CyberWire Daily - FTC warns of smishing targeting the unemployed. Initial access: buying it one way or another. Is the criminal gig economy vulnerable? Ransomware continues to hit healthcare.

Episode Date: August 6, 2021

Smishing campaigns are seeking to exploit the unemployed. Initial access brokers seem not to have missed a beat, although some gangs are seeking to bypass them by trolling for rogue insiders. Are criminal enterprises vulnerable on the gig economy front? Criminal affiliates are disgruntled--good. Clearly, healthcare isn’t off the target list. Thomas Etheridge from CrowdStrike on eCrime Extortion. Chris Jacobs from ThreatQuotient joins us with a look back at BlackHat. Anup Ghosh from Fidelis Cybersecurity, with insights on active defense. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/151

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 Smishing campaigns are seeking to exploit the unemployed. Initial access brokers seem to not have missed a beat, although some gangs are seeking to bypass them by trolling for rogue insiders. Are criminal enterprises vulnerable on the gig economy front?
Starting point is 00:02:17 Criminal affiliates are disgruntled, and that's good. Clearly, health care isn't off the target list. Thomas Etheridge from CrowdStrike on e-crime extortion. Chris Jacobs from Threat Quotient joins us with a look back at Black Hat. Anup Ghosh from Fidelis Cybersecurity has insights on active defense. And hey, Director Easterly, can we send you a t-shirt? From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, August 6th, 2021. The U.S. Federal Trade Commission warns those receiving unemployment insurance benefits that a smishing campaign designed to scare them into compromising their devices and their data is in progress. The FTC sensibly observes, quote, state agencies do not send text messages asking for personal information, end quote.
Starting point is 00:03:30 It's a petty, cruel scam conducted with typical criminal opportunism. People receiving or trying to arrange unemployment insurance already have troubles enough. They're likely to be negotiating an unfamiliar bureaucracy, and for all they know, maybe they do need to click some link and submit the information the text is asking for. If you're getting unemployment benefits, well, first, good luck with your job search and take care of yourself. But second, don't pay any attention to text messages telling you the state needs your social security number, your date of birth, or your first pet's name. Spooked by recent U.S. woofing about retaliation against ransomware gangs,
Starting point is 00:04:13 various criminal fora took steps to exclude ransomware content from their sites. This sudden discretion, Computer Weekly writes, seems not to be keeping initial access brokers from hawking their services as usual. They cite a report by security firm Digital Shadows, whose researchers write that C2C ad listings for IABs, as the initial access brokers are known, haven't diminished at all. In fact, they're up a bit. An alternative to buying from initial access brokers is to corrupt insiders to give you access to networks. The LockBit gang, Bleeping Computer says, is doing just that. The gang has posted an ad that reads, in part, Would you like to earn millions of dollars? Our company
Starting point is 00:05:00 acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company. For example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. Companies pay us the foreclosure for the decryption of files and prevention of data leak. End quote. They even guarantee your privacy. As this year's Black Hat conference winds down, we've got one more check-in from the show floor
Starting point is 00:05:39 to share. Chris Jacobs is Global Vice President, Threat Intelligence Engineers at Threat Quotient, and he joins us with a look back at Black Hat. I would have to say that the show this year has been better than I expected. I was a little concerned that it was going to be 100% vendors and no actual participants. But as it turns out, it was, I think, the same ratio that it normally is, just a bit smaller. And smaller was okay this year. It was nice to have a more intimate show, to really get to spend some time with people.
Starting point is 00:06:19 Things weren't too crowded. It was easy to have conversations. And, you know, really the community, I think, needed this to be able to catch up. You know, I heard from a number of vendors on the show floor who said that while it wasn't particularly crowded, that it gave them the opportunity to have more in-depth discussions than they might otherwise have been able to have. Yes, 100% right. I mean, I couldn't agree with that sentiment more. I mean, you get to spend a little more time with everyone. You get to have a little more
Starting point is 00:06:52 in-depth conversation. And you mentioned the show floor specifically. The show floor, when we say things were a little smaller, fits well into that category. And so you have to wonder if that big-booth vendor approach is really going to stay, that standing in a booth may not be as effective as being able to, again, meet up at the local coffee shop or grab lunch with some of their prospects and customers. Overall, how did you feel the tone was of the show this year? Were people in good spirits? Despite the sort of shadow that COVID has cast on so many things, were people's spirits up? Yeah, I think so. I think people were happy
Starting point is 00:07:54 to get back together. It's been a long time since we've been able to get together as a community. I think that there was a lot of willingness to... you know, I didn't see any issues with people wearing masks and trying to stay safe. And everyone is just so excited to get the InfoSec world back together that the slight inconvenience of needing to wear a mask when in public, I think, was fine.
