CyberWire Daily - The cyber underworld is getting a bit faster and a lot looser, and the gangs may be drawing some unwelcome attention.

Episode Date: November 14, 2023

CISA and the FBI issue an update on Royal Ransomware. A look at smash-and-grab ransomware attacks as well as cloud vulnerabilities. A pre-Black Friday look at card skimmers. Fences, and their place in... organized cybercrime. DP World Australia restores port operations. Joe Carrigan on scammers taking advantage of the Bittrex crypto market being shut down. In our Industry Voices segment, Usama Houlila from CrossRealms International shares his insights on the pivotal role of AI in cybersecurity. And LockBit may be drawing unwelcome attention to itself.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/217

Selected reading.
#StopRansomware: Royal Ransomware (Cybersecurity and Infrastructure Security Agency | CISA)
FBI: Royal ransomware asked 350 victims to pay $275 million (BleepingComputer)
The Song Remains the Same: The 2023 Active Adversary Report for Security Practitioners (Sophos)
Why 93% of Security Leaders Say Cloud Security Requires Zero Trust Segmentation (Illumio Cybersecurity Blog)
Malwarebytes Labs Reveals 50% Uptick in Credit Card Skimming in Advance of the Holiday Shopping Season (PR Newswire)
Credit card skimming on the rise for the holiday shopping season (Malwarebytes)
The Fencers: The Lynchpin of Organized Retail Crime Enterprise (Nisos)
DP World cyberattack blocks thousands of containers in ports (BleepingComputer)
Operations at Major Australian Ports Significantly Disrupted by Cyberattack (SecurityWeek)
Australian Ports Recover From Cyber Incident (Bank Info Security)
DP World: Australia sites back online after cyber-attack (BBC News)
Australian ports resume some operations after major cyberattack (CNN)
Australia Cyberattack Leaves 30,000 Containers Stuck at Ports (Bloomberg)
Hacking Gang Behind Attack on Largest Global Lender Says It Got Ransom Payment (Bloomberg)
Gang says ICBC paid ransom over hack that disrupted US Treasury market (Reuters)
After a surprise cyberattack, the world's largest bank had to shuffle a USB stick around Manhattan to do business (PC Gamer)
WSJ News Exclusive | ICBC Hackers Used Methods Previously Flagged by U.S. Authorities (Wall Street Journal)
Inside Wall Street's scramble after ICBC hack (Reuters)
Did a ransomware gang mess up by attacking a U.S. arm of China's biggest bank? (Washington Post)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. CISA and the FBI issue an update on Royal Ransomware, a look at smash-and-grab ransomware attacks as well as cloud vulnerabilities. A pre-Black Friday look at card skimmers, fences and their place in organized cybercrime. DP World Australia restores port operations.
Starting point is 00:02:25 Joe Carrigan on scammers taking advantage of the Bittrex crypto market being shut down. In our Industry Voices segment, Usama Houlila from CrossRealms International shares his insights on the pivotal role of AI in cybersecurity. And LockBit may be drawing unwelcome attention to itself. I'm Dave Bittner with your CyberWire Intel briefing for Tuesday, November 14th, 2023. We begin with a warning from the feds, specifically from the U.S. Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation. A classic double extortion ransomware gang that both encrypts and doxes its victims, Royal is undergoing some changes. The Royal ransomware gang is a classic double extortion ransomware operation that both
Starting point is 00:03:33 encrypts and doxes its victims. CISA and the FBI yesterday updated their advisory, stating, Since September 2022, Royal has targeted over 350 known victims worldwide, is not paid. Phishing emails are among the most successful vectors for initial access by Royal threat actors. There are indications that Royal may be preparing for a rebranding effort and or a spinoff variant. BlackSuit Ransomware shares a number of identified coding characteristics similar to Royal. A previous joint CSA for Royal Ransomware was published on March 2, 2023. This joint CSA provides updated IOCs identified through FBI investigations. CISA and the Bureau have updated their notes on the gang's tactics, techniques, and procedures, as well as their list of indicators of compromise.
