CyberWire Daily - Piercing the through the fog. [Research Saturday]
Episode Date: June 22, 2024Kerri Shafer-Page from Arctic Wolf joins us to discuss their work on "Lost in the Fog: A New Ransomware Threat." Starting in early May, Arctic Wolf's Incident Response team investigated Fog ransomwar...e attacks on US education and recreation sectors, where attackers exploited compromised VPN credentials to access systems, disable Windows Defender, encrypt files, and delete backups. Despite the uniformity in ransomware payloads and ransom notes, the organizational structure of the responsible groups remains unknown. The research can be found here: Lost in the Fog: A New Ransomware Threat Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K. of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my
personal information from hundreds of data brokers. I finally have peace of mind knowing
my data privacy is protected. Delete.me's team does all the work for you with detailed reports
so you know exactly what's been done. Take control of your data and keep your private life Thank you. Hello, everyone, and welcome to the CyberWires Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities, solving some of the hard problems,
and protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
On and around early May, around May 2nd,
Art of Wolf began monitoring deployment of the new ransomware variant referred to as FOG.
What we saw was that across victim organizations,
most of them were in the U.S.,
with about 80% of the victims in the education sector
and about 20% in the recreation sector.
That's Carrie Schaefer-Page,
Vice President of Digital Forensics and Incident Response at Arctic Wolf.
The research we're discussing today is titled Lost in the Fog, a New Ransomware Threat.
So the threat actors showed an interest in rapid encryption of VM storage data
and then ransom payment for decryption of the said
data, right? So this is pretty common, but what we didn't see is the actual exfiltration.
And something I should point out too, when it comes to the education sector,
this is often a understaffed and underfunded sector, right? So they don't have a lot of IT
support. So it's an easy target for them not
to have all the security operation controls they should have in place. So oftentimes threat actors,
when they're able to kind of get a foothold, it's not surprising that once they get into the
environment, they're able to move laterally quickly. And then the big thing is being able
to elevate their privilege, which is actually how they get to the content of concern, right, which was the cases that we saw.
Well, let's dig into some of the technical details here.
I mean, can you walk us through what does a typical infection look like?
How does someone find themselves falling victim to this?
Yeah, I mean, even if you have, you know, different controls in place, I mean, these were
VPN credentials that were compromised as the initial attack vector, right? So in one of the
early cases, we saw what's called pass the hash activity, where the administrator accounts were
subsequently used, and then remote desk protocol, RDP, connections to Windows servers running Hyper-V and Veeam were used.
We also saw credential stuffing.
And if you're familiar with that, that's where often credentials are used across variable different applications and not changed, right?
So a bot is often used to try to leverage repeatedly going after to try to get in. But in all of the cases,
we actually saw where PS exec was deployed to several of the hosts. And then again,
an RDP and SMB were used to access those targeted hosts.
And you say that they want to get in here sort of quickly and do the things they're going to do.
I mean, does that mean that in that
process, they're also being particularly noisy? In some cases, I mean, that's where it's awesome
to have security operations in place, an MDR type solution where, you know, any abnormal network
traffic is actually detected. But in some cases, you know, they could be quite stealth, right?
You do see, we didn't see it in this particular instance,
but you do kind of see where threat actors will come in
and there's what's called a long dwell time,
where they're watching the patterns and the behaviors
of the end users in the environment
and figuring out how best to leverage
and get to where they want.
So even with the right credentials and controls in place,
we often see that if you've got on the front end good protection, but they've gotten in and gotten moved laterally, they're not using, you know, protecting the privilege escalation, which is the biggest thing, right? it's domain admin or any type of credential like that that allows them to get to the data,
we often see that's where organizations fall down from a structure standpoint and keeping
those controls current.
And what are you seeing in terms of the ask, a dollar amount for a ransom?
Do you have data there?
Well, we can't disclose on our cases what the financial ask is, but ultimately,
and the nice thing about Article Wolf as well, we have a threat actor communication team, right?
So ideally, you always want a client not to have to pay, but as we all recognize, especially when
you're dealing with the data as sensitive as education, right, where you can have a lot of PII,
there may be a need for a client to have to pay.
So in that case, it's that negotiation piece that takes over.
But ultimately, you're always going into it
with the communications with the client to say,
look, ultimately, you'd like not to pay.
And if they have to,
then it's about that negotiation piece that comes in.
How do we reduce that ransom if they do have to?
And then it's also making sure, too, there's this concern. It's called double extortion, right? How do we reduce that ransom if they do have to? And then it's also making sure too,
there's this concern, it's called double extortion, right? In some cases, unfortunately,
you see a client pay because they need a decryptor key and then they turn around and
they've paid for that. They may be able to unlock their data, but a threat actor has
exfiltrated a version or copy of it and they still release it to the dark web, right? So I'm
talking in general, right, of what you see when you have those concerns about negotiation with
the threat actor. We have not, in these circumstances, seen any evidence of double extortion here.
