CyberWire Daily - Notes from the cyber phases of the hybrid war against Ukraine. Conti retires its brand, and LockBit 2.0 is now tops in ransomware. Extortion skips the encryption. Cyber exercise in the financial sector.
Episode Date: June 27, 2022

Lithuania sustains a major DDoS attack. Lessons from NotPetya. Conti's brand appears to have gone into hiding. Online extortion now tends to skip the ransomware proper. Josh Ray from Accenture on how social engineering is evolving for underground threat actors. Rick Howard looks at Chaos Engineering. US financial institutions conduct a coordinated cybersecurity exercise.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/122

Selected reading.
Russia's Killnet hacker group says it attacked Lithuania (Reuters)
The hacker group KillNet has published an ultimatum to the Lithuanian authorities (TDPel Media)
5 years after NotPetya: Lessons learned (CSO Online)
The cyber security impact of Operation Russia by Anonymous (ComputerWeekly)
Conti ransomware finally shuts down data leak, negotiation sites (BleepingComputer)
The Conti Enterprise: ransomware gang that published data belonging to 850 companies (Group-IB)
Fake copyright infringement emails install LockBit ransomware (BleepingComputer)
NCC Group Monthly Threat Pulse – May 2022 (NCC Group)
We're now truly in the era of ransomware as pure extortion without the encryption (Register)
Wall Street Banks Quietly Test Cyber Defenses at Treasury's Direction (Bloomberg)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout.
That's joindeleteme.com/n2k, code n2k.
Lithuania sustains a major DDoS attack.
Lessons from NotPetya.
Conti's brand appears to have gone into hiding, online extortion now tends to skip the ransomware proper, Josh Ray from Accenture on how social engineering is evolving for underground threat actors,
Rick Howard looks at chaos engineering, and U.S. financial institutions conduct a coordinated cybersecurity exercise.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, June 27, 2022.
Lithuania this morning announced that it has sustained a distributed denial-of-service attack. Reuters quotes Lithuania's National Cyber Security Center to the effect that further attacks of this kind are expected. They say, "It is very likely that attacks of similar or greater intensity will continue in the coming days, especially in the transportation, energy, and financial sectors." The nominally hacktivist Russian group Killnet, responsible for earlier DDoS attacks against Italian targets, claimed responsibility for the incident. A group associated with Killnet, the Cyber Spetsnaz, last week threatened Lithuania with cyber attack should it persist in its policy of restricting rail delivery of embargoed goods to Russia's non-contiguous province Kaliningrad.

It's now been five years since the GRU hit Ukraine with NotPetya pseudo-ransomware in a campaign that was marked by a degree of indifference to the damage done to other countries in the course of the attacks. It moves one to the conclusion that the international consequences of the malware weren't so much collateral damage as side benefit. CSO reviews some of the major lessons from NotPetya. The campaign showed that ransomware, and wiper malware representing itself as ransomware, could serve as an effective weapon, and the GRU was willing to use it as such. Adam Flatley, director of threat intelligence at Redacted, commented, "It's interesting that the Russians are being a little more careful this time with their cyber attacks, but that's only constrained by their desire to be careful. The technology is still there for them to easily change the setting and let it loose if they wanted to."

Computer Weekly looks at the results Anonymous has obtained so far in its OpRussia hacktivist campaign, and it finds that they've generally been more consequential than had been generally expected, although of course falling short of the devastation Anonymous customarily threatens. Your Anon News tweeted, "The Anonymous collective is officially in cyber war against the Russian government." That was hours after the Russian invasion of Ukraine. The scope and sweep of the attacks, mostly defacements, doxing, and DDoS, have been surprising, and potential targets of hacktivism elsewhere are considering how they might harden themselves against similar operations.
Conti seems to have retired as a brand. Bleeping Computer reports that the gang shut down its data leak and negotiation sites last Wednesday, and they seem to have remained down, at least for the rest of the week. Observers read this as the retirement of the brand, not the retirement, still less the reform, of the criminals behind it. Bleeping Computer writes, "Some of the ransomware gangs known to now include old Conti members include Hive, AvosLocker, BlackCat, HelloKitty, and the recently revitalized Quantum operation. Other members have launched their own data extortion operations that do not encrypt data, such as Karakurt, BlackByte, and the BazarCall collective." The gang's ARMattack campaign last November and December, short but intense, retrospectively looks like the brand's last big hurrah, except, of course, for its public declaration of adherence to Moscow's cause in Russia's war against Ukraine. Group-IB describes ARMattack as having hit some 40 organizations in the U.S. and elsewhere with noticeable effect.