Starting point is 00:04:42 Read and heed, CISOs, and look to user awareness training. Rebranded or spun off, the operators behind Royal can be counted on to continue their phishing. Sophos has published its 2023 Active Adversary Report for security practitioners, noting a precipitous decline in dwell time for all attacks. This represents both an increase in the attacker's proficiency—they're able to get in, root around, and get out faster, even as they continue to use tried-and-true tactics, techniques, and procedures. It also suggests that the criminals are aware that defenders are now more alert and much quicker on the uptake. There's no time for anything other than a smash and grab.
Starting point is 00:05:29 Illumio has released a cloud security survey conducted by Vanson Bourne, finding that 47% of breaches in the last year at surveyed organizations originated in the cloud. There are some trends in cloud vulnerabilities that are worth some attention. First, complexity of applications and workloads and the immense overlap of cloud and on-premises environments complicate the defender's task. Second, still more complexity, diversity, and the expansive number of services that cloud providers offer. And finally, it's difficult to maintain situational awareness in that complicated environment. Poor visibility over all the above, including the inability to identify weak points and proactively ensure protection rather than just reactively locking down compromised systems.
Starting point is 00:06:25 Malwarebytes is tracking an increase in card skimming campaigns ahead of the holiday shopping season. The researchers describe a large credit card skimming operation called Kritec that surfaced in March 2023. The threat actors craft customized skimmers for each compromised website. Malwarebytes says the experience was so smooth and seamless that it made it practically impossible for online shoppers to even realize that their credit card information had just been stolen. In April, the skimming campaign reached a peak and then slowed down during the summer. However, it came back, increasing to its highest volume in October. And of course, all of this can be expected to continue and probably increase during the holiday season. It's not just card skimming either. There is also an increase in organized shoplifting.
Starting point is 00:07:16 A report from Nisos looks at cybercriminal fences involved in organized retail crime. The researchers note, ORC is separate from typical shoplifting committed by individuals stealing goods for personal use. To acquire products, an ORC enterprise typically steals large quantities of merchandise from stores or cargo locations to resell online, at independent locations or through other retailers. It works because of the widespread and largely unregulated aftermarket for stuff that thrives online. Nisos says it all comes down to the fencing, stating, The success and endurance of ORC relies on the fencer's ability to sell stolen merchandise to consumers who are either unwitting or apathetic to the product's origin and acquisition. A review of court cases showed fencers are often the top individuals in smaller or less complex enterprises,
Starting point is 00:08:07 while larger enterprises may involve senior individuals who help divert and clean stolen goods before resale. DP World Australia has reopened port operations as its investigation into the cyberattack the company sustained Friday continues. There is so far no public disclosure of the precise nature of the incident, and no known criminal group appears to have claimed responsibility. DP World did issue a statement to its various stakeholders in which it said, a key line of inquiry in this ongoing investigation is the nature of data access and data theft. BleepingComputer points out that data theft is typically a concern of extortion attacks, but there's been no public acknowledgement that the incident involved ransomware.
Starting point is 00:09:00 In any case, a concern about data loss would be prudent in any victim of a cyberattack. And finally, has LockBit maybe gone too far with its recent attacks? The Washington Post comments that LockBit's attack against the Industrial and Commercial Bank of China's ICBC Financial Services Division may backfire against the gang. LockBit is generally regarded as operating under the tolerance and effective protection of the Russian government. LockBit says that it's based in Amsterdam, and that it's a group of disinterested criminals without political purposes and interested simply in financial gain. It's got a plausible case for financial motivation, but the group's Russian identity isn't in serious question.