We'll be right back.
We'll be right back.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation
to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
I guess where I'm coming at this from is, you know, you mentioned at the outset that the education sector in particular is often underfunded. And so I'm curious, do we see a comparatively low ask
relative to other ransomware situations that we've heard of,
perhaps taking into mind that the education sector is underfunded
and would not be able to fund a big ransomware ask. You see where I'm
going with that? I totally see where you're going. And you're right. I mean, sometimes you do see
threat actors have a heart, right? It's a funny thing to say, isn't it?
Exactly. Don't feel bad. Oh, no, I hit a children's hospital. Maybe we'll do something
different. But yeah, we have not seen that apply to these circumstances.
So yeah, they don't seem to have the sensitivity there.
Yeah.
And you mentioned exfiltration.
Are we actually seeing exfiltration or is it just the ransoming itself, the locking up of the data?
Yeah, we have not seen any exfiltration.
It's just been the encryption.
And that's where I was using that kind of smash and grab, right?
It looks like they're getting in.
And unfortunately, because of the vulnerable opportunity or network, I should say,
they're able to kind of laterally move quickly and get that encryption taken care of.
I see.
Well, can we dig into some of the technical details here?
I mean, that's something that you and your colleagues have shared the information.
What are some of the highlights that you think folks should be aware of?
You know, I think it's definitely, I mean, it's not unusual.
We said that.
So did it surprise us that we didn't see exfiltration?
Probably not.
But I think what's most surprising to me is, again, it's the controls that we hope that organizations and clients kind of have in place,
right? That you go through and even if you have an incident response plan, people aren't turning
around and updating those. It's just like you change the batteries in your smoke alarms, right?
That needs to be a consistent thing that happens. So I think that's what really needs to kind of be
taken into account is that,
especially when you're talking about VPN credentials. I mean, a lot of times that
starts potentially, if it's not a product, it starts with the end user. So it's the education,
it's the security awareness of them onto how they're setting their passwords. Are you using
a phrase? There's simple things of education that can happen
with the end user. And then I think it's also, even if you have a small IT department that I
referenced even for the education sector, it's like, where are you spending your money, right?
Like if you only could have, you know, one or two people that support it, make sure you're doing the
controls that manage, you know, that matter. Make sure you're doing the identity and the access management. Again, locking down privilege on devices that people don't need
to have access to, using laps. There's a lot of different means in order to organize that.
And then you asked the question earlier with the abnormality of traffic. I think that's a
really important one, right? If you can have any type of EDR solution
or monitoring that's in place
in order for you to help detect
that type of abnormal traffic,
how do you react to it?
So I think there's some basics
depending on whatever budget you come from
in whatever sector
that's important to work through.
And even if you're having to get consult,
if you were,
Arctic Wolf will do this as well, but a lot of IR firms do.
You know, sitting down with a client and helping them go through these preventative steps, right?
What do I need to do from a prevention and awareness standpoint so that I'm not the next victim?
Yeah.
When you look at this particular ransomware payload, how do you rate its sophistication?
look at this particular ransomware payload, how do you rate its sophistication? You know, it's hard to tell here too if this is one actual threat actor. As you know, you know, ransomware as a
service is big business. You know, what we have seen from the casework that we analyzed is we do
see a shared functional code block between the ransomware payloads. So definitely we consider that involvement from a,
you know, a common entity. I would say it's, you know, not overly sophisticated, but it definitely,
you know, is coming from somebody that's, that knows what they're doing and enough to
the execution is achieving what they wanted to do, right? When it becomes from an encryption
standpoint. So, you know, evidence is definitely tying these cases to, you know, potentially one sole threat actor, but it's not yet conclusive.
So it'll be interesting to see if this still, you know, now that they know they've gotten the
attention, right, I think there's a lot of media that's picked it up. It'll be interesting if they
take, you know, a greater stance and start attacking more, like we saw in the past with
some other players like Cactus and others, or, you know, even if they start, you know, identifying themselves, right,
as to who they potentially might be an affiliate of. And how would you rate currently the scale
of this threat? How widespread are you seeing this? I mean, we've seen a fair amount of, you
know, our self-casework that we worked. But I can't actually comment
on our peer industry teams
of what they're seeing.
I don't know if there's enough evidence yet
that's kind of been correlated
to substantiate that.
Our thanks to Carrie Schaefer-Page from Arctic Wolf for joining us.
The research is titled Lost in the Fog, a new ransomware threat.
We'll have a link in the show notes.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And that's Research Saturday brought to you by N2K CyberWire.
We'd love to know
what you think of this podcast.
Your feedback ensures
we deliver the insights
that keep you a step ahead
in the rapidly changing world
of cybersecurity.
If you like our show, please share a rating and review in your podcast app. Please also fill out the survey Thank you. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilby is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here next time. Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.