Starting point is 00:08:25 And yeah, the tone was great. People are happy to get back to something that looks like normal. That's Chris Jacobs from Threat Quotient. The criminal economy depends on a lot of gig workers for lower-level tasks, including some coding and administration, a study by the Czech Technical University finds. ZDNet has a discussion of a Black Hat presentation that takes this finding and suggests that one way of disrupting this part of the criminal economy might be to offer better legitimate gigs. After all, these gang associates are neither highly motivated nor highly compensated.
Starting point is 00:09:09 With the right opportunity, they might well drift out of crime as they drifted in. And what about criminal affiliates? A lot of cybercrime is organized as an affiliate network, sort of an evil Amway. Not all is well in these precincts of the C2C markets, however. The Record reports that a Conti affiliate, disgruntled over their relatively slim share of criminal profits, has leaked the gang's technical manuals. Take that. And maybe offer the affiliates a chance to sell laundry soap. We've heard a lot about the pious Robin Hood-esque promises from some ransomware groups to target only rich corporations, not individuals, and to leave critically important targets alone.
Starting point is 00:10:02 Sometimes there's an approach to honesty in such avowals, as there was in BlackMatter's explanation that their target selection was based on a cost-benefit calculation. If various governments get steamed enough, BlackMatter will draw more scunion on themselves than they can handle, and they want to avoid that. There is, after all, all that aforementioned American woofing. But only the naive would take the ransomware gangs' pledges of respect for public safety, reliable health care delivery, and so on for anything better than this kind of mendacious, self-serving marketing. And indeed, there's evidence that health care very much remains on the criminal menu. Why wouldn't it? They're criminals. Italy continues to investigate an
Starting point is 00:10:38 incident at the Lazio Regional COVID Vaccine Scheduling Service. According to Becker's Hospital Review, Indianapolis-based Eskenazi Health has suffered a ransomware attack that's forced it to take many services offline and divert ambulances from its facilities. And the Argus Leader reports Sanford Health, serving the Dakotas, has also sustained a ransomware incident. Which strains of ransomware were involved in these incidents isn't publicly known. And finally, DHS and its CISA unit are at Black Hat, represented by both Homeland Security Secretary Mayorkas and CISA Director Easterly. They're inviting hackers, the good kind of hackers, to consider a security job with the
Starting point is 00:11:26 government. And they're also talking up their recent public-private partnership efforts. There's clearly a tradition emerging at CISA, young agency as it is. The directors are going to be known for their fashion. The first director, Christopher Krebs, was famous for his gaudy but natty socks. His successor, Jen Easterly, turned up at Black Hat in dragon-patterned jeans, and we hear a black Free Britney t-shirt. The Washington Post liked her message, but the Post loved her style. We expect more of the same in years to come. Top hats? Doc Martens, whatever it is, enjoy.
