting point is 00:06:28 pervasive info-stealing threats. Legal action against the Genesis Market and RaidForums has slowed underground market activity. Telegram has also benefited from this change, as more logs are being traded over the messaging platform. There is also, according to researchers, an increased need for tools to aid in parsing logs once the data is received. Tools with this capability are expected to increase in popularity in the future. TechCrunch reports that the Cuba ransomware gang, most closely associated with the RomCom remote access Trojan, is not actually a criminal organization, but rather a false flag being flown by a Russian intelligence service. The attribution, which TechCrunch credits to BlackBerry,
Starting point is 00:07:14 is based principally on Cuba's target selection and the timing of its attacks. Cuba behaves like a well-resourced combat support operation, its activities closely coordinated with Russian operations across the spectrum of conflict. Killnet posted an approving link to an online psyop radio station centered around demoralizing Ukrainian and foreign troops fighting in Ukraine. On its website, Radio Life explains that its mission is to help Ukrainian military members to make the right choice, accept the only decision which will help save their own lives and the lives of their loved ones. In the five minutes we were able to listen to it, the radio station was blasting Quiet Riot's Come on, Feel the Noise, but the broadcast abruptly fell silent. The station also broadcasts in Ukraine via VHF radio channels
Starting point is 00:08:08 and created a Telegram channel on May 7th of last year that saw no posts until yesterday, when they dumped approximately 50 messages meant to demoralize Ukrainian service members and other Ukrainians engaged with the channel. The big question, of course, is why would the station confine itself to Quiet Riot? Were Mungo Jerry and Screamin' Jay Hawkins unavailable? And finally, to return to trends in distributed denial of service attacks, DDoS actions against selected targets in NATO member nations have risen since Russia's invasion of Ukraine. Presently, Netscout reports Finland, Hungary, and Turkey are receiving most of this malign attention.
Starting point is 00:08:52 Easy and deniable, and the kind of activity you can hide under a false flag. Coming up after the break, Joe Carrigan describes baiting fraudsters with fake crypto. Our guest is Gemma Moore of Cyberis, talking about how red teaming can upskill detection and response teams. Stick around. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like
Starting point is 00:09:47 Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:10:22 That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:11:23 Gemma Moore is co-founder and director of Cyberis, a pen testing, red teaming, and cloud risk management organization. I spoke with her about how pen testing and red teaming can be an opportunity to upskill your detection and response teams. So red teaming sort of lives in the same stable as penetration testing, but it's actually quite a different approach. So penetration testing, we tend to look at technology and we're looking at can we find all the vulnerabilities in this network or this system or this application, tick them all off, give you a remediation for each of them. Red teaming is very different because we're looking at pretending to be the adversary, pretending to be the attacker and using the same type of techniques. And what that means with red teaming is that we, the red team,
Starting point is 00:12:10 have an objective to meet, and it might be gain domain admin, it might be gain access to a customer database, something like that. And we can use all sorts of techniques, including sort of social engineering against people, misusing processes, and of course, vulnerabilities in technology to sort of join an attack chain together to achieve our objective. So we're touching on a lot more breadth of area than a penetration test does, but also with less detailed coverage, if that makes sense. And what's the opportunity here then for the members of your team to take advantage of this and
Starting point is 00:12:46 up their game? Well, this is something that not a lot of people appreciate when they think about red teaming. There's a lot of sort of zeitgeist about red teaming, I suppose, and it's the cool thing to do, and you know, you get the red team in to come and, you know, give your defenses a kick. But the big opportunity is actually getting, in a safe way, your defenders to work out how well their processes work, how well their controls are functioning. As an analogy, if you were thinking about wrestling, you know, it's one thing learning all the wrestling moves and the wrestling techniques on your own in your room. It's quite another when you come up against a partner who is wrestling against you and trying to take advantage of weaknesses in your technique. So, you know, if you are training your blue team, for example, your responders, sort of only in theory or only against sort of very restricted sets of behaviors that they expect of other people,
