CyberWire Daily - LockBit 3.0 and Punisher ransomware described. Leave that USB right in the parking lot where you found it. Killnet’s woofing. Lilac Wolverine’s big new BEC. And World Cup scams.

Episode Date: November 30, 2022

Has LockBit 3.0 been reverse engineered? A COVID lure contains a Punisher hook. A Chinese cyberespionage campaign uses compromised USB drives. Lilac Wolverine exploits personal connections for BEC. Killnet claims to have counted coup against the White House. Tim Starks from the Washington Post has the FCC’s Huawei restrictions and ponders what Congress might get done before the year end. Our guest is Tom Eston from Bishop Fox with a look Inside the Minds & Methods of Modern Adversaries. And, of course, scams, hacks, and other badness surrounding the World Cup. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/228

Selected reading.
LockBit 3.0 ‘Black’ attacks and leaks reveal wormable capabilities and tooling (Sophos News)
Punisher Ransomware Spreading Through Fake COVID Site (Cyble)
Always Another Secret: Lifting the Haze on China-nexus Espionage in Southeast Asia (Mandiant)
BEC Group Compromises Personal Accounts and Pulls Heartstrings to Launch Mass Gift Card Attacks (Abnormal Security)
Killnet Claims Attacks Against Starlink, Whitehouse.gov, and United Kingdom Websites (Trustwave)
Scammers on the pitch: Group-IB identifies online threats to fans at FIFA World Cup 2022 in Qatar (Group-IB)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Has LockBit 3 been reverse engineered? A COVID lure contains a Punisher hook. A Chinese cyber espionage campaign uses compromised USB drives. Lilac Wolverine exploits personal connections for BEC.
Starting point is 00:02:15 Killnet claims to have counted coup against the White House. Tim Starks from the Washington Post has the FCC's Huawei restrictions and ponders what Congress might get done before the end of the year. Our guest is Tom Eston from Bishop Fox with a look inside the minds and methods of modern adversaries and, of course, scams, hacks and other badness surrounding the World Cup. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, November 30th, 2022. Sophos this morning reported on its reverse engineering of LockBit 3.0, also known as LockBit Black. It appears that the ransomware's operators are experimenting with making their malware wormable, that is, giving it functionality that would enable it to spread by itself through and across networks. Their research also offers some support to other
Starting point is 00:03:31 security experts who've suspected a connection between LockBit and the BlackMatter ransomware family. They found a number of similarities which strongly suggest that LockBit 3.0 reuses code from BlackMatter, especially in its anti-debugging, obfuscation, API resolution, printer attack, and shadow copy deletion features. There are other similarities as well, and Sophos points out that much of LockBit 3.0's tooling mimics what a legitimate penetration tester might use. In news concerning a different ransomware strain, researchers at Cyble have an account of an ongoing campaign to distribute the Punisher strain of ransomware. As is so often the case, it depends upon social engineering to gain
Starting point is 00:04:19 access to its targets, which in the current outbreak are for the most part concentrated in Chile. The operators are using a phishing website that misrepresents itself as a COVID tracking application. Cyble explains that Punisher demands the equivalent of a thousand US dollars in Bitcoin for decrypting files. This ransomware strain uses a common ransom note, which is downloaded from the remote server, and then appends content to the ransom note to make it specific to each of its victims. Unlike many other ransomware operations, this one appears to target individuals as opposed to organizations. Victims might find it easier to recover their files from this attack than they would from other, more advanced forms of ransomware. Cyble points out that Punisher uses the AES-128 symmetric algorithm.
Starting point is 00:05:13 Mandiant reports that a cyber espionage campaign it associates with Chinese intelligence services is currently active against targets in Southeast Asia, particularly in the Philippines. The campaign uses compromised USB drives as a principal attack vector, thus counting on users delivering the malware across whatever protective air gaps may exist. The principal tools it's been seen using are MISTCLOAK, BLUEHAZE, DARKDEW, and NCAT. The campaign may have been in progress since September 2021, and Mandiant reads it as an example of Chinese determination to establish and maintain persistence in targets of interest.