Starting point is 00:09:41 It operates effectively as a privateer, free to attack where it will as long as it avoids Russian targets. It also runs an affiliate program in which it licenses its malware to other criminal franchises. U.S. and especially Chinese authorities are unlikely to ignore or overlook the attack on ICBC. Prominent members of the Chinese Communist Party lost money in the financial turmoil that followed the attack, and China is likely to take enforcement action against the gang. Russia may have been embarrassed by an attack against a country that it's assiduously courted as a wartime ally, and it's not impossible that Russian security services
Starting point is 00:10:22 might make a gesture against LockBit with a round of arrests. The Post lists some other possibilities surrounding the attack. Russia may have approved the attack as retaliation for Chinese cyber espionage. LockBit may have imperfect control over its affiliates and is brazening out the attack to avoid losing face in the underworld. Or the Russian government's close relationship with cyber gangs may be fraying under the pressure of the war against Ukraine. LockBit told Reuters yesterday that ICBC had paid the ransom demanded and that the matter was now closed, but that's just LockBit's unreliable word.
Starting point is 00:11:02 After all, ransomware gangs aren't known for their honesty. Coming up after the break, Joe Carrigan on scammers taking advantage of the Bittrex crypto market being shut down. In our Industry Voices segment, Usama Houlila from CrossRealms International shares his insights on the pivotal role of AI in cybersecurity. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
Starting point is 00:12:01 More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Thank you. slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:13:17 In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Usama Houlila is founder and CEO of CrossRealms International, an IT services provider. In this sponsored Industry Voices segment, Usama Houlila outlines his thoughts on the pivotal role of AI in cybersecurity and its potential to revolutionize our response to cyber threats. Historically speaking, it used to take three months for an attack to take place.
Starting point is 00:14:02 If we go back to Target and others, it was three months. And then it dropped down to a couple of weeks, then a couple of days. And now we're zero to four hours for an attack to start to finish. So the thought is a human isn't going to be able to deal with it because it's actually quite complex as a problem. So one, you have to receive the logs in time. Two, you have to figure out what those logs are and correlate them and enrich them,
Starting point is 00:14:31 then figure out what action to take on them. And you have zero to four hours. Well, that's kind of short. That's extremely short. So the way I view AI is a way to kind of speed things up so that we're able to react skillfully or automatically before the hackers are able to kind of complete their attack. Can you walk us through that process? I mean, a threat actor decides that they have their sights set on an organization.
Starting point is 00:15:01 How could AI help facilitate their defense? The way we're dealing with it is we're looking at all the machine data that is coming in and we're trying to turn it into an enriched data that is in a human format. So instead of looking at pages and pages of logs that you have to somehow try to forensically understand, we're turning it into a simple format, simple language format. So it says, for instance, this person logged in, this person did this, this person changed their password, this person went somewhere else. So the first thing we're dealing with is utilizing AI to turn machine data into a human
Starting point is 00:15:39 language model. And then from there, turning that into action, whether automated or human, depending, of course, on what it is. So this is how, at least for us at CrossRealms, that's how we're tackling AI and cybersecurity. And what part does the human have to play in this equation? Well, a lot of times there are outliers. You could program a lot of things. You could program, for instance, your reaction to an attacker coming in on a firewall or, for instance, an attacker coming in in the cloud. But what happens if the actor is much more capable or smarter than that and trying to come in from different vectors?
Starting point is 00:16:25 This is where AI could look at a huge amount of data and understand what's happening or learn what's happening fast enough to counter it. A human can usually deal with a single incident or multiple incidents, but if you have thousands of incidents and they all are there to deceive you or to have you look at an issue somewhere else instead of focusing on what's happening where the attack vector is, AI actually can help tremendously here.