Starting point is 00:13:48 you'll find that they won't have the sort of adaptability or the flexibility to, you know, change their processes on the fly when an adversary is doing something they don't expect. And red teaming really lets you exercise that type of flexibility and work out actually, you know, if there was an incident, if there was a breach that you were trying to head off, would you be able to do that? I suppose in some ways, it's a little bit like trying to think like an attacker rather than think like a defender. And that's the opportunity that you have with blue teams. So a lot of blue teams, let's take a really simple example. Let's look at malware or an antivirus alert. So you'll have an antivirus alert and you'll almost certainly have a control which
Starting point is 00:14:35 quarantines a file or shuts down that file, that piece of malware that you found in your network. And you'll have a blue team or an incident responder sort of triaging that alert and saying, right, there was malware, it's been shut down, it's quarantined, you know, that particular issue is contained. The sort of join up that often blue teams don't have in their own minds is the threat is not the file, the threat is not the piece of malware. The threat is the person that sent the malware in, that tried to get it into the network, that tried to, you know, gain someone's credentials or get some malware running on a workstation, whatever it was. And just because your control has stopped that particular piece of malware does not mean that the threat has gone away. It does not mean they're not going
Starting point is 00:15:19 to try again. And it doesn't mean they're not going to try something different. So that's a sort of an aspect that often you can exercise in red team where you can't normally do that without the help of someone taking on the role of the adversary. Is there a certain amount of diplomacy that goes into this as well? I mean, I'm thinking that by its nature, this is an adversarial process, but in the end, everyone is on the same team. Yes, getting people on side is really important. We'll quite often find that we start off a red team engagement with a bit of reluctance, maybe from some people on the customer side or a bit of apprehension. And it's natural because, you know, they are worried about, you know, what's going to happen if, you know, it turns out,
Starting point is 00:16:04 you know, we can't see anything? Are we suddenly bad at our jobs? Or what's going to happen if we don't manage to contain the outbreak? Are they going to be blamed? Are we going to be in trouble? So there's definitely a minimum amount of diplomacy. But what I would say is that a lot of the time, if you are open to running the red team in the right way, you can get people on side. And most of the time, what we managed to end up with is an exercise where everyone, including the blue team, have actually found it quite fun. Ultimately, there'll always be cases where, you know, there will be someone who doesn't want you to be doing an adversary simulation because they don't want you to be checking their work or looking at what they're doing or what have you. But it's quite rare, actually, that that happens. A lot of the time, focusing on, you know, reducing blame
Starting point is 00:16:55 because blame culture doesn't help anyone in these situations, emphasizing the positive outcomes of this. So, you know, if you're a stretched response team, and a lot of response teams are stretched, you know, they have limited resources, they have limited tooling, and they have limited time. A lot of them are in a fairly high pressured situation a lot of the time. One of the big positives of this type of engagement with the blue team, you know, towards the end or during a red team, however it happens to be going, one of the big positives is you can make a really good case for a business case, for extra budget, for extra resources, for extra training.
Starting point is 00:17:30 And ultimately, that benefits everyone. That's Gemma Moore from Cyberis. And joining me once again is Joe Carrigan. He is from Harbor Labs and the Johns Hopkins University Information Security Institute. Hello, Joe. Hi, Dave. An interesting article came from Cointelegraph, which is, I guess, kind of a place where you get information about cryptocurrency and stuff like that. And I will admit that I tend to shy away from these sorts of things, tend to shy away from crypto stuff in general, for better or for worse. Right.
Starting point is 00:18:17 But this story caught my eye here. This is about Kraken building a fake crypto account to try to bait some fraudsters. Right. This is the kind of thing you and I talk about over on Hacking Humans all the time. What's going on here, Joe? There is a YouTube and Twitch streamer who goes by the name of Kitboga, K-I-T-B-O-G-A. Okay. And the article also refers to him as Kitbot, which I'm just going to call him Kit.
Starting point is 00:18:44 I don't, Kitboga is kind of hard for me to say. Okay. So I'm going to call him Kit. But he is remarkably good at scamming scammers, at scam baiting. I see. Is the practice. So what he does is he calls into these people that are conducting a scam. It's like the IRS scam or whatever.
Starting point is 00:19:02 Yeah. And he's done things like redeemed gift cards in front of them. While they're telling him to just give them the numbers, he redeems it before they can, and they see all the money fly away and they get really frustrated. It really hurts these bad guys' feelings.