Assuming the Conti brand stays retired, the leading ransomware brand is now LockBit 2.0. NCC Group's May ransomware report puts the leaderboard like this: LockBit 2.0, Black Basta (a rising criminal star), Hive, and the rump of a retiring Conti.
Bleeping Computer reports that AhnLab has noticed a trend in LockBit 2.0's attack technique. The approach is still through phishing, but the phishbait has changed. The typical LockBit come-on now consists of a bogus copyright infringement notice. To see the infringing material, the email says, the recipient should open an attached file, which carries the hook, the payload. It's not unique phishbait. The operators of both BazarLoader and Bumblebee have also used copyright infringement claims to induce their victims to bite.
The Register briefly describes a trend currently observed in ransomware attacks. Increasingly, they're skipping the ransomware. That is, they're not bothering to encrypt the victims' files. Instead, they're relying on the threat of doxing, promising to release sensitive stolen data if the ransom isn't paid. So the trend toward double extortion ransomware, encrypting data to hold it hostage, but not before stealing it and then threatening to release it publicly, is now often skipping the encryption step. It used to be like kidnapping followed by blackmail. Now, more often than not, it's just blackmail.
And finally, major U.S. financial institutions, motivated in part by the possibilities of cyberattack that Russia's war against Ukraine raises and at the urging of the U.S. Department of Treasury, have recently conducted a coordinated exercise designed to help them refine their defenses and their plans for coping with a cyberattack. Bloomberg reports that the exercise included JPMorgan Chase, Bank of America, and Morgan Stanley. Bloomberg explains, it ran through five hypothetical threat levels, ranging from minor assaults to a full-scale onslaught on multiple banks and critical payment systems. The exercise is regarded as showing an unusual degree of cooperation and information sharing among competitors.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Rick Howard.
He is the CyberWire's chief security officer and also our chief analyst.
Rick, always great to welcome you back.
Hey, Dave.
So I was reading the call sheets and rundowns for our discussion this morning,
and I noticed that this week's CSO Perspectives episode is the end of Season 9.
Man, this year is going by fast.
God, I know what you mean.
And we covered a lot of ground this season, too.
We did a little InfoSec history.
We covered the current state and future of software bill of materials.
We did some identity stuff about single sign-on and two-factor authentication and software-defined perimeter.
And we talked about the current state of intelligence sharing today.
And at the end, the last episode we did was a cyber sand table exercise for the Colonial Pipeline attacks of 2019.
And, oh, my goodness, that's a lot of stuff.
I think you should take the rest of the year off.
Okay, I will bring that up with my boss.
So what do you have in store for us in your season finale here?
So have you ever heard of a resilience program called Chaos Monkey?

Yes, yes, I have. That is Netflix, right? Where they sort of, it's exactly what it sounds like. They randomly go in and, like, blow things up to test their resilience, to make sure that their engineers have engineered in enough resilience so that basically no matter what happens, customers won't notice that things have happened. Am I on the right track there?

Yeah, you know, and that's what I thought too until I did a deep dive here. But it turns out, as with most things in cybersecurity, it's a lot more nuanced than that. Netflix and other big Silicon Valley companies like LinkedIn and Google and Microsoft and a bunch of others invented this thing called chaos engineering as an advanced resilience discipline designed to discover potential systemic weaknesses in their deployed architecture that they didn't know about before. So chaos engineering emerged because in the last 15 years, these organizations find themselves running gigantic systems of systems with thousands of dependencies that no human can keep track of in their heads. So chaos engineering is a response to that situation, where they can run carefully controlled experiments on production systems. I mean, they are blowing stuff up here, but they want to figure out all the unknown areas of weakness that they haven't discovered before. So in this last episode of CSO Perspectives of the season, we do a deep dive on chaos engineering to discuss how, for the right organization, it might be a useful tactic for your resilience strategy. I would like to see a book or an article or something about the times when chaos engineering went horribly wrong. Wouldn't you? And you know they happen. They just don't talk about them, right?