Starting point is 00:16:52 What's the potential here for cross-organizational data sharing? I'm imagining you all, for example, work with organization A and some alarm gets tripped on their system. Could that inform the way that organization B gets defended while still maintaining privacy? A hundred percent. So one of the things that we're working on currently is we're collecting data from our managed services customers and other customers who are willing. We're collecting, correlating that data. We're collecting from other resources that are out there and available, even the paid ones. And it does work. And it's extremely,
Starting point is 00:17:31 extremely effective because in a sense, it closes in the attack area, the surface area. It becomes much smaller as we create these large filter sets. Basically, for instance, if an attacker tries to hit a bank, then hit a law firm, then hit a professional services company, etc., there can't be anything good in here. Obviously, this is an attack in progress. and collecting it and taking action on it, that means that dynamically worldwide, we are able to close in and reduce that surface attack area. To what degree do you believe that the bad guys are utilizing this technology themselves? A hundred percent.
Starting point is 00:18:20 I mean, they are definitely using it. One of the things that we are afraid of is, look, whatever system you buy currently on the internet, anywhere, to actually create your defense, well, guess what? They have the same ability. They're a business. They're going to buy it. They're going to use it. They're going to study it. They're going to dynamically monitor it. So that's one of the issues is for us that we have to stay ahead of it by making sure that people don't have access to it. Or if they do, that it is of no consequence, that it doesn't give them an advantage.
Starting point is 00:18:56 But currently what I've seen is a lot of these attackers and hackers have full access to the entire platform that most companies use to defend themselves. What are your recommendations for that cybersecurity leader who is curious about this and perhaps wants to check it out for their own organization? What's the best way to get started here? I would say it's difficult. That's part of the problem. We actually, as an organization, we didn't see the amount of effort that it takes before, especially when it comes to cybersecurity.
Starting point is 00:19:32 So just to repeat that, we as an organization, we didn't realize how much effort it takes to secure an organization. You're talking about patching. You're talking about updates and upgrades. You're talking about protection and firewall audits. You're talking about compliance, the cloud. It takes a lot of effort to do it. So those are the basics. You have to do that first. And then the AI comes in.
Starting point is 00:19:58 If an organization is interested in an AI and they do have a development team of a sort, then yes, they should definitely start installing it, looking online, getting some training classes, installing it, training it, et cetera. But it takes a lot of effort. The team that we have currently working on it at CrossRealms is like almost 12 people. And it's a slog. And the reason, although we're working with a limited amount of data, which is basically cloud, firewalls, perimeter, identity access management, other services, DNS, et cetera, it still takes a large amount of time in order to do it. Because to train it, you have to kind of walk through the process, walk through the logs, etc. So do I advise a medium or a large size organization to get into it? Definitely, because they're going to learn a lot. It's not the issue of achieving some AI nirvana. It's the idea of learning from it and
Starting point is 00:20:57 being comfortable with it or being, you know, getting acquainted with it enough so that you would know where it fits your organization and where it doesn't. That's Usama Houlila from CrossRealms International. And joining me once again is Joe Carrigan. He is from the Johns Hopkins University Information Security Institute and also my co-host on the Hacking Humans podcast. Hey, Joe. Hi, Dave.
Starting point is 00:21:35 Saw a story about some research that the folks over at Abnormal Security were doing here about some scammers trying to take advantage of, I guess, some news about the Bittrex crypto market being shut down. Right. Unpack what's going on here for us, Joe. All right. So this is some research from Mike Britton, who is the writer of this Abnormal Report. Okay.
Starting point is 00:21:59 And Abnormal being the company name, not the Abnormal Report. Right. So what happened was there was a company called Bittrex that started trading cryptocurrency and they were doing that in the U.S. and the Securities and Exchange Commission said, the SEC here in the U.S. said, no, you can't do that. Now you're an unlicensed security dealer. Okay. So they shut down in April and they, so they didn't, it wasn't like FTX where there wasn't any money there. The money was still there. So they said to everybody, okay, you have until August to get your money out. And they sent emails out. And by the time the
Starting point is 00:22:37 deadline rolled around, which was the end of August, something like 77% of these accounts had less than a hundred dollars in them. Okay. Meaning that everybody who had gotten their money out essentially had the opportunity and took it to go get their money out of the account. Okay. So these phishers in October, well after the deadline, sent another email saying, last chance to get your money out. And it was essentially just a credential harvesting operation. So they sent the email pretending to be someone from Bittrex.
