CyberWire Daily - Ransomware hits another US farm co-op, as Russian gangs seem to continue attacks without interference from Moscow. A new APT is described. REvil was cheating? CISA warns about Conti.

Episode Date: September 23, 2021

Ransomware hits a second US Midwestern farm co-op. The US House hears from the FBI that Russia seems not to have modified its toleration of privateering gangs (at least yet). A new APT, "FamousSparrow," is described. REvil seems to have been--surprise!--cheating its criminal affiliates. Josh Ray from Accenture with an update on the Hades Threat Group. Our guest is Tim Eades of vArmour on the urgent need to update cyber strategies in healthcare. CISA issues a new warning, this one on the Conti ransomware operation. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/184

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Ransomware hits a second U.S. Midwestern farm co-op. The U.S. House hears from the FBI that Russia seems not to have modified its toleration of privateering gangs, at least yet. A new APT, FamousSparrow, is described. REvil seems to have been, surprise, cheating its criminal affiliates.
Starting point is 00:02:21 Josh Ray from Accenture with an update on the Hades threat group. Our guest is Tim Eades of vArmour on the urgent need to update cyber strategies in healthcare. CISA issues a new warning, this one on the Conti ransomware operation. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, September 23rd, 2021. Ransomware has hit a second U.S. Midwestern farm cooperative. The Crystal Valley Cooperative disclosed the September 19th attack Tuesday. Since then, its website went offline.
Starting point is 00:03:15 The company's Facebook page remains available. The incident has disrupted business operations, notably the co-op's ability to process credit card payments. Early reports don't indicate which strain of ransomware was involved. Iowa's NEW Cooperative was hit by BlackMatter last week. It's unknown, Bleeping Computer says, which strain of ransomware hit Mankato-based Crystal Valley. Late this morning, Crystal Lake's site came back up with an update on the ransomware incident.
Starting point is 00:03:44 Their brief statement read, in part, quote, This attack has infected the computer systems at Crystal Valley and severely interrupted the daily operations of the company. Crystal Valley and cybersecurity experts are working diligently to reestablish safe and secure operating systems, which will be back online when we are confident the issue has been resolved. End quote. It remains unable to process credit cards, with the exception of local cards. The incident is being taken by much of the early comment in the media to be another instance of a trend. Ransomware gangs, particularly the Russian privateers in the criminal subsector, are
Starting point is 00:04:23 determined to either impose their own definitions of critical infrastructure on policymakers and law enforcement, or, more probably, simply to push the U.S. in particular to draw some bright lines. Considering the drawing of lines, U.S. officials this week testified before the House Homeland Security Committee on global threats to the United States. Among the topics under discussion was the extent to which U.S. objections and representations have succeeded in getting Russia to modify its support for the privateering gangs that have been so active in pushing ransomware against U.S. targets. C-SPAN recorded this exchange between Rep Representative Andrew Garbino, a Republican in
Starting point is 00:05:06 New York's 2nd District, and FBI Director Christopher Wray. The subject of quite a bit of discussion and planning and operational activity these days, there may be more that we could share in a more classified setting. But what I would tell you in this setting is that Russia, the reality is that Russia has a long history of being a safe haven for cybercriminals, where the implicit understanding has been that if they avoid going after Russian targets or victims, they can operate with near impunity. And the Russian government has long refused to extradite Russians for cybercrimes against American victims.
Starting point is 00:05:46 And worse, their Ministry of Foreign Affairs has long been warning its citizens, publicly been warning its citizens, which other countries, which third-party countries to avoid, because those countries, they say, will arrest or extradite those Russians back to the United States to face justice for cybercrime. So it's too soon to tell whether any of the things that are underway are having an impact. But in my experience, there is a lot of room, a lot of room for them to show some meaningful progress if they want to on this topic. So Moscow seems not to have been deflected from its long-standing co-optation and use of criminal organizations against its adversaries.
Starting point is 00:06:29 That, at any rate, seems to be the received wisdom in Washington. You can listen to the entire hearing on C-SPAN. ESET this morning published its study of a hitherto unremarked cyber espionage advanced persistent threat probably working on behalf of a nation-state. Which nation-state is unknown, but ESET calls the group FamousSparrow and says it's been active since 2019. It's recently exploited the ProxyLogon vulnerability to collect data from hotels.
Starting point is 00:07:01 FamousSparrow used some tools associated with the Chinese APT SparklingGoblin, but ESET considers them to be distinct groups. Why would spies, actual professional intelligence services, be interested in hotel records? No secrets there, right? Well, there are a few reasons. The first reason, and the less serious but still pervasive one, is that intelligence services are gluttons for information of all kinds, and their appetite grows with the eating. Why would they collect this data? Well, because they can. The more serious reason lies in the quality of the hotel information itself. It's valuable. It can tell a service quite a bit about the individuals who are, for whatever reason, persons of interest.