No, no. They're probably, you know, traded in dark, shadowed corners at industry events. You know, the folks who know, but the rest of us, it's too dark a secret to spread around.
It's very true.
Well, listen, before I go, what is the cybersecurity term that you're covering
over on the WordNotes podcast this week?
So, this week, we're talking about identity and access management, or IAM for short. And you know, Dave, I'm a little bit of a nerd, and I like to throw little pop culture references into the discussion, mostly to entertain myself. It's not for the audience. It's mostly for me.
Let's be clear, Rick. It's only to entertain yourself. But go on.
But I got to tell you, this week I have outdone myself.
I found a way to connect my favorite Star Trek movie of all time,
the 1982 movie The Wrath of Khan, directly to IAM.
How great is that?
That is great, and I concur with your excellent taste in Star Trek movies.
I think we're going to get lots of cards and letters about that one, but I'm okay.
I'm up for the challenge.
I think it's a defensible position.
Not exactly a Kobayashi Maru, but we'll live with it there.
All right.
Well, you can find all of this stuff over on our website,
thecyberwire.com, where you can learn about Cyber Wire Pro.
Rick Howard, thanks for joining us.
Thank you, sir.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And joining me once again is Josh Ray.
He is Managing Director and Global Cyber Defense Lead at Accenture Security.
Josh, it's always great to have you back.
You know, I know you and your team spend a good amount of time tracking some of the threats that are going on in sort of that criminal underground. And I wanted to touch today, particularly, on social engineering and some of the things that you all are seeing evolving there.
Yeah, thanks, Dave, again, for having me back. We are continuing to see the professionalization of cybercrime in the underground, and specifically around highly specialized areas. And we've spent a lot of time talking about things like technical exploit creation as a service. But really over the last three years, and more increasingly over the past six months or so, our CTI team has observed the increased availability of these social engineering as a service offerings on the underground. And this significantly magnifies threat actor capabilities and really ensures that this threat actor has maximum impact. And you know me, Dave, I'm normally pretty even-keeled when I hear about these types of shifts after being in the industry for a while. But after speaking to my team about this, I really believe that this change will not only significantly improve threat actor capabilities, but will be problematic for security practitioners and net defenders.
Well, can you give us some specific examples here?
I mean, you know, social engineering certainly isn't new.
So what's the approach that has you concerned?
Yeah, no, you're exactly right. And I think it speaks specifically kind of to the adversary tactics and what they're doing. So threat actors are leveraging this service across the skills gamut. And what we're seeing is that for lower skilled actors, this obviously provides them a new, enhanced set of capabilities that they wouldn't otherwise have access to. And they're investing in this as well. So for the big groups like Conti or Lapsus$, they have a dedicated department for this. And they don't just have one individual. They have a team with a dedicated lead that's really responsible just for social engineering. So they're very well organized around this particular piece. We're also seeing the threat making more realistic, socially engineered emails, really kind of looking at the user awareness training, I think, and pivoting their tactics as such. It's very well written, whether it's in English or French or German or Italian, because you used to be able to spot the broken English or something like that, and that was a dead giveaway. But the threat has definitely kind of caught up with this and these tells that humans use to spot the suspicious email.

Now, I've heard that they're getting their way into systems and taking advantage of people's, like, even their calendaring systems.

Yeah, no, this is actually fascinating and slightly scary. I mean, and this speaks specifically to the timeliness of when they launch the attacks. So they will buy access through one of the many darknet cookie markets, you know, say facilitating access to an Outlook calendar. And now they have this internal visibility. So for instance, we've seen actors buy the credentials to an email account through these markets. And instead of just spoofing an email, they send the phishing email from an internal email address. This is social engineering from a genuine corporate account, which is a much more effective strategy, coupled with the visibility component where you can send it when somebody's on PTO or getting ready to attend a conference or has an important business meeting coming up. And this has been one of the things that we've used to educate our user base. And we see that the threat is continuing to pivot to counter these user awareness trainings.
Are they getting better with being able to use the lingo of individual organizations? Have they upped their game there?

Yeah, that's actually one of the most fascinating things. And it really complicates matters further. I mean, we've observed they've actually started to employ industry subject matter experts so that they can speak the jargon and understand the nuance of the business operations. And I like to draw the comparison, like much like we, you know, as Accenture, we kind of tout our industry expertise. You know, they actually have the ability now to do that in a way that increases the effectiveness of the attack. So now you have a threat that can leverage a highly specialized, sophisticated service, employing proper grammar across multiple languages. And then through the use of dedicated reconnaissance, they can target key personnel at the proper time based on their internal visibility. And with their increased industry knowledge, they make their emails much more realistic, and they can send them from a valid internal account now.
Well, let's talk about that. I mean, given this new reality and how much they've stepped up, what are you recommending to people to best protect themselves?

Well, you've got to be great at doing the basics, as always. And we've talked a lot about a lot of the technical controls, you know, such as pushing for, you know, MFA. And once again, you know, people are being targeted as the weakest link in that chain. And more specifically, high-level executives and employees that have access to key internal business operations are top targets. What they post on social media, and what their extended circle and family members may post on social media, can be easily weaponized. So not only staying vigilant and increasing monitoring on your own enterprise, now you have to think about how do you extend that user awareness training to that trusted circle. And we've begun to help clients think about things like monitoring in the dark net, not only to get the intelligence on these available threats and capabilities, but how do you think about executive cyber protection for your key and highly visible employees as well, too? So those are things that we're going to have to do to really extend that intelligence gathering and visibility in conjunction with those technical controls, I think, to continue to mitigate this threat.
All right. Well, Josh Ray, thanks for joining us.
And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.

Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security, Ha! I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed.

The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky. Thanks for listening.
We'll see you back here tomorrow.

Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.