Starting point is 00:13:51 I recently spoke with Anup Ghosh, CEO at Fidelis Cybersecurity, about the notion of hacking back and why it's a controversial topic. Anup Ghosh returns today with part two of that conversation with insights on active defense. Today, we are going to be talking about the notion of leveraging active defense. Can we start off with some high-level stuff here? I mean, can you sort of define for us what do you consider to be active defense? Yeah, this is important because active defense for a long time has meant one thing in the Department of Defense,
Starting point is 00:14:49 and recently it's being co-opted in the commercial sector to mean something slightly different. So for those who have worked in the Department of Defense and cyber, they define it as employment of limited offensive action and counterattacks to deny a contested area or position to the enemy. And notice that's not really specific to cyber, but it's clear this is talking about offense. And of course, private individuals and companies don't have the legal authority to take offensive action. So that definition doesn't really work in the private sector. More recently, MITRE has put out a definition around active defense that's being more widely adopted by the larger community. And what they describe is a range
Starting point is 00:15:42 of cyber defense capabilities from basic defense to cyber deception and adversary engagement operations. That's one of the keys here, right, is it allows an organization to not only counter current attacks, but to learn more about the adversary and better prepare for new attacks in the future. That's the end of the quote. The key here is that you can actually employ techniques from standard detection sensors that you might put in the network through deception so that when an adversary starts to attack you, you're beginning to collect on the adversary, point one. And point two, you can introduce cost and complexity to the adversary. As they go about discovering your network, you're creating a false view of the network that can then entrap them. And that's how MITRE is defining active defense
Starting point is 00:16:41 as employing adversary engagement early in the life cycle and deception to confuse the adversary. So just to be really crystal clear here, I mean, there's a lot of discussion and a lot of back and forth about the notion of hacking back, and that's not what we're talking about here. That's correct. And as we discussed, you discussed, the private sector doesn't have the legal authorities to hack back, not to mention that there's a lot of things that are likely to go wrong if you try and hack back. But that doesn't mean you're powerless. And that's where active defense comes in, is to say, look, there are things you can do. It is a mentality. Adversary engagement is a mentality. Sort of the opposite of this is if you're just triaging alerts, you're not really doing adversary engagement. Adversary engagement is sort of an organizing
Starting point is 00:17:38 principle, right? And so the whole idea is to say, now that I can see there are symptoms of an attack going on, how do I piece these together to understand what the adversary is doing, what their next move likely is? actually seeding the network with fake users, with fake devices, fake file systems, and even documents that can be active that reveals more about the adversary. So the notion here is, as you say, I mean, a good bit of misdirection that if someone does make their way into my network, they may think they've made their way into my network, but actually, we're going to keep them busy somewhere else. Yeah. I mean, oftentimes they do legitimately get onto your network. I don't mean legitimately, but they will find their way onto the network. And that's when a defense really can leap into action, which is to create a view of your network that is actually false. So populating dark IP space with devices, they're virtualized,
Starting point is 00:18:54 but from an adversary point of view, they look the same. Even manipulating the active directory, that's oftentimes a target with fake credentials, right? So that an adversary who downloads an Active Directory and then it proceeds to compromise these credentials and use them is a clear indicator that there's an adversary on the network. We will see pings, IP space that should be dark, that's not dark. We can put in place servers and file shares that are not legitimate.
Starting point is 00:19:39 And in the case of ransomware, where they are, in fact, scanning for file shares and begin to encrypt, we can actually create these recursive file directory systems that keep them busy effectively, infinitely, while you can respond and isolate that device on the network. And the point of all this is to say, you should take an active defense mindset, understanding the adversary is going to get in your network. And now it's really about laying these traps, laying these breadcrumbs, which we do by populating directories on actual assets with breadcrumbs to fake assets to entrap them and move them away from your actual valuable assets you don't want them accessing. What is the value proposition here? I mean, I can imagine someone looking at something like this and saying, well, this adds complexity. Here's a whole another virtual network that I need to manage. What's the value side of it? Yeah, I love that because almost everything we do in defense adds cost and complexity to the
Starting point is 00:20:41 defender, right? And that's sort of your point, which is, hey, I now have another network to manage, you know, more cost. I think deception technologies in its proper role in active defense actually creates and adds complexity to the adversary. It's actually not a network you need to manage because it's completely, you know, it's not an operational network that you need to manage users. It's managed by a deception solution.
Starting point is 00:21:12 But from an adversarial point of view, it looks the same, right? So if I find myself onto a network as an adversary, one of the first things I need to do is discover what's on this network. And that's the advantage that the defender has over the adversary is you know your network and you can now seed your network with fake assets that the adversary doesn't know. You know, the proverbial canary in the coal mine. And so when an adversary starts to discover your network and starts to engage with these fake assets, you're tipped off, right? And you can go as far as to lure them into a fake virtual network. And what you've actually done by lacing networks with these deceptions,
Starting point is 00:22:02 you've changed the cost model for the adversary, right? By exposing themselves, you've made it harder for them to sneak around. And now they have to start thinking more carefully, am I on a network where I might get caught, right? And I think changing that equation, that cost equation, adding complexity to the adversary is a game-changing approach. And that's where active defense comes in. That's Anup Ghosh from Fidelis Cybersecurity.
