CyberWire Daily - PolyVice and Royal ransomware make nuisances of themselves. US warns that KillNet can be expected to go after the healthcare sector. CISA’s plans for stakeholder engagement.
Episode Date: December 23, 2022
The Vice Society may be upping its marketing game. Royal ransomware may have a connection to Conti. Royal delivers ransom note by hacked printer. KillNet goes after healthcare. CISA's Stakeholder Engagement Strategic Plan. Adam Meyers from CrowdStrike looks at cyber espionage. Giulia Porter from RoboKiller does not want to talk to you about your car's extended warranty. And holiday wishes to all.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/245
Selected reading.
Custom-Branded Ransomware: The Vice Society Group and the Threat of Outsourced Development (SentinelOne)
Vice Society ransomware gang switches to new custom encryptor (BleepingComputer)
Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks (Trend Micro)
Researchers Link Royal Ransomware to Conti Group (SecurityWeek)
Major Australian university dealing with suspected cybersecurity attack (7NEWS)
Printers at Queensland's second-largest university spit out ransomware messages after cyber attack (ABC)
Pro-Russian Hacktivist Group 'KillNet' Threat to HPH Sector (HC3)
HHS alert warns KillNet hacktivist group targeted US healthcare entity (SC Media)
HC3 Analyst Note TLP Clear Pro-Russian Hacktivist Group Killnet Threat to HPH Sector December 22, 2022 | AHA (American Hospital Association)
Strategic Plan for Stakeholder Engagement (CISA)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The Vice Society may be upping its marketing game.
Royal Ransomware may have a connection to Conti.
Royal delivers ransom notes by hacked printer.
Killnet goes after healthcare.
CISA's stakeholder engagement strategic plan.
Adam Meyers from CrowdStrike looks at cyber espionage.
Giulia Porter from RoboKiller does not want to talk to you about your car's extended warranty.
And holiday wishes to all.
From the CyberWire studios at DataTribe, I'm Dave Bittner,
with your CyberWire summary for Friday, December 23rd, 2022.
Hello, everyone. It's great to have you with us here today. First, we look at some developments in the cybercriminal underworld.
Cybersecurity firm SentinelOne discovered a new ransomware variant in use by the Vice Society Group.
It's custom-branded for the group, a first for these threat actors.
Vice Society activity has been observed since June 2021
and was always seen utilizing third-party ransomware strains such as HelloKitty,
Five Hands, and Zeppelin, SentinelOne reports. The strain seen in a recent intrusion, which the firm's
researchers have dubbed PolyVice, appends the file extension .ViceSociety to encrypted files.
The recent findings that the Zeppelin ransomware strain implemented weak
encryption that allowed for decryption may have been a factor in the group's implementation of
the new PolyVice variant. It is suspected that this ransomware is likely from a vendor,
as Chily ransomware and SunnyDay ransomware have identical functions,
with variations only in campaign-specific details.
Our second note from the underworld comes from researchers at Trend Micro,
who have published a report on the relatively new ransomware strain that goes by the name
Royal. It turns out that there are some signs of connection to an old familiar name,
Conti. Royal attacks are being launched by a sophisticated gang
that used to operate the now apparently defunct Conti ransomware.
Royal ransomware first surfaced in September 2022,
and the vast majority of its attacks have targeted entities in the U.S. and Brazil.
The threat actor uses callback phishing,
a social engineering technique in which the attacker poses as technical support and instructs the victim over the phone to install remote desktop software.
The threat actors also exfiltrate data before executing the ransomware.
Trend Micro predicts that the Royal ransomware operators will increase their activity in the coming months.
Royal has made an appearance in Australia.
The Queensland University of Technology,
second largest university in the state of Queensland,
has apparently sustained a Royal ransomware attack,
the Australian Broadcasting Corporation reports.
Yesterday, printers in the university's network began spewing out ransomware notices in bulk,
in some cases until they used up
all the affected printer's paper. 7 News gives some of the content of the extortionist's message.
After telling the recipients that they had been hit, the printouts read,
most likely what happened was that you decided to save some money on your security.
Alas, as a result, your critical data was not only encrypted but also copied. [...] covered, that is, by promising to return your data once you pay the ransom.
The university has shut down IT systems as it works on remediation.
Australian authorities have grown fed up, positively testy, with the trouble cybercriminals have caused over the latter part of 2022.
It will be interesting to see what response Royal draws from them.
The gang is already in U.S. sites,
and it's likely to receive some unwelcome attention from Australian authorities.
We wish them good hunting.
Go out and drop these chumps.
