CyberWire Daily - Espionage and counterespionage during the hybrid war. Assessing Russian cyberops. Conti's fate. Investigating cut Internet cables in France. Trends in “pig-butchering.”
Episode Date: July 22, 2022

Traditional espionage and counterespionage during the hybrid war. Assessing Russian cyberattacks. Conti's fate and effects. Investigating cut Internet cables in France. My conversation with AD Bryan Vorndran of the FBI Cyber Division on the reverse web shell operation and Hafnium. Our guest is Tom Kellermann of VMware to discuss the findings of their Modern Bank Heists report. And, finally, the dark online world of “pig-butchering.”

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/140

Selected reading.
UK Spy Chief Sees Russia’s Military Running ‘Out of Steam’ Soon (Bloomberg)
Exhausted Russian army gives Ukraine chance to strike back, says British spy chief (The Telegraph)
'Cut by half' Putin's masterplan backfires as 400 Russian spies thrown out of Europe (Express)
Half of Russian spies in Europe expelled since Ukraine invasion, says MI6 chief (the Guardian)
MI6 chief: Russia’s spies ‘not having a great war’ in Ukraine (The Record by Recorded Future)
CIA chief says 15,000 Russians killed in war, dismisses Putin health rumors (Washington Post)
CIA Chief Says Russia’s Iran Drone Deal Shows Military Weakness (Bloomberg)
Ukraine confronts Kremlin infiltration threat at unreformed state bodies (Atlantic Council)
US seeking to understand Russia’s failure to project cyber power in Ukraine (Defense News)
Battling Moscow's hackers prior to invasion gave Kyiv 'full dress rehearsal' for today's cyber warfare (CyberScoop)
How Conti ransomware hacked and encrypted the Costa Rican government (BleepingComputer)
Anatomy of Attack: Truth Behind the Costa Rica Government Ransomware 5-Day Intrusion (AdvIntel)
Conti Criminals Resurface as Splinter RaaS Groups (Security Boulevard)
The Unsolved Mystery Attack on Internet Cables in Paris (Wired)
Massive Losses Define Epidemic of ‘Pig Butchering’ (KrebsOnSecurity)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody. Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me. Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code n2k.
Traditional espionage and counterespionage during the hybrid war, assessing Russian cyber attacks, Conti's fate and effects, investigating cut internet cables in France, my conversation with A.D. Bryan Vorndran of the FBI's Cyber Division and Deputy Assistant Attorney General Adam Hickey on the reverse web shell operation and Hafnium. Our guest is Tom Kellermann of VMware to discuss the findings of their Modern Bank Heists report. And finally, the dark online world of pig butchering.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, July 22nd, 2022.
The U.S. continues to look for an explanation of why Russian cyberattacks in support of its war against Ukraine, while they've certainly been conducted, have so far fallen short of the devastating potential widely expected as the special military operation began. Deputy National Security Advisor for Cyber Anne Neuberger reviewed the bidding Wednesday at the Aspen Security Forum. Defense News quotes her as saying, "With regard to the Russian use of cyber and our takeaways, there are any number of theories for what we saw and what, frankly, we didn't see. Some argue for the deterrence the U.S. has put in place," and in this she was alluding to the discussions between President Biden and Putin after the Colonial Pipeline ransomware attack. She says, "Some argue that it was the result of the extensive cybersecurity preparations Ukraine did, supported by allies and partners. And some argue that we don't quite know."
Ukraine thinks defensive preparations made a contribution to blunting Russian cyberattacks. Ilya Vityuk, head of the Cybersecurity Department of the Ukrainian State Security Service, pointed to the weeks of preparatory Russian cyberattacks before the actual invasion. He said, as reported by CyberScoop, "For us it was like a full dress rehearsal." The Ukrainian services had an opportunity to assess the enemy's capabilities and to address their own vulnerabilities in advance of the onset of war, and he says they were able to make good use of the opportunity.
Traditional espionage run by intelligence officers working under diplomatic cover has grown somewhat more difficult for Russia during the present war. The Record quotes the head of Britain's MI6 as estimating that around half, roughly 400 in total, of the Russian intelligence officers operating in Europe have been expelled.
Clearing compromised personnel from Ukrainian security and intelligence services is a more complex and difficult task.
The Atlantic Council describes the challenges of expunging Russian sympathizers from the SBU Security Service and the Prosecutor General's Office.
The heads of both agencies have been suspended, but reforming large agencies in wartime is like rebuilding a ship during a voyage.