Starting point is 00:07:46 It can be useful in building up what the services call a target dossier. FamousSparrow will bear watching. REvil, whose alumni may be operating the BlackMatter ransomware, if indeed BlackMatter doesn't simply represent a rebranding of the older gang, appears, Threatpost reports, to have been cheating its own criminal affiliates. A backdoor and double-chat functionality enabled REvil to communicate directly with victims, bypassing its affiliates. They could, in effect, cut out the middlemen lower in their multi-level marketing scheme,
Starting point is 00:08:22 dealing directly with the victims when it seemed to their advantage to do so. The back door and chats have been cleaned out, perhaps as part of a rebranded R-Evil's attempt to restore its reputation in the criminal-to-criminal marketplace. No one wants to deal with an untrustworthy service provider. Unfortunately, criminals tend to be trustworthy only on shaky, self-interested, and instrumental grounds, but we all knew that. Still, it's worth bearing this in mind when deciding how to credit such criminal claims as we won't act against the common good, or we won't harm individuals, or even we won't damage critical infrastructure. With respect to the last example, we've seen at least three times this year that gangland doesn't consider food supply and distribution to be critical infrastructure. Maybe they all grow their own food on a private plot of land, but we doubt it.
Starting point is 00:09:16 If REvil was indeed stealing its affiliates blind, that would suggest an additional possible explanation for the gang's decision this summer to go into occultation and rebrand itself. Sure, the Americans are sore at them, but there may be outraged affiliates a lot closer to home who are also pretty angry and possibly less inhibited than the FBI. The U.S. Cybersecurity and Infrastructure Security Agency, that's CISA, has issued a new warning with the FBI and NSA against Conti ransomware. Conti will exploit common vulnerabilities to gain access to its targets,
Starting point is 00:09:55 but most of its infestations can be traced to some variety of social engineering. CISA and its partners in the FBI and NSA recommend certain mitigations. They're familiar best practices, but worth a quick review in any case. Use multi-factor authentication, implement network segmentation and filter traffic, filter network traffic to prohibit ingress and egress communications with known malicious IP addresses, scan for vulnerabilities and keep software updated, upgrade software and operating systems, applications, and firmware on network assets in a timely manner, consider using a centralized patch management system, remove unnecessary applications and apply controls,
Starting point is 00:10:37 investigate any unauthorized software, particularly remote desktop or remote monitoring and management software, implement application allow listing. Implement endpoint and detection response tools. Limit access to resources over the network, especially by restricting RDP. Secure user accounts. Regularly audit administrative user accounts and configure access controls under the principles of least privilege and separation of duties. Regularly audit logs to ensure new accounts are legitimate users,
Starting point is 00:11:08 and use the ransomware response checklist in case of infection. This advice is given with reference to Conti, but it's equally applicable to other threats as well. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:11:47 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:12:35 And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Healthcare systems around the world continue to be strained by the burden of COVID-19, making their resources all the more precious for protection against cyberattacks.
Starting point is 00:13:39 Tim Eades is CEO of enterprise security firm vArmour, and I spoke with him on the security challenges facing the healthcare community. So healthcare systems today have been underinvested, I think, from a security perspective over the last decade or so. The level of security investment, if you compare it to a bank, for example, the spending differential was quite large. And so they just didn't have the funds. I mean, the banks have been a target for money for decades. And healthcare now with ransomware, the guns over the last two or three years have been pointed really hard at healthcare. I mean, they're still pointed at banks, obviously. But my oh my, the vulnerability of the healthcare systems because of the lack of investment and a lack of funding has really left them exposed, I think.
Starting point is 00:14:24 And so does that leave them in a situation of really having to play catch up here? Yes, they are having to play catch up. For sure, they're having to play catch up. For sure, they know how to do it. There's enough expertise out there that can help them. And now it's a prioritization of funding for them to do that. But obviously, you're struck here, right, you've got the healthcare systems that are incredibly spread very thin
Starting point is 00:14:48 from a resources perspective. We're in the middle of a pandemic. They're trying to look after patient care first. And at the same time, they're being attacked for ransomware. So they are between a rock and a hard place. And it's a difficult position for them to be in. And I think it's something that I think security companies need to really do a better job of stepping up and helping out and getting flexible,
Starting point is 00:15:10 whether it's on payment terms or capabilities or services or whatever it is, as they're dealing with this pandemic on one side and the ransomware attacks on the other hand. I think it's fair to think of healthcare systems, you know, hospitals and so forth as critical infrastructure. I mean, should there be a federal response here? Should funding be coming from those folks? That's a very good question. Should they be doing more? Should there be a fundamental federal response to helping out the hospitals on this side? Yeah, I think that would be a very interesting topic. I mean, you've heard Biden talk about zero trust
Starting point is 00:15:47 and everything else. And with the Colonial Pipeline ransomware attack, which is, I thought, made everybody more aware, particularly on the East Coast, like, oh my God, ransomware is real. And it's really affected me as the taxi driver or as a person that works in the supermarket, whatever else.