Starting point is 00:23:11 From Bittrex. And they sent it to Bittrex, people who had Bittrex accounts, but mostly students because a lot of them were academics. I'd like to know where they got the mailing list. That may be public information. I don't know. It may not be. But they sent this email out to target, specifically, people that were Bittrex users, in the hopes of harvesting their credentials.
Starting point is 00:23:36 Now, they're probably not going to get any money because the deadline has already passed, right? But what they are going to get is username-password combinations, which could be email address and password combinations. Right. So once they have that, that's what Mike Britton is theorizing
Starting point is 00:23:54 they're going after here, is they're just building essentially another criminal product for the black market of username-password combinations. And presumably, in this case, because it's something that was used for something like someone's crypto account, that perhaps it is a combination of username and password
Starting point is 00:24:14 that people put value in or use for other valued accounts. Correct. This is what I'm trying to say. Let's say you have an account still at another cryptocurrency exchange like Kraken that's still open. Right. And you use the same password, which you shouldn't do. Right. So now what you've just done is in using the same password on Bittrex and Kraken, you've just given them your Kraken account. Yeah. Now they can go in and essentially send themselves all your cryptocurrency out of
Starting point is 00:24:42 your Kraken account that's still valid. Yeah. Assuming you don't have multi-factor authentication on your Kraken account, which you should do. Yeah. It's interesting to me in these cases, you know, this is something you and I talk about over on Hacking Humans a lot, that there seems to be a degree of kind of self-filtering in these scams where, you know, certainly within the mix of folks who are active with cryptocurrency, there's going to be a certain number of them who are unsophisticated. Yes.
Starting point is 00:25:10 And the way that this scam works, it seems to be coming at them in a number of directions to take advantage of their lack of sophistication. Right. Like, number one, it's just a typical phishing scam, right? Credential harvesting scam. Number two, it's after the deadline has expired to withdraw your funds.
Starting point is 00:25:31 And, well, I guess those are the two big ones. Yeah. So it's, yeah, you're right. It does target people with a certain lack of sophistication in this. Right. You know, I say this on Hacking Humans frequently, but when you're investing in crypto,
Starting point is 00:25:45 don't do that unless you can afford to take whatever money you're going to invest in crypto out into the street and light it on fire. And, you know, because we don't know where this is going. I mean, it may, it may be the currency of the future. Yeah. It may not be. Right. So, you know, it is a high risk. Even if you know what you're doing, it's still a high risk investment. Yeah. Yeah. Yeah.
Starting point is 00:26:11 It's interesting. They say that the perpetrators here were fairly sophisticated in the emails. Right. That they sent out. No grammatical errors in the emails. Yeah. Yeah. Which makes me wonder, you know, we talk about it being in this large language model world now. To what degree is that contributing to the ability for these phishers to get their stuff through to people?
Starting point is 00:26:33 Yeah, it has all the hallmarks of a legitimate email on it. It's got the Bittrex logo and everything. Yeah. The only thing is it says, dear Bittrex user at the top. So it's kind of a generic email. Right. Interesting. Yeah.
Starting point is 00:26:49 All right. Well, again, the research is from the folks over at Abnormal Security. Joe Carrigan, thanks for joining us. My pleasure, Dave. Thank you. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. Breaking news happens anywhere, anytime. Police have warned the protesters repeatedly get back. CBC News
Starting point is 00:27:53 brings the story to you live. Hundreds of wildfires are burning. Be the first to know what's going on and what that means for you and for Canada. This situation has changed very quickly. Helping make sense of the world when it matters most. Stay in the know.
Starting point is 00:28:10 Download the free CBC News app or visit cbcnews.ca. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information and insights
Starting point is 00:28:40 that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior
Starting point is 00:29:18 producer Jennifer Eiben. Our mixer is Trey Hester with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