That said, Russian cyber espionage attempts continue unabated. Palo Alto Networks' Unit 42 early this week outlined evidence that Russia's SVR intelligence service had been actively abusing Google Drive to distribute malware in the service of cyber espionage. TechCrunch observed that this isn't the first time the SVR has been observed making hostile use of legitimate web services. Mandiant had earlier seen the SVR using Dropbox for command and control.
In the course of a discussion with Advanced Intelligence over the firm's study of Conti's attack against Costa Rican networks, BleepingComputer offers a useful summary of what's happened to the gang. It's effectively rebranded through dispersal, its alumni now working for the Quantum, Hive, AvosLocker, BlackCat, and HelloKitty gangs. Security Boulevard calls these splinter ransomware-as-a-service groups.
Back on April 27th, parties unknown severed backbone cables in three distinct locations around Paris. The actions were separated in space but closely coordinated in time. Wired reports that almost three months later, who cut the cables and why they did so remains unknown. Michel Combot, the managing director of the French Telecoms Federation, told Wired, "The people knew what they were doing. Those were what we call backbone cables that were mostly connecting network service from Paris to other locations in France in three directions. That impacted the connectivity in several parts of France." The cables were severed in ways that made them difficult to repair, but there are no obvious suspects and no obvious motive.
And finally, Krebs on Security offers a depressing follow-up to warnings the FBI issued back in April about a criminal trend that's come to be known indelicately as pig butchering. It's a romance scam that lures its victims to fraudulent cryptocurrency sites and then fleeces, or butchers, them. Losses are said to have ranged in the hundreds of millions of dollars. Krebs on Security explains, "The term pig butchering refers to a time-tested, heavily scripted, and human-intensive process of using fake profiles on dating apps and social media to lure people into investing in elaborate scams. In a more visceral sense, pig butchering means fattening up a prey before the slaughter."
The scammers offer to mentor their marks in crypto speculation, and in the course of that mentorship, siphon off large amounts of cash.
There's apparently an uglier-than-usual side to this form of organized crime.
Many of the operators are people who've been trafficked and forced into the internet scam, which seems to be mostly run from underused casinos in Cambodia.
Krebs on Security notes four common elements of a pig butchering caper. It often, but not always, begins with a dating app. According to Krebs, pig butchering attempts are common on dating apps, but they can begin with almost any type of communication, including SMS text messages. From there, it moves to chatting over WhatsApp. There's no video used. The fraudsters always refuse to do a video call with their marks. And investment chit-chat sets the hook. The scammers say they have inside knowledge of the cryptocurrency market, and they're eager to help their new friend make money. What follows can be easily imagined.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist: Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Cloud computing and virtualization technology company VMware recently released the fifth edition of their report titled Modern Bank Heists, looking at the cybercriminal ecosystem and how defenders can best prepare for future attacks. Tom Kellermann is head of cybersecurity strategy at VMware.
The genesis of this report was actually because of my work at the World Bank and the Treasury security team back in the early 2000s and the fact that we published the first ever book on the information security challenges facing the financial sector then. So it's always been my passion to understand what keeps the financial sector security leaders up at night, how they are changing their defensive strategies, and more importantly, how the adversaries are changing their modus operandi, both from a cyber attack perspective, but from an e-fraud perspective as well.
You know, I think if you say the phrase bank heist, I think a lot of us think of, you know, maybe an Ocean's Eleven kind of a scheme or, you know, an old Western Hollywood rendition of it. How do we define bank heists in this modern age?
Well, in this modern age, if you look at just the cyber attack itself, the bank heist has really become a hostage situation. The adversary is more likely trying to hijack the digital transformation of the financial institution and use its network, its website, its mobile banking app, its APIs that it's built out for fintech to attack its customers. More importantly, the adversary is truly cognizant of what the crown jewels are for a financial institution: the non-public market information or the market strategies that the institution may leverage in the international markets, which is why the majority of institutions in this year's report noted that they saw evidence that the adversaries were targeting non-public market information and market strategies to enable digital front-running and digital insider trading.
Well, let's go through some of the key findings of the report together.
What are some of the things that caught your eye?
Well, specifically, you know, the attack vectors writ large have shifted. The primary attack vector into financial institutions today is not spear phishing. I know that sounds like it's sacrilegious. Application attacks are the primary attack vector, followed by previously deployed RATs, remote access Trojans that exist within the environment because of Linux-based ransomware and RATs writ large. The majority of institutions suffered from one or two ransomware attacks, and the majority paid ransom. But what was most interesting to me from an attack perspective was that 94% of them suffered attacks against APIs they built out for fintech. And those APIs were used to hijack the environment itself.