Starting point is 00:05:55 Abnormal Security describes a business email compromise gang dubbed Lilac Wolverine that's launching widespread campaigns asking for gift cards. The threat actor begins by compromising a personal email account and copying its contact list. The attackers then set up an email account with the same address as the compromised account, but on a different provider, usually Gmail, Hotmail, or Outlook. They'll then use this account to send emails to the compromised account's contacts. If the recipient is reluctant to send the money, the attackers will explain that the fictional birthday friend also has cancer or just lost loved ones to COVID-19, or both.
Starting point is 00:06:39 The researchers note that gift card requests are the most popular form of payment in BEC attacks, despite offering a lower payout per attack. The cyber auxiliaries of the nominally hacktivist group Killnet have claimed to have mounted successful distributed denial-of-service attacks against Starlink, the White House, and a variety of British websites, Trustwave's SpiderLabs researchers report. The attacks don't appear to have risen to even the level of a noticeable nuisance. Their coup counting against the White House is instructive in what it suggests
Starting point is 00:07:15 about the group's Skids of the World Unite persona, stating, 30 minutes of collective test attack on the White House was very successful. Of course, we wanted to take longer but did not take into account the intensity of the request filtering system. Nobody else seems to have noticed. Not that much, anyway. Trustwave's assessment concludes, we should expect to see more of these low-skill attacks from Killnet targeting an ever-growing list of targets that it considers to be in opposition to Russian interests. However, it remains to be seen whether the group can graduate to attacks that cause damage, exfiltrate data, or do more than take down a website for a short period of time. And finally, perhaps you're one of the millions of football fans who've been
Starting point is 00:08:06 watching the play in the World Cup. Security firm Group-IB is watching too, and they'd like to warn you that the scammers and other cyber criminals out there haven't overlooked the opportunity the FIFA Championship offers them. The come-ons include bogus merchandise sites, offers of tickets, phony job offers allegedly connected with the games in Qatar, and even simple scams by association, exploiting logos and likenesses from the World Cup. Where there's meat, there are also flies, as they say. Group-IB's sensible advice is to bring an added measure of common sense and skepticism to your fandom.
Starting point is 00:08:45 When the barkers shout out, friends, step right up. Well, keep your hands in your pockets and keep on walking. Coming up after the break, Tim Starks from The Washington Post has the FCC's Huawei restrictions and ponders what Congress might get done before the year end. Our guest is Tom Eston from Bishop Fox with a look inside the minds and methods of modern adversaries. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
Starting point is 00:09:53 into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning
Starting point is 00:10:52 digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:11:31 The team at offensive security and pen testing company Bishop Fox recently partnered with the SANS Technology Institute on a report titled Inside the Minds and Methods of Modern Adversaries. Tom Eston is vice president of consulting at Bishop Fox, and he joins us with insights from the report. Social engineering and phishing were the top attack vectors that ethical hackers use to break into an organization. I mean, we see this in the news all the time with data breaches and attacker techniques. So it was really validation, I think, that this is the most popular way that attackers are using to break in, but also the way that ethical hackers also break in. So it's a little bit reassuring that as ethical hackers, we are using the same types of attack vectors that our evil counterparts are. What other things got your attention?
Starting point is 00:12:28 Other things include, it doesn't necessarily have to do with the ethical hacker's skill set or their background. We kind of found that pen testers and ethical hackers with varied skill sets are usually the most successful when conducting their attacks. So, for example, if you have a pen tester that's very focused on application security, they may not be the best hacker to break into, say, an external network. But typically, we found through the survey that those varied skills throughout somebody's career really helps them become better hackers ultimately. Yeah, that's an interesting insight. I mean, I suppose, really, when it comes down to it, a lot of this is creative problem solving, right?
Starting point is 00:13:13 That's right. Yeah, absolutely. So it is kind of what I see even with our own consultants at Bishop Fox. We really try to look for individuals that have a varied skill set, have a lot of experience in different areas, and not just necessarily that one particular discipline. But also, like you mentioned, Dave, about problem-solving skills, sometimes that really comes out from those non-technical experiences as well. So varied backgrounds is a key to being a real successful ethical hacker these days. The one thing I would call out is around detection and response capabilities.