Starting point is 00:23:13 And I'm pleased to be joined once again by Thomas Etheridge. He's Senior Vice President of Services at CrowdStrike. Thomas, it's always great to have you back. You know, we've been seeing this ongoing shift, particularly in the world of ransomware, towards not just locking up folks' files, but also having an extortion component to that. Can you share with us, what are you and your team tracking on the extortion front? Absolutely. Thanks, Dave, and appreciate being back talking to you. leverage of where once they gain access to an organization's infrastructure, rather than focus
Starting point is 00:24:26 on encryption of key assets right away, they'll make additional attempts at trying to exfil critical data from some of the systems and stores within their environment to be able to leverage that for an extortion attempt. So they'll make their first attempt after they encrypt resources to try to gain a payment. And if that fails, they then go back to the organization and threaten to release that data publicly or to a competitor in order to force the organization to be able to pay a ransom. And that's something we've been reporting on pretty consistently for the last year and a half. Isn't this by its nature a little, I don't know, noisier within someone's network, this
Starting point is 00:25:14 attempt to exfiltrate data, not just lock it up? Well, Dave, I think in most cases that we've seen and that we've been reporting in, the threat actor group has had pretty wide and deep access using living off the land techniques and other stealthy methods to be able to stay in the environment for enough time to understand where those critical assets and where that critical information exists. Many cases potentially compromising email platforms to listen in on conversations and email traffic back and forth about where some of that information resides within the organization. So being able to get that deep within an organization very quickly and being able to understand how they're going to leverage that data from an extortion and from a ransom perspective is something we've seen pretty prevalent in the last year plus. You know, the advice for a long time for protecting yourself against ransomware certainly was having backups. What do you recommend with extortion? How do folks best
Starting point is 00:26:27 protect themselves? One of the things that we strongly encourage is the leverage of, you know, kind of that next generation endpoint security technology, continuous monitoring, making sure that organizations are able to not only detect, but be able to remediate malware drops that happen on their endpoint infrastructure before the threat actor is able to take advantage of those tools that they've deployed to be able to traverse the network undetected and or impact critical servers in the environment. So backups are really important. Having those backups stored in an off-site or off-network secure location is definitely a recommendation that we provide to our customers. but having some of those advanced tools,
Starting point is 00:27:24 monitoring for these threats in real time and being able to remediate a threat when you first see an instance of attacker's tools or malware being deployed on the environment before the attacker is able to compromise or take advantage of that malware, something we would highly recommend. While you and your team are tracking this, what do the curves
Starting point is 00:27:45 look like? I mean, is this a problem that's growing in prevalence? Where are we with that? Well, I think data extortion is not new to 2020 or 2021. It's a little bit of a departure from the traditional big game hunting operations that we've reported on previously, and that it's being accelerated by some of these e-crime threat actor groups to try to increase the likelihood of a payment. And how big of a business it is and how prevalent it is can probably be indicated by the number of dedicated leak sites that are associated with specific ransomware families that have been stood up to provide a mechanism to make data that's been stolen from an organization available for sale. In the last reporting we had on this in our global threat report, we saw that in at least
Starting point is 00:28:41 23 ransomware operators in 2020 had adopted this data extortion approach, the most prevalent of which we saw impacting industrial and engineering sector, as well as the manufacturing sector, where about 228 incidents that we covered were reported against that particular vertical. Manufacturing in particular is especially vulnerable because not just encrypting the servers, but pulling data really disrupts day-to-day operations and could affect not only that core business, but downstream businesses as well. So we're really seeing this tactic pick up in the market. All right. Well, Thomas Etheridge, thanks for joining us. Thank you, Dave.
Starting point is 00:29:41 And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe,
Starting point is 00:30:13 where they're co-building the next generation of cybersecurity teams and technologies. Be sure to check out this weekend's Research Saturday and my conversation with Asheer Malhotra from Cisco Talos. We're discussing InSideCopy and how that APT continues to evolve its arsenal. That's Research Saturday. Check it out. Our amazing CyberWire team is Tré Hester, Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Thanks for listening. We'll see you back here next week.