Turning to the cyber phases of Russia's hybrid war against Ukraine,
Killnet, the hacktivist auxiliary that has been perhaps the most publicly prominent Russian actor in cyberspace over the past few months of the war, has turned its attention to healthcare.
The U.S. Department of Health and Human Services, through its Health Sector Cybersecurity Coordination Center, the HC3, has warned U.S. hospitals and other healthcare providers that they should expect to receive attention from KillNet. The HC3 analyst note says that KillNet has previously targeted or threatened to target
organizations in the health care and public health sector. Much of its activity has represented a
threat to data privacy, and it's worth noting that more has been threatened than has apparently
materialized. For example, Killmilk, a senior
member of the KillNet group, has threatened the U.S. Congress with the sale of the health and
personal data of the American people because of the Ukraine policy of the U.S. Congress.
In December 2022, the pro-Russian hacktivist group claimed the compromise of a U.S.-based
healthcare organization that supports members of the U.S. military
and claimed to possess a large amount of user data from that organization.
In some cases, however, Killnet has threatened medical devices.
The report says,
In May 2022, a 23-year-old supposed Killnet member
was arrested in connection with attacks on Romanian government websites.
In response to the arrest, Killnet reportedly demanded his release and threatened to target
life-saving ventilators in British hospitals if their demands were not met. The member also
threatened to target the UK Ministry of Health. HC3 says, with commendable realism, that Killnet
does tend to do more woofing than biting, stating,
It is worth taking any claims Killnet makes about its attacks or operations with a grain of salt.
Given the group's tendency to exaggerate, it is possible some of these announced operations and developments may only be to garner attention, both publicly and across the cybercrime underground.
So, as the proverb would have it, the group's eagle mouth does have a tendency to overload its parakeet backside. Nonetheless, HC3 suggests several steps healthcare organizations might take
to protect themselves and their patients, so keep those shields up, doctor.
Speaking of shields up, CISA, the U.S.
Cybersecurity and Infrastructure Security Agency, has published a strategic plan for stakeholder
engagement. The goals of the 2023 through 2025 plan, the first of its kind for CISA, are to,
first, foster collaboration on stakeholder engagement and outreach across CISA divisions,
second, gain a better understanding of stakeholders' security risks and needs,
and third, effectively provide stakeholders access to CISA's products, services, resources, and information.
Stakeholder outreach and cooperation are as important to CISA as they are to any U.S. federal agency,
given the extent to which so much U.S. critical infrastructure is held by the private sector,
and so it will be interesting to see how the agency executes its strategy over the next three years.
And finally, the CyberWire will publish on our winter holiday schedule
beginning tomorrow and continuing through next week.
It's not a hiatus.
Instead, we'll depart from our regular daily and weekly podcasts and news briefings
to bring you a selection of special coverage.
Visit the CyberWire over the break for discussion of some of the cybersecurity sector's
most interesting topics and even some pieces offered for your entertainment. We'll resume regular publication on January 3rd,
the day after the U.S. Federal Observance of New Year's Day. In the meantime, we hope you have a
quiet, restful holiday season. It's been one heck of a year full of good times and bad, joy and
sadness.
We're glad you chose to spend some of your time with us,
and we look forward to more time together in the coming year.
It means the world to us that you find value in what we do.
On behalf of our amazing CyberWire team,
I wish you a Merry Christmas, Happy Holidays, and a safe and joyous New Year,
and special wishes for peace on Earth, and especially for a just peace in Ukraine.
Be kind. Take care.
We'll see you next year.
Coming up after the break, Adam Meyers from CrowdStrike looks at cyber espionage.
Giulia Porter from RoboKiller does not want to talk to you about your car's extended warranty. Do stick around.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Adam Meyers is head of threat intelligence at CrowdStrike, and in his position, he's been front and center
to some of the industry's most significant cyber investigations.
I checked in with Adam Meyers for his insights
on where we stand when it comes to cyber espionage.
When we think about cyber operations, cyber espionage,
it's really for countries.
These entities are conducting these operations for sabotage.
They're also using them to enable disruptive, destructive operations and espionage.
And so the scope of these things ranges country to country.
North Korea, over the last couple of years, has engaged in a lot of revenue generation,
meaning that they're breaking into cryptocurrency platforms
and financial institutions and financial technology companies
in order to steal actual money
to help that regime conduct nuclear building
and some of the other stuff that they're engaged in.
And that's consistent with what we've seen them do
across some of the other spectrum of things that they may attempt to do.
Counterfeiting would be effectively human trafficking for labor purposes, criminal activity.
All of these things are associated with behaviors of North Korea in order to generate revenue for the regime and also for the Kim family.