How are the financial institutions doing in this kind of cat and mouse game here?
I mean, is there a sense that they're ahead of the bad guys?
Are they gaining ground? Where do we stand?
I mean, they've definitely decreased dwell time and time to resolution. But that being said, the adversary still exists within the environment for days. You have to accept that based on their revenues and based on what they spend on technology and cybersecurity, they're still spending less than 12% of their IT budgets on cybersecurity. But they intend on increasing that cybersecurity budget by, on average, 25% this coming year. So it really speaks to this having become a matter of great importance for the safety and soundness and sustainability of the brands.
One of the things the report points out is that a majority are concerned with security on cryptocurrency exchanges.
I'm curious, to what degree does cryptocurrency enable these sort of heists?
Okay, so there's two parts to that question. First of all, we have to accept the fact that financial institutions of today are trying to become technology companies. And in doing so, they're trying to reach out to the modern-generation retail customer base by providing access to virtual currencies and storage of virtual currencies as well. And in the majority of those cases, they partner with smaller fintech firms. And the first step in that process is building out an API. And this is why you're seeing this surge of API attacks into these institutions. This is compounded by the fact that the majority are paying ransom when they're ransomed, on average, you know, roughly two times a year. And that's highly problematic because they're feeding the beast. But what I would point out here is not all virtual currencies and exchanges are equal in terms of how they pay attention to security, their investment in security, or their desire to align with the principles of FATF, the Financial Action Task Force.
So based on the information that you all have gathered here, what are your recommendations?
Well, we need to really understand that the adversary is already within the environment. So given the fact that the adversary is in the environment at some point, there's no way to be 100% preventative, vis-à-vis you've got nation-state adversaries working with cybercrime cartels to offset economic sanctions. They will get in. But when they get in, can you defend from within? And I think defending from within is all about making sure that you can achieve intrusion suppression. So can you detect, deceive, divert, contain, and hunt an adversary unbeknownst to the adversary? Because you don't want an escalation to a destructive attack, which are increasing dramatically. So you have to integrate your network detection and response capabilities with your endpoint detection and response capabilities. You have to apply micro-segmentation. You should automate vulnerability management, particularly for outward-facing critical vulnerabilities as defined by CISA. I do believe in the use of deception and decoy technologies along attack paths that can't be hardened. You should activate application control in high enforcement, conduct weekly threat hunting that extends to the C-level, that extends to the administrative assistants of the C-level, even though that sounds taboo, and use that as justification for prioritization of cybersecurity investments, and really, really focus on DevSecOps and API security. And finally, ensuring that your backups are immutable and viable and periodic in nature will be quintessentially important given the fact that most financial institutions suffered a destructive cyber attack this past year.
That's Tom Kellermann from VMware. There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And joining me once again is Bryan Vorndran. He's assistant director from the FBI's Cyber Division. And we're also joined by Deputy Assistant Attorney General Adam Hickey.
Gentlemen, welcome to the Cyber Wire.
Thanks, Dave. Good to be here.
Brian, let me start off with you here. I know you and your colleagues have been doing some work lately regarding reverse web shells, Hafnium.
Can you bring us up to date? What's going on?
Sure, Dave, and thanks for the opportunity to join with you today. You know, back in 2020, there was a broad vulnerability identified in the Microsoft Exchange server. It really came to light at the end of 2020, but really received its first public disclosure in early January of 2021. And essentially, the Chinese state-sponsored group known as Hafnium had installed tens of thousands of web shells in computers and servers here in the United States that posed a huge vector for potential attack. Very interesting tradecraft by the adversary that exposed a lot of computers and servers and put us in the position, not only with Microsoft, but with our partners at CISA and NSA, to take some unique action. Looking forward to talking about that with you today.
Well, let's dig right in then.
What are some of the actions that you all took there?
