CyberWire Daily - PurpleUrchin’s freejacking. Bluebottle versus the banks. A supply-chain attack on a machine-learning framework. The ransomware leaderboard. And cyber ops in a hybrid war.
Episode Date: January 5, 2023

The PurpleUrchin freejacking campaign. Bluebottle activity against banks in Francophone Africa. The PyTorch framework sustains a supply-chain attack. 2022's ransomware leaderboard. Cellphone traffic as a source of combat information. FBI Cyber Division AD Bryan Vorndran on the interaction and collaboration of federal agencies in the cyber realm. Our guest Jerry Caponera from ThreatConnect wonders if we need more "Carrots" Than "Sticks" In Cybersecurity Regulation. And two incommensurable views of information security.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/3

Selected reading.
An analysis of the PurpleUrchin campaign. (CyberWire)
PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources (Unit 42)
Bluebottle observed in the wild. (CyberWire)
Bluebottle: Campaign Hits Banks in French-speaking Countries in Africa (Symantec)
PyTorch incident disclosed, assessed. (CyberWire)
PyTorch dependency poisoned with malicious code (Register)
Compromised PyTorch-nightly dependency chain between December 25th and December 30th, 2022. (PyTorch)
Most active, impactful ransomware groups of 2022. (CyberWire)
2022 Year in Review: Ransomware (Trustwave)
Russia says phone use allowed Ukraine to target its troops (AP NEWS)
For Russian Troops, Cellphone Use Is a Persistent, Lethal Danger (New York Times)
Kremlin blames own soldiers for Himars barracks strike as official death toll rises (The Telegraph)
No Water's Edge: Russia's Information War and Regime Security (Carnegie Endowment for International Peace)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k.
The PurpleUrchin freejacking campaign.
Bluebottle activity against banks in Francophone Africa.
The PyTorch framework sustains a supply chain attack.
2022's ransomware leaderboard.
Cell phone traffic as a source of combat information.
FBI Cyber Division AD Bryan Vorndran on the interaction and collaboration of federal agencies in the cyber realm.
Our guest Jerry Caponera from ThreatConnect wonders if we need more carrots than sticks in cybersecurity regulation.
And two incommensurable views of information security.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary.
Palo Alto Networks' Unit 42 this morning released a report on the threat actor Automated Libra.
They're the gang behind the PurpleUrchin freejacking campaign.
Automated Libra is based in South Africa and targets cloud platforms in what is known as freejacking, or the process of using free or limited-time cloud
resources to perform crypto mining operations. It's a special case of cryptojacking.
The PurpleUrchin campaign was first discovered in October of last year. The gang was seen using play-and-run tactics, defined by the researchers as using cloud resources and not paying the cloud platform vendor's resource bill.
The actors created and used fake accounts with falsified or stolen credit cards, which held unpaid balances.
Operations were seen peaking in November,
with three to five GitHub accounts being created every minute.
More than 250 gigabytes of container data were analyzed by the researchers,
and it was found that the group heavily leveraged DevOps automation techniques,
such as continuous integration and continuous development.
Heroku, Togglebox, and GitHub were observed to be cloud service platforms the gang used, but data traced threat actor activity back to August of 2019, and that trail showed activity spread across a broad range of cloud providers and crypto exchanges.
Researchers at Symantec released a report this morning detailing the continuation of cybercrime group Bluebottle's activity in Francophone countries, most recently observed against banks in French-speaking parts of Africa. Symantec says Bluebottle seems to be a continuation of activity tracked by Group-IB as OPERA1ER, most recently documented in a report from the group in November of last year.
The researchers at Symantec find that the current activity shows a lot of carryover from what had been seen earlier, but there are some departures, some developments in Bluebottle's technique.
There are some indicators the attackers may have used ISO files as an initial infection vector.
The criminals are now using the commodity malware GuLoader in the first stages of their attack, and there are indications that Bluebottle is now abusing kernel drivers to disable defenses.
Symantec says the cybercrime gang makes extensive use of living-off-the-land,
dual-use tools, and commodity malware,
with no custom malware deployed in this campaign. Three different financial institutions in three
different African countries were victimized, according to Symantec, with activity first
observed in mid-July, with impact on multiple machines at all affected organizations.
A threat actor carried out a supply chain attack against the open-source machine learning framework PyTorch, BleepingComputer reports.
The attacker uploaded a dependency to the Python Package Index that had the same name as one of PyTorch's dependencies.
PyTorch said in a statement that the malicious package was live between December 25th and December 30th, stating:
At around 4:40 p.m. GMT on December 30th, Friday, we learned about a malicious dependency package, torchtriton, that was uploaded to the Python Package Index code repository with the same package name as the one we ship on the PyTorch nightly package index.
Since the PyPI index takes precedence, this malicious package was being installed instead of the version from our official repository. This design enables somebody to register a package by the same name as one that exists in a third-party index, and pip will install their version by default.
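The PyTorch statement above describes a name collision between a public index and a private one. The following is an added illustration, written for this page and not code from PyTorch, pip, or the episode: a small Python model of how pip pools candidates from its configured indexes (index-url plus extra-index-url) and chooses the highest version it finds, with no index trusted above another, alongside the two defensive checks a practitioner would run over a requirements list: an audit for names that exist on both indexes, and a resolver restricted to the one index the organisation trusts for that package. The index listings are constructed sample data, the version parser is a deliberate simplification of PEP 440, and every function name is my own.

```python
"""Model of multi-index package resolution and two defensive checks.

Added example for this page; not PyTorch's or pip's own code. The index
listings below are constructed sample data, not real package metadata.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple   # parsed numeric version, e.g. (2, 28, 1)
    index: str       # label of the index that served this candidate


def parse_version(text):
    """Turn '2.28.1' into (2, 28, 1) for comparison.

    Assumption: non-numeric pieces (e.g. 'dev' suffixes) count as 0. That is
    enough for this illustration; it is not a full PEP 440 parser.
    """
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


# Constructed sample listings: name -> available version strings.
PUBLIC_INDEX = {
    "requests": ["2.28.1", "2.28.2"],
    "internal-utils": ["99.0.0"],   # same name as the private package, higher version
}
PRIVATE_INDEX = {
    "internal-utils": ["1.2.0", "1.3.0"],
}
# The order here mirrors --index-url (public) plus --extra-index-url (private).
INDEXES = {"pypi": PUBLIC_INDEX, "private": PRIVATE_INDEX}


def candidates(name, indexes):
    """Gather every version of `name` across all indexes, as pip does when
    it merges results from --index-url and --extra-index-url."""
    found = []
    for label, listing in indexes.items():
        for version in listing.get(name, []):
            found.append(Candidate(name, parse_version(version), label))
    return found


def resolve(name, indexes):
    """Pick the candidate pip would install: the highest version available,
    regardless of which index served it. This is why a public upload with a
    large version number beats the private copy."""
    found = candidates(name, indexes)
    if not found:
        raise LookupError(f"{name}: not found on any configured index")
    return max(found, key=lambda c: c.version)


def resolve_restricted(name, indexes, trusted_index):
    """Mitigation 1: only consider the index the organisation trusts for this
    package (the effect of pointing --index-url at the private index alone
    instead of adding it with --extra-index-url)."""
    found = [c for c in candidates(name, indexes) if c.index == trusted_index]
    if not found:
        raise LookupError(f"{name}: not found on index {trusted_index!r}")
    return max(found, key=lambda c: c.version)


def audit_name_collisions(requirements, private_index, public_index):
    """Mitigation 2: flag every required name that is published on both
    indexes. Each one is a confusion candidate until installs are pinned
    to a single index or verified by hash."""
    return sorted(
        name for name in requirements
        if name in private_index and name in public_index
    )


if __name__ == "__main__":
    requirements = ["requests", "internal-utils"]
    for req in requirements:
        chosen = resolve(req, INDEXES)
        print(f"{req}: default resolution picks {chosen.version} from {chosen.index}")
    safe = resolve_restricted("internal-utils", INDEXES, "private")
    print(f"internal-utils restricted to private index: {safe.version}")
    print("collisions:", audit_name_collisions(requirements, PRIVATE_INDEX, PUBLIC_INDEX))
```

Running the script shows `internal-utils` resolving to version 99.0.0 from the public index under default pooling, version 1.3.0 once resolution is restricted to the private index, and the audit listing `internal-utils` as the one collision. A practical use is to run the audit over a project's requirements file on every CI build, so a newly registered public name matching an internal package is noticed before an install picks it up.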
This morning, Trustwave's SpiderLabs released a roundup report of what they've assessed as the most active threat groups within the ransomware space last year. You'll recognize the names.
They are in reverse order. Coming in at number four was BlackCat, also known as ALPHV, which has possible links to the DarkSide and BlackMatter gangs. BlackCat made a name for itself in July 2022 by developing a search function for indexed stolen data. They're small, but with some potential for growth, and they seem to be a veteran crew that's learned its trade in other gangs. Hive, a ransomware-as-a-service operation, was number three.
Coming to light in June 2021, the group uses an affiliate ransomware-as-a-service model
and has accounted for around 9% of reported ransomware attacks in the third quarter of 2022.
The group also replaced its ransomware in 2022, changing the language from Golang to Rust, which provided
advantages such as deep control over low-level resources, variety of cryptographic libraries,
and making it more difficult to reverse engineer. Hive targets sectors not usually targeted by
ransomware groups like healthcare, energy, and agriculture. Black Basta, a new crew but one that seems to
trace its descent to Conti, REvil, and FIN7, comes in at number two. The group's use of
established tools such as Qakbot and Cobalt Strike, as well as its lack of affiliate recruiting
in favor of collaboration with previously associated actors, seems to contribute to the gang's success.
And finally, the winner is LockBit, noted for running like a business. LockBit version 3.0,
the latest, added automated permission elevation, ability to disable Windows Defender, a safe mode
for bypassing installed antivirus tools, and the capacity to encrypt Windows systems
with two distinct strains of ransomware.
Trustwave explains that that last feature
decreases the chance that a third-party decryptor
might blow the gaff on the scam.
How troublesome has LockBit been?
Plenty.
About 44% of 2022's successful ransomware infestations can be chalked up to LockBit.
The extent to which cell phone signals have been used for geolocation and then targeting in any particular case remains unclear,
but the devices represent a persistent operations security challenge for both sides.
The phones make it possible to collect combat information that would formerly
have been difficult to come by, from unguarded conversations to revealing photos shared in
social media. The New York Times summarizes the problem that simple phone conversations pose.
Russian commanders have ordered the troops to give up their phones, but such orders have been
widely evaded. It's also not only the words that
matter, but the signals themselves. The Times report states, soldiers did not appear to know
that cell phone data alone could potentially betray them, giving Ukrainians enough to pinpoint
a phone's location down to an apartment building. Another way of putting it would be to say that metadata can be every bit as lethal as data.
And finally, the Carnegie Endowment for International Peace notes that Russia has an understanding of information security that's quite different from the one that prevails in Western and especially U.S. circles.
It's more concerned with influence, with controlling a narrative, than it is with the confidentiality, integrity, and availability of data.
This view is significantly inward-looking and inclined to view information operations as deterministic.
Concentrating on confidentiality, integrity, and availability is a poker player's way of seeing the world.
You want to hold your cards close, know what's in your hand,
and don't give the other players any tells. A chess player sees the contest differently.
Mistakes might be made, but nothing happens by chance.
Coming up after the break, FBI Cyber Division AD Bryan Vorndran on the interaction and collaboration of federal agencies in the cyber realm.
Our guest, Jerry Caponera from ThreatConnect, wonders if we need more carrots than sticks in cybersecurity regulation.
Stick around.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their
controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30
frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to
bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
There's an age-old bit of wisdom about motivating people that you can use carrots or sticks.
Cybersecurity regulations and guidelines often fall into these two categories,
trying to use a positive lure to get you to do the right thing or a negative punishment if you don't.
Jerry Caponera is general manager of risk products at ThreatConnect, and I spoke with him about the notion of regulatory carrots versus sticks.
The sticks are real. The GDPR regulation is written such that you could potentially lose
between 2% and 4% of your gross revenue to a fine. That's a pretty big stick. That's a lot of money.
But in regards to carrots, we don't see a lot of that.
Where this really starts to get interesting is where the government starts to mandate
what you should be doing.
So I was reading about some of the healthcare regulations that are coming down the pipe
as well, too.
And they're trying to figure out how to build regulations in a way that makes sense.
So they're putting sticks together, but there's no carrot.
By that, I mean, they're saying, well, thou hast to do this.
You have to be compliant with this set of standards or this approach.
And that's great, but they're not providing any financial incentive for them to do this.
And the reason that that carrot in terms of financial incentive matters is because every company has a bajillion things to do, right?
That's a technical term, bajillion.
They do.
And security is one of them.
So if now all of a sudden you have regulations that say, here's what you need to do, what
companies are going to do is they're going to look at that and analyze, what's the potential
fine that I'm going to have to deal with?
And is it worth just paying it?
Instead of the government or these regulatory bodies saying, here's a way that if you were to actually implement and meet our standards,
we can reduce your cost or provide funding.
And that's the carrot piece that's missing from a lot of these regulations.
They're pretty much all, if you do something bad, we're going to fine you.
And that works for things like GDPR for New York State.
But when the government starts saying,
we need you to be compliant with this set of standards
and doesn't provide the funding or the carrot to do that, it just creates
a really challenging situation for these companies. Do you suppose that we're seeing some carrots
coming from other directions? I'm thinking particularly of the insurance industry,
where they're saying, if you want to be covered and you don't want to spend as much money,
do these things and perhaps your rates will be lower.
Absolutely.
I think that's one area where we'll see a lot of innovation in the coming year or two.
Because we've seen that the premiums are rising pretty high.
Not only are premiums rising, but the zone fencing or how the insurance companies are limiting what they pay out is increasing as well, too.
They're making it harder, which is why it's a business.
And so I think there's a couple of things we'll see.
I think what I'd love to see is I'd love to see, and it's funny, I'd love to see something
I won't do.
But Geico, the insurance company, came out a while back with the device you put in your
car.
And if it monitored your speed, if you're going a certain speed and you're
not speeding, you're not crashing, it's a good thing.
Over a period of time, they'll lower your rate because they're measuring and actively
monitoring where you are from a risk perspective versus how much you're paying.
And lower risk, you pay lower.
That's the concept that's going to have to be implemented in security when it relates
to the insurance world as well, too.
So we will see some of that, but the insurance industry also has to adapt
both how they look at risk from a company's perspective
and how they're measuring it.
Because today, they're not measuring at that level of detail
or really doing that kind of inside-out measurement in general.
So, yeah, I do see that coming, but there's some work to do there.
Well, when we think about the government and particularly the federal government,
what sorts of options do they have
to incentivize organizations?
So the government has lots of different things
that they can do, right?
They can, for example, do something as simple as,
you know, if you as a vendor, for example,
are producing a low number of vulnerabilities,
low number, you know, highly secure technologies
in a good way.
They can provide incentives for you to work with the government, better rates, better contracting terms, lower taxes.
They got a lot of flexibility there.
There's a model, though, that's worked in the past.
And it's interesting because if you look back in history, we drive cars.
We've been driving cars for 100 years or so.
The NTSB, National Transit Safety Board, was set up to help solve a similar problem.
That similar problem was that there was a lot of accidents that caused death in cars
because there was no security, there was no defenses in a car at that time.
and if I look back at the numbers, you can see that
the death rate, the motor vehicle death rate reached peak in 1937 with about 30 deaths per 100,000 population.
Whereas today, that current rate is 12.9.
So it's a 58% improvement.
Now, what they did was they actually worked with the manufacturers, with the vendors, with consumers to figure out what would work from a security perspective.
What I think the government can and should be doing is looking at creating like an
NTSB type organization for security, because that will help solve the end-to-end problem.
Because if we don't think about this like an end-to-end problem, what can end up happening is
you'll fix one part of the problem, or you'll fix one part of the supply chain, and then something
else will pop up as the bigger problem. Play whack-a-mole with this kind of security.
Whack-a-mole doesn't work.
You have to have somebody looking at this problem at a broad level,
and I think that's where the government can come in.
So I'm actually surprised they haven't tried to create
a cyber technology safety board to do something very similar
and encourage vendors and consumers and companies
to get on board with this and really help increase security for both critical infrastructure
and everybody writ large.
That's an interesting idea, and I can't help wondering,
what's the cyber equivalent of an airbag or a seatbelt or a padded dashboard?
You know, it's interesting.
I think it's as simple as two-factor authentication, right?
It's as simple as maybe a VPN when you're browsing. I know I've done something right in my life. I
have no idea, but I can measure success in one way and that my family has been trained.
If they get a weird text, they don't click on it. They get a weird email, they don't click on it.
Even my mother says, hey, this is a bad email. I'm like, yes.
Like that kind of simple training works. So it can be as simple as just training people.
Hey, you know what? You probably don't have a cousin who's a long lost cousin who's a prince in a foreign country that wants to send you money. You don't. Don't click the link. It'll
be as simple as training, two-factor authentication, basic cyber hygiene.
Doesn't have to be crazy complicated.
That's Jerry Caponera from ThreatConnect.
And I'm pleased to be joined once again by Bryan Vorndran.
He is Assistant Director for the Cyber Division at the FBI.
Director Vorndran, thank you for joining us again here today.
I want to touch base with you and get your perspective on the interaction and collaboration of the various federal agencies when it comes to cyber.
Can you give us a little bit of behind-the-scenes
insight as to how the different agencies interact? Sure, Dave, and thanks for inviting me to join
you again. I'd probably be best to break this down into two use case scenarios. The first is when we
disseminate cybersecurity advisories, and then the second is when we have an active intrusion with a victim
that we're involved with. So in the former example where we're disseminating cybersecurity advisories,
we work very, very closely with CISA and other agencies within the U.S. government,
most notably NSA, to consolidate our different threat intelligence in our world, the results of our investigative
activity, to inform net defenders and private sector and other equity holders about what we
are seeing across the totality of the U.S. government apparatus. If we do that work
unilaterally, we have different products that we would disseminate. But more and more,
you're seeing a consolidated effort across
the U.S. government in bi-seal, tri-seal products or dual-seal, tri-seal products that really do
formulate and show the results of our collective work. We do that work because we think that
between the multiple agencies that are developing those products, that we can tell a better story,
not just a better story about a threat, but also a better story about how to counter the threat
through net defense activities and net defense posture. In the second example, where we are
actively involved with the victim of a cyber intrusion, it looks a little bit different.
And so because the FBI is a decentralized workforce,
there is a high likelihood that if the victim is a major organization, that the FBI will be
directly engaged with them in person. But CISA and the Bureau are very insistent that a report
to one of us, whether that's CISA or the FBI, truly is a report to all of us. And
we are responsible to synchronize our efforts on the backside. And I think we're getting better
and better at that as the years go on. And so I've been asked directly, Bryan, do you really care
that we call the FBI first? And the truth of that answer is, well, I would love for you to call the
FBI first,
but it's more important to me that you call the U.S. government and report what's happening
because the totality of the U.S. government's knowledge on a specific threat is really
important to understand the totality of the nature and the scope of a threat.
But in those moments where we would be engaged with a victim, there's really two distinct roles.
The FBI's role is a role of investigative activity, operational activity, to understand the nature of
the threat, other potential victims that may have been compromised, and to take the totality of
those findings and share them with CISA primarily so that CISA can do really good
work to share the nature of the threat, the indicators of the threat, general TTPs and IOCs
with other net defenders so that net defenders have a current view of other activity.
The only last piece I would add, Dave, is certainly the sector risk management agencies have an ever-increasing role.
And so the best example I can give you is for the pipeline sector, TSA is the sector risk
management agency. So if there is a significant compromise, cyber compromise of a pipeline company,
undoubtedly TSA would be involved with CISA and the FBI so that they could provide sector-specific, in this example, pipeline company-specific use information to those pipeline companies who they have a close relationship with.
So that's how it all synchronizes together in the two examples.
I'd be happy to take further questions for you, but hopefully that sheds some light.
It does.
I'm curious, what goes into deciding who takes the lead in any particular case? Is it how it falls into any particular agency's areas of specialty expertise?
Specifically between CISA and the FBI, we both have distinct roles.
So within what we broadly refer to as PPD 41, Presidential Policy
Directive 41, it scopes the FBI's role as a threat response role and CISA's role as an asset response
role. So the threat response you can interpret as investigation, operational responsibility.
The asset response role you can interpret as net defense assets. What are we doing
to make sure that our firmware, our software, our hardware is up-to-date, patched, and net defenders
are knowledgeable of the latest TTPs and IOCs that adversaries are using? So it's not really a lead
role for one agency or the other. It's really a better conversation about all of us having different
roles to fulfill the totality of the U.S. government mission. So hopefully that offers
a little bit more perspective. The only thing I would share with your audience that I think is
important is we have learned that one of the best conversations private organizations can have
before an intrusion is which organization they would
like to serve as an ingress and an egress to their C-suite. And there have been many times
where the FBI has been selected in that role, and there have been many times when the FBI has not
been selected for that role. We are equally fine with either. We would just encourage companies to,
A, make sure they're reporting when they do become
a victim, and B, think through who do they want to serve as the ingress and egress for the U.S.
government. All right. Well, Bryan Vorndran is Assistant Director of the Cyber Division at the FBI. Thanks so much for joining us. Thank you.
a partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs
smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
That's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
This episode was produced by Liz Tyler and senior producer Jennifer Eiben.
Our mixer is Trey Hester. Original music by Elliot Peltzman. Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into
innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate
your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.