Is there a bit of fuzziness here? I mean, I guess when I think of espionage, I tend to think of the
spy versus spy kind of stuff. But when you get into things like theft, as you mentioned, you
know, North Korea is stealing things. Even the intellectual property that China is known to take,
it seems like it crosses over into the, is it fair to say, I don't know,
gentlemanly spying on each other, reading each other's letters into theft.
How do we deal with that fuzziness?
Well, I think espionage is a dirty game that has to be played. And it always has had, you know,
degrees of that, right? If you go back to the KGB in those days, you know, there was an entire line
of technical collection that was established to steal secrets.
Things like the Star Wars program back in the 80s
was something that I think in part was designed
to draw out those Russian KGB Line X operators
and some of the technical collection people
in order to play that game with them.
So it has always been this.
And I think when we think about cyber espionage,
cyber operations, COVID was a huge problem
for espionage operators.
Because if you think about that spy versus spy stuff that you
alluded to, trying to get across a border, trying to put human assets into a target country became
very difficult during COVID. Borders were locked down. You had to submit to all kinds of different
quarantines and things like that.
So it became difficult to put human assets in place that weren't there and to service the human assets, to be able to get information from them while they were undercover or in place.
So cyber operations became a hugely important role for these different espionage operators.
I think we've seen that over the last two or three years.
It's proliferated.
We've added new nations as what CrowdStrike tracks conducting cyber operations.
One of the more prolific ones that we've been tracking pretty closely is Turkey. And so there is this increase in not just the number,
but also the, by number I mean an increase in operations, not just in terms of the different
agencies within the known countries doing it, but new countries coming to light that are conducting
these operations. And I think that they see this as very attractive. It's cheap. It's low risk.
If an operation gets burned, you have some degree of deniability and you can move on and do it
again. It doesn't require setting up a whole bunch of infrastructure in country. It doesn't
require moving humans around and building covers and legends and all the things that you read about in spy movies or books.
And it becomes really democratized in a certain way for lots of countries that want to engage
in these operations.
They really just need to find some people that have the know-how and are willing to
do it and then task them to do it.
You know, I've seen what I think it's fair to say
you can call a shift in the approach
by some of the government agencies,
you know, the three-letter agencies,
in that there's a lot more public-private partnership
and I suppose an acknowledgement
that they can't do it alone,
the public can't do it alone,
and that they really need to come at this problem together, collaboratively.
What is your take on that shift?
Do you think that that indeed is the case, that it's happening?
Absolutely.
And as I said before, right, everybody that's playing defense,
whether it be at a small enterprise, a large enterprise, Fortune 500,
or government agency,
they have a role to play.
They're on that front line.
Through things like the JCDC,
the Joint Cyber Defense Collaborative
that was established by CISA,
through some of the other efforts
by different government agencies,
not just here in the US but across the globe,
we've seen an increase in collaboration,
two-way sharing, which used to be very one-way.
And it was typically private sector
sharing information to the government
and it became a black hole.
And what we've seen over the last couple of years
is that there's been a substantial effort
by government agencies across the globe
to increase their information sharing and partnership with the private sector.
And I think that that's a recognition of the fact that we are the frontline defenders.
And so that being able to get those frontline defenders involved and to share information in a two-way capacity makes everybody safer.
That's Adam Meyers from CrowdStrike.
There's a lot more to this conversation.
If you want to hear more,
head on over to the CyberWire Pro and sign up for Interview Selects,
where you'll get access to this
and many more extended interviews.
As 2022 winds down, there's one thing I think it's safe to say that most of us, at least here in the U.S., have experienced.
People trying to reach us about our car's extended warranty.
Giulia Porter is vice president at RoboKiller, one of the companies making apps that look to block these spammy and scammy phone calls and text messages. They recently published a report on the trends they're tracking
and the annoyances they're blocking. So I checked in with Giulia Porter for the details.
So unfortunately, Americans are now more spammed than ever as of 2022. In past years, you know,
we've been very much focused on robocall trends,
which have continued to increase year over year. Unfortunately, we do have a new problem that's
emerging at great scale, which is robotexts. Just in the first half of 2022, it's estimated that
Americans received 66 billion robotexts, which is quite a lot. And at this point, it's now
outpacing robocalls, where Americans received about only 40 billion estimated spam calls in
the same time period. So at this point now, one of the biggest trends and concerns, frankly, for us
is that, and we can talk about this in a bit, but the industry is very focused right now on
combating robocalls, and scammers know this, and they seem to be getting one step ahead of us in
pivoting to this new technology, which is robotexts. And I mean, is that really what it comes down to
is that as organizations like yourselves are helping people get on top of robocalls, is this
just a pivot on the part of the bad guys?