First disclosure of the vulnerability was really identified by Microsoft on approximately January 2nd of 2021. Moving into early March of that year, March 3rd to be specific, Microsoft published another advisory, and they actually credited the location of the vulnerability to DEVCORE. But then on March 10th, the FBI and CISA published a joint cybersecurity advisory titled The Compromise of the Microsoft Exchange Server, which really highlighted the vulnerability and how to mitigate that vulnerability. So I think when we have these types of opportunities, we very much look at it to move from least intrusive to most intrusive in terms of investigative or operational techniques that we can deploy to essentially mitigate the attack surface that the adversary has access to. So in this case, Microsoft disclosed their vulnerability. Then the cybersecurity advisory that was joint between the FBI and CISA further allowed owners of those computers or affected servers to take mitigation steps. But then on the backside of that, the FBI conducted thousands of victim notifications to try and reduce that attack surface even further. So between the Microsoft disclosure in early January of that year, the cybersecurity advisory, and the thousands of victim notifications, the FBI essentially was able to work with CISA and others to reduce the attack surface through those web shells by about 90 to 95 percent. But that still left between 5 and 10 percent of the attack surface available to the adversary.
We're joined by Deputy Assistant Attorney General Adam Hickey.
Adam, what part does the DOJ have to play in an effort like this?
So around the time that Bryan's talking, there's going to be constant communication between the FBI's Cyber Division and the relevant component of the Justice Department, where the lawyers are going to provide legal advice. And that, in this case, was the National Security Division. And we're going to be monitoring the threat reporting along with them. We're going to be monitoring the advisories that go out and the impact that has on the public and where we stand at a certain moment in time. And the FBI is going to ask us, what more can we do? Is there more we can do? And we're going to ask them, do you have a capability? And we're going to look at the capability they develop, and we're going to look at the law and what the law requires. And if there's a match, we may be in a position to take action that fully remediates or more fully remediates the problem.
Can you walk us through this particular example?
Both of you, how does this one play out and where do we stand today?
Sure, Dave, I'll start with that. When we're left with between 5 and 10 percent of the attack surface, we really come to a question of do we have the authorities and the technical capability to mitigate the rest of the vulnerable computers or servers that are being used or could be used by the adversary, in this case, China? And the answer to that in this case was yes. We have the authority through Rule 41, and we have the capabilities through some really, really good technical skills we have in our field offices and here at headquarters. And so in this particular scenario, we leveraged our Rule 41 authority and a technical operation to essentially seek a court order, a standard warrant, to remove the remaining web shells. And in this case, what we did is we copied the web shell so that we were able to maintain it for evidentiary purposes. And then we essentially deleted the web shell. And by deleting the web shell, we essentially broke the communication or the vector of attack that was available between the actor, the Chinese government, and the computers they had installed the web shell on. So just really good work by the FBI and by DOJ finding the authority to do this work and then developing a very, very advanced technical tool to actually deliver the result. But I think it would be worth, Adam, talking briefly about Rule 41 and our authorities and how they apply to this type of operation.
Sure. And I think to do that, I think we have to also add a third element to this operation, which is a source that was able to help us out with identifying the file paths of the web shells on the victims' computers. And that is probably one of, this gets at one of the reasons why public notification wasn't sufficient in this case. Every one of the web shells had a unique file path. It's a dynamic address, if you will, such that we couldn't put out a standard one-size-fits-all advisory to the public that says, look here, look in this folder, look for this particular sequence of characters, that's how you'll find the web shell. Instead, we were fortunate that we had information from a source that advised us what those file paths were, and that allowed us to go to the court and say, look, we have probable cause to believe that this evidence and also instrumentality of a crime is located on these victim systems, and ask the court for a warrant as we would in another comparable case in the physical world, allowing us to seize effectively the web shell to search it, to copy it, and then to delete it.
And Brian, are you satisfied as you look back on this activity that things played out the way that you hoped that they would?
Yeah, we really are. I think it's a great opportunity for the department and for the FBI to really leverage the unique authorities we have in the cyber ecosystem within the intelligence community and the interagency and the overlap with private sector. And you couple that with just great work by some of our agents and computer scientists in the field and at headquarters to develop the technical capability to do this work. Knowing we were left with this attack surface and owing to the American public a responsibility to behave in their best interest, not only within the policies and procedures and laws that we operate within to protect the American public's rights, but also to eliminate an attack vector from a very, very sophisticated adversary. We're very, very happy with the results because we feel we completely eliminated that threat at that time.
All right. Well, Assistant Director Bryan Vorndran from the FBI's Cyber Division and Adam Hickey, Deputy Assistant Attorney General at the Department of Justice, thank you for joining us.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Rob Pantazopoulos from Secureworks. We're discussing their work, REvil Development Adds Confidence About GOLD SOUTHFIELD Reemergence. That's Research Saturday. Check it out.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.