Starting point is 00:13:56 We found through our survey that many ethical hackers discover that they are not discovered or they are not detected while they're conducting a penetration test. And that's still very alarming given this day and age where we would think that most organizations have the capabilities now, either tools, technology, and people and processes to detect an attack, but we're still finding that a lot of organizations don't have those capabilities and we remain undetected while we're doing an authorized penetration test. So it gives a little bit of concern when you're thinking about how many organizations are really ready, not just for a pen test, but are they really ready for an attack on their organization?
Starting point is 00:14:42 Based on the information that you all gathered here, then, what are your recommendations for organizations to best protect themselves? Well, for one, don't always rely on the hottest tools and blinky boxes that are going to solve all your problems. It kind of goes back to what we've always been saying in security is it's a combination of people, process, and technology. And to really think about how you're defending your network. One thing that I like to always recommend is when you're having a pen test done,
Starting point is 00:15:16 the best pen tests that I've seen are ones that are more purple team or tabletop type exercises where you're working with the penetration tester to test your controls, to test your detection, instead of just having the pen tester go in blind and let's see what we can find and maybe hope that we can get detected. But really, a pen test nowadays should really be combined with the blue team of an organization and really working to understand detection and, of course, incident response. That's Tom Eston from Bishop Fox. And it is my pleasure to welcome back to the show Tim Starks. He is the author of the Cybersecurity 202 at the Washington Post.
Starting point is 00:16:14 Tim, welcome back. Hey, thanks. Great to be back. A couple interesting stories that you have shared over on the 202 this week. First off, the FCC has hit Huawei with some restrictions here. What's going on with that one? Yeah, this is the latest step in a campaign that's, I don't think you can date back to 2012 at this point, where you've seen the executive branch take a series of steps aimed at Huawei in particular, but also some other Chinese companies, as what the FCC did here shows, that are basically trying to isolate Huawei, keep it out of the U.S., but also part of a campaign that involves trying to convince Europe to turn them away
Starting point is 00:16:57 as well. So this latest step, it's about Huawei and ZTE. Those are both the two big Chinese telecommunications companies. There's also Hightera, which makes digital radios. And then Hikvision and Dahua, if I'm saying that right, that make video surveillance systems. The FCC has said, we're going to ban U.S. sales and imports of Huawei, of these companies' products, because of national security concerns. Now, it's a little hard to parse in some ways
Starting point is 00:17:22 what the significance of this is because, again, it's not quite a revolutionary step. It's more incremental. If you listen to the members of the committee, the commission, that is, they say this is an unprecedented thing.
Starting point is 00:17:39 This is the first time, this is the words of Brendan Carr, the first time in FCC history that we have voted to prohibit the authorization of new equipment based on national security concerns because there's been this thing in the background about what you do with old equipment. I talked to Dakota Cary over at the Krebs Stamos Group who had said this also will allow them the ability
Starting point is 00:17:57 to revoke previously authorized equipment. So that's potentially important. But again, because there have been so many steps that have been going down this process of isolating them, it's also important to note what it can't do, which is it's not going to keep these products out of America entirely. It's not going to keep it out of the hands of consumers or small business, for instance. I see. Another thing that caught my eye that you wrote about this week was Congress's run towards the end of the year in this lame duck
Starting point is 00:18:25 session and some of the potential cyber legislation that may or may not happen. Can you give us a little rundown there? Yeah, you know, I've covered Congress long enough. You know, I've started covering Congress close to full time back in 2003. And I've been more focused on cybersecurity as a topic, but I was at CQ for, gosh, 11 years, Congressional Quarterly. It's usually safe to bet, I found, and I apologize if this sounds cynical, but it's also just experience.
Starting point is 00:18:53 It's usually safe to bet that Congress won't do something. If you're having to make a decision between, will Congress do something or will they not do something, I tend to err on the side of they probably won't. But there are a few things that they're going to get done here toward the end of this lame duck session that looks like pretty solid chances that they're going to happen. There's a State Department Bureau of Cyberspace and Digital Policy now. But if you follow the State Department's handling of this office, there was an office in the Obama administration.