It's actually a pivot at the industry level.
RoboKiller has been blocking spam texts for many years now,
and we have been first to market in solutions to protect consumers.
But what we believe this is a result of,
and the trend lines up with this timing quite closely,
is if you've been following the government efforts on the robocall side with a new technological
framework called STIR/SHAKEN. STIR/SHAKEN, it was a technology that was released last year that all
telecommunications providers in the US had to adopt and comply with, which was essentially
a technological framework for caller ID verification and authentication. And what that was designed to do was create a universal standard for understanding whether or
not a phone call that was being placed was being spoofed. A lot of times scammers, robo-callers in
particular, are using caller ID spoofing to mask their caller ID, and normally that's on the backside of a phone scam more than it is a
legitimate call. And so the industry has been very, very focused on adopting this framework,
complying with new regulations, and we are seeing improvements as a result. But unfortunately,
scammers know this as well and were prepared for this and are responding in just a whole new medium,
unfortunately. Yeah, it really seems like a game of cat and mouse here. And as you say,
very frustrating for consumers. I mean, what are some of the other statistics that you're
tracking here? So the FTC reports on the reports that they receive for consumers who come to the
FTC and report losses to phone scams. We believe, based on the traffic that we're seeing, that these reports that
represent millions and millions of dollars of consumer losses are only a small piece of the
actual losses in the United States. For 2022, we are projecting that consumers are going to lose about $28 billion to robotexts,
where that kind of nets out is about $1,000 in losses per robotext scam.
And unfortunately, again, going back to that point of being more spammed than ever,
people are also losing money to robocalls.
And we believe that number for robocalls is going to reach about $60 billion by the end of 2022.
And so you can imagine that this is a huge problem for consumers that we're seeing nationwide.
And of course, that just kind of takes it a step further.
Not only are these calls and texts really annoying, but for some, they can be quite catastrophic financially.
In terms of the actual scams themselves, are there certain ones that are
more popular? Yes. It's kind of sad and funny at the same time. I think if you've kind of been on
social media, you might have seen some people talking about the car warranty robocall. Based
on RoboKiller's data, we estimate that it's statistically possible that every American with a smartphone has received that robocall more than four times this year, at least.
I know I have.
I guess it's something we all have in common.
What's interesting with the car warranty robocall is we're actually seeing a large decrease, a significant decrease, actually, in the last couple months for that robocall
specifically, actually thanks to an effort from the FCC. The FCC tracked down some known robocallers
that were suspected to be behind this car warranty robocall. And they actually put out an announcement
that allowed all carriers to block any traffic from where they had identified they thought this scam was coming from.
And what we've seen since that announcement in July of this year is that car warranty robocalls, according to RoboKiller,
have gone from about 15% of total robocalls to less than 1% in just a couple months.
So this is actually an exciting development because it's a great testament to the FCC's efforts to get involved to stop a particular scam and seeing that that's working really basically immediately.
So we're very excited about that.
Of course, scammers, just like we're seeing with robotext shifts, are really going to often just change their tactics and adopt different scams.
In terms of the types of scams that we're seeing, the overall trend that we know about phone scammers is that they watch the news,
they know what's top of mind for us, and they're often changing and targeting their scams to be
as relevant as possible. So for example, in the last couple months, we've seen increases in
significant increases in student loan phone scams, both for robocalls
and texts, as coverage around student loan forgiveness has increased in the media.
And again, that scammers really are just trying to kind of catch you when you're not really
paying attention.
But, you know, you might like look at something and see like, oh, yeah, you know, I did apply
for student loan forgiveness.
I'm going to, you know, just click this link and check this out in this text.
And then all of a sudden, you know, you're hooked.
And so that's definitely a common trend that we see, of course,
as we head into the holidays.
Scammers love to pose as delivery service text companies.
I've been getting a ton of Amazon spam texts
in the last couple of days, actually.
And so really, for them, it's a game of relevancy
just to increase the likelihood that you'll fall for their scams, unfortunately.
That's Giulia Porter from RoboKiller.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe
and compliant.
[...] out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Trey Hester, Brandon Karp, Eliana White,
Puru Prakash, Liz Irvin, Rachel Gelfand,
Tim Nodar, Joe Carrigan, Carole Theriault,
Maria Varmazis, Ben Yelin, Nick Veliky,
Millie Lardy, Gina Johnson, Bennett Moe,
Catherine Murphy, Janine Daly, Jim Hoscheit, Chris Russell, John Petrick, Jennifer Eiben.
Thanks for listening. We'll see you back here next year.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.