Starting point is 00:16:02 As that turns towards healthcare systems, yeah, I think it would be appropriate that the current administration looks at this as critical infrastructure and does more. Is there a difference between the haves and the have-nots here? Are there healthcare systems who are on top of this and are doing a good job, contrasted to other systems that may be in more financial dire straits?
Starting point is 00:16:31 Yeah, there's certainly the haves and the have-nots, like all things. There's a spectrum here where the top hospitals and the top clinics have exceptional security programs, but there's a very long tail, arguably a longer and longer tail than there is in banking. So I just feel really sorry for them, whether some of these hospitals that get hit, as I said, they're spread extremely thin on the pandemic. Their budgets have to be poured towards patient care.
Starting point is 00:16:59 And at the same time, they've been underinvested from a security perspective for the last decade or so, maybe more than that. For that person out there who is in charge of security for a healthcare organization, do you have any advice, any words of wisdom? I mean, how do they come at this problem? You know, I think the wisdom of the crowd is the most important thing. You know, the National Health ISAC organization is a fantastic organization. Errol Weiss runs that. And so I would lean into the ISAC organizations and information sharing organizations, work with their colleagues in other industries, in other hospitals, other healthcare providers, and start to look at best practices across it.
Starting point is 00:17:42 Start to see whether the NH-ISAC can actually help. And then I think from there, you will start to steer to better wisdom. And then I think they need to negotiate really well and say, look, we need this help. We need the services to help us get this up and running. We need to make sure that we get creative on terms. What the wisdom would be, I would, number one,
Starting point is 00:18:03 I would go work with the wisdom of the crowd, go to the National Health ISAC, go talk to Errol Weiss, who runs that. It would be a great source of income, of knowledge. And then from there, you can turn around and say, what are the right things to do? How is Mayo handling it? How is the top of the spear organized to secure their assets and their information? And then get the best practices from them, negotiate with the security providers, and demand a better approach to solving the problem. That's Tim Eades from vArmour.
Starting point is 00:19:12 Thank you. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Josh Ray. He is Managing Director and Global Cyber Defense Lead at Accenture Security. Josh, it is always great to have you back. I wanted to check in with you on the Hades Threat Group. I know it's something you and your colleagues have had some focus on here. You've got some new findings to share. What can you share with us today? Yeah, thanks, David. I just want to provide a quick update to the community on that research that you mentioned from our CTI and IR teams.
Starting point is 00:20:03 The profiles of the known victims continue to be consistent of this big game hunting. And the target selection and deployment methods is really aimed towards high value payouts. So that's important to remember. And our team has seen firsthand since the discovery of Hades, at least seven new victims
Starting point is 00:20:21 across consumer goods and services, insurance and new manufacturing industries. And this is likely directly a result of their unique approach to kind of victim communication. And they've taken this notion of lone wolf approach. And for those that aren't familiar with that, this lone wolf approach is consistent with what we would normally look at as these ransomware as a service.
Starting point is 00:20:45 Hades has taken the exact opposite approach. They don't appear to be participating in these RAS operations. And actually, our CTI team was able to really confirm this because we haven't found any forums or marketplaces that is supporting that Hades is operating outside of this affiliate-based model. Now, this does not mean that they are not well-resourced in a very credible threat. What are your recommendations for folks to best protect themselves against this group? Yeah, I mean, so there's a few things that have kind of changed, and I'll kind of provide some
Starting point is 00:21:20 recommendations here. So, you know, one of the things that we've seen is that, you know, there is some consistency as far as overlap and intrusion sets across the known victims. However, you know, there are some unique destructive actions that we've observed, right? So we've seen that targeted, that organizations have been targeted in their cloud environments and the destruction of that cloud-based native backups and snapshots. So that's kind of troubling. And we also see that there's been a new variant that the Haze group is using. So where before, you know, they were pretty consistent with the malware variants that they're using. They've now introduced into their arsenal this notion of Phoenix CryptoLocker. And we think this is, you this is possibly to deter attribution claims
Starting point is 00:22:07 or even some additional campaign links. When you talk about mitigations, obviously there's the hygiene pieces that you need to kind of keep in mind. But I think more so than ever, organizations absolutely need to have this robust crisis management and incident response plan. They need to make sure they have continuity of operations plan to account for wiper attacks that can spread across the business. Obviously, you know, best practices around patching and updating antivirus and things like that. But, you know, we really stress to make sure that our clients
Starting point is 00:22:41 have, you know, EDR deployed at least across 90% of their workflows and ensuring things like securing RDP connections with VPNs and NLA if you absolutely have to use RDP. And then finally, while this is not an exhaustive list, again, moving past that notion of just doing the baseline and moving towards a more proactive security approach, actually start to hunt for attacker TTPs, really to detect and respond more effectively to these types of ransomware attacks before they can impact the business. All right. Well, Josh Ray, thanks for joining us. Thank you, Dave.
Starting point is 00:23:37 And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karpf, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick. Thanks for listening. We'll see you back here tomorrow. Thank you. but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Starting point is 00:24:56 Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