Starting point is 00:19:19 Then Trump got rid of it. Then Trump created his own new idea for it. And then he changed that, too. And then Biden came in created his own new idea for it. And then he changed that too. And then Biden came in with his own idea. So what Congress has been trying to do is cut out that back and forth process of, you know, we're constantly dealing with this office is being in transition all the time and not sure what it is, essentially codify the office now so that it doesn't keep changing between administration and administration, which is, you know, somewhat significant.
Starting point is 00:19:43 There are other things that they might do, like there was a bit of push to make sure that the director of CISA has a five-year term, which means that they would go across at least more than one presidential term. You know, the idea is to keep that office nonpartisan, which is how it's been. There are some other things that are harder to predict, and there are some things that are just probably not going to happen. And if you look at the significance of the things that are not going to happen, those are some of the more big ideas. Things like creating a list of the most important critical infrastructure we have in our country,
Starting point is 00:20:21 that if they were damaged or hurt or attacked in some way by cyber attacks, infrastructure we have in our country, that if they were damaged or hurt or attacked in some way by cyber attacks, that it would cause this massive systemic harm to national security, the economy, public safety. Create a list of those things and also give incentives to those companies to take better care of those systems and at least explore the idea of giving them some kind of requirements that they must do these things. That has gotten, as you might expect, gotten them into some trouble with business groups, industry groups like the Chamber of Commerce and a variety of others who just think that this is a bad idea.
Starting point is 00:20:56 They also point out the fact that the administration has been working on at least the categorization of this infrastructure, but they also are probably not so crazy about the idea that they might be forced to do something. Is it safe to say that cybersecurity remains one of those rare things that sees bipartisan support and people seem to be in on from both sides? It's feeling less and less like that to me over time.
Starting point is 00:21:20 It's certainly an area that is more agreeable to both parties than, say, immigration or some of the other big topics, healthcare, you name it. I think that cyber is still less partisan than those things, but I think it's getting more partisan. I think you can see the roots of that that started a little after the last big presidential race in 2016. Obviously, 2020 happened, but I'm talking about where there was an actual cybersecurity ramification to that election, we started seeing a breakdown of things on a partisan lines
Starting point is 00:21:54 about what kind of protections we should be offering for election security. And then I think because the Biden administration has pushed a more regulatory approach than any prior administration, that has caused some heartburn with Republicans who tend to not like regulation in situations that are economic. And Democrats have tried to push some of those things on the Hill, that does require critical infrastructure owners to report when they've suffered a major incident. They must report that to CISA. It'll be a few years before that becomes implemented.
Starting point is 00:22:35 And they must report when they make ransomware payments. That's significant. That is a pretty big deal. But if you look at the way this started and how strict that was when Democrats were first proposing it and how it ended up, just in terms of what the enforcement mechanisms would be, I think they're significantly weaker than the enforcement mechanisms that everybody had in mind originally. It got watered down, I would say. It's fair to say. It's still significant. It just still points to the fact that while there was a bipartisan agreement on the final bill, it required Democrats conceding an awful lot.
Starting point is 00:23:07 Yeah. I think it's safe to say that your cynicism when it comes to Congress is evidence-based, right? I try not to be cynical. I'm always impressed when they do get stuff done, right? I'm always like, good job, Congress. I am the same. Yeah. Pat them on the head, right?
Starting point is 00:23:23 Yeah. It's a little infantilizing, I guess. But it's impressive when things get done, because it is difficult to get things done, right? I mean, it's very difficult. The founders set up our country to be that way to a certain degree, and then certain things we've done have made that worse. So, you know, however you feel about democracy,
Starting point is 00:23:40 I'm just predicting things. You're like, eh, predict that it probably won't happen, you'll be on safe ground. Predict that it will happen and you might be disappointed. That's right. When all else fails, lower your standards and you won't be disappointed. All right, Tim Starks is the author
Starting point is 00:23:53 of the Cybersecurity 202 at the Washington Post. Tim, thanks so much for joining us. Thank you. a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is a production of N2K Networks, proudly produced in Maryland out of the startupvin, Rachel Gelfand, Tim Nodar, Joe Kerrigan, Carol Terrio, Maria Vermatsis, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Catherine Murphy,
Starting point is 00:25:32 Janine Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
Starting point is 00:26:35 That's ai.domo.com.