Starting point is 00:19:17 He kind of turns the tables on them. He does. He doesn't do anything remarkably sophisticated. He's not hacking into their systems. He's not, he's just trolling them. Yeah. Which is great. Wasting their time. Wasting their time because every second they spend on the phone with this guy is a second they're not scamming, you know, your mom or your dad. Right. Right. They're not doing that. Yeah. So it's good work that he's doing. Well, Kraken reached out to him. Kraken is a cryptocurrency
Starting point is 00:19:46 exchange. And they gave him access to some environment that for all the world looks like it's a Kraken, a real Kraken environment. And they made it look like he had half a million dollars in Bitcoin in his account. And he calls up one of these scammers, and the scammer is trying to get him to put the money into his Bitcoin wallet, which, by the way, was also a Kraken wallet. Which, if you're a scammer, why do you have a wallet on Kraken? I don't understand that at all. But it was. It's not a wallet. Again, I say this wrong frequently. You don't get a wallet on Kraken,
Starting point is 00:20:27 you get an address. The wallet is Kraken's wallet, and the address is associated with your account. So Kraken controls the keys, and as a cryptocurrency exchange, they're the ones that actually own the crypto. Think of it like a bank. You put your money in the bank, they're holding your money. But when it comes time to transfer the money away, this interface that Kraken has built for him allows him to just try to transfer money in. And what he does is he puts a typo in there and makes it look like he has just burned a half a million dollars worth of Bitcoin. And burning is when you send it to an address where nobody has the private keys. Oh. It's just, you can do that with any cryptocurrency that uses public and private keys, which is all of them. So you can burn coins by sending them to essentially a random address. And when they're gone, they're gone. Then they're gone. You can't get them back unless you can find
Starting point is 00:21:20 the private keys that can generate that address, which is remarkably difficult to do. Okay. When I say remarkably difficult, understand impossible. Right. But you can't do it. Yeah. So this guy gets infuriated with him. The bad guy. The bad guy. Because he sees half a million dollars go into the, I was going to say ether, but that'd be a bad pun. Right. It would be a bad. He sees half a million dollars go to some unknown crypto wallet. Right. And he's asking him, why didn't
Starting point is 00:21:50 you just copy and paste the Bitcoin address? Because that's what you should have done. And he's like, well, I didn't enter it. I entered it right. The bad guy's already counting the money. Right. He sees, he gets in there and he, what happens, the first thing these bad guys do when they're doing these kinds of scams with anything, with a crypto exchange, with a bank account or anything, is they have you install something like TeamViewer, which is a remote access system for doing remote tech support.
Starting point is 00:22:19 Or, you know, maybe if you're, if you have a license and your parents need tech support, you can have them use it. So he gets to see what's going on on Kit's screen. And he sees that Kit is logged into Kraken, and he sees that Kit has half a million dollars in there. And he just starts drooling. Oh, this is going to be a great day. It's going to be a good day.
Starting point is 00:22:42 I am going to be able to take my kids on vacation. Yep. I'm going to move out of my mom's basement. Right. This is going to be great. I'm ordering the large ice cream cone today. Yes. Yes.
Starting point is 00:22:51 And Kit essentially burns this non-existent half a million dollars in crypto and sends the guy into a seething rage. Worth the time to watch. It's a one-minute video that he has on. It's in the article that Kit has posted on his Twitter account. Definitely worth it. I've watched a number of his videos and watched this guy just lead people on for hours. It's great.
Starting point is 00:23:13 I skip around the videos just to see what's going on. What do you make of Kraken doing this, putting the effort into— I mean, on the one hand, do we label this a publicity stunt? I mean, certainly there's some of that here. I would say there's good PR to be had, yeah. I don't know I'd call this a stunt. Yeah. But yeah, there's good PR to be had.
Starting point is 00:23:33 But additionally, this attacker did have a wallet on Kraken, and that allowed them to, an address on Kraken. I got to stop saying wallet. An address on Kraken. So he had an account on Kraken. They know what his account is now, and they can shut him down. I see.
Starting point is 00:23:49 So he can't use their infrastructure anymore. So there is a legitimate good business purpose for this. Yeah. But the PR is, yeah, I'm sure the PR opportunity is not lost. No, no. All right. Well, interesting stuff. This one's kind of fun, I guess, right?
Starting point is 00:24:06 Yeah. The guy is impersonating President Joe Biden. Ah, okay. Sure. As you do. That's awesome. I mean, it's a terrible President Joe Biden impression, by the way. Yeah.
Starting point is 00:24:17 Okay. All right. Well, Joe Kerrigan, thanks for joining us. It's my pleasure. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Starting point is 00:25:01 Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most
Starting point is 00:25:49 influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Starting point is 00:26:28 Thanks for listening. We'll see you back here tomorrow. Thank you. platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
