Living off the Land Is the New Normal

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Corelight.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Cyber security firm Huntress has confirmed what organisations like the NSA have been saying — that 'living off the land' is the new normal.

We've covered the shift towards living off the land techniques (abusing legitimate tools already present in the host environment) by both Russian and Chinese APT actors. A new Huntress report focused on threats to small and medium-sized businesses (SMBs) found more than half of incidents involved LOLbins (living off the land binaries) and were "malware free".

One type of legitimate software that is commonly abused by threat actors to gain and maintain access to targeted environments is remote monitoring and management (RMM) software. Huntress found that 65% of all types of SMB security incidents involved RMM software such as ConnectWise, ScreenConnect, AnyDesk or TeamViewer. These types of software are not detected as malware and their use is often not audited, especially in small organisations.

Living off the land techniques are also being used by the most concerning threat actors that this newsletter has covered in recent months, including cyber crime groups (see our reports on Octo Tempest or Scattered Spider) and state-backed groups such as the PRC's Volt Typhoon.

Volt Typhoon's campaign is genuinely concerning. Microsoft thought the group was "pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises".

In a recent Risky Business podcast, Morgan Adamski, the director of the NSA's Cybersecurity Collaboration Center said she was worried about the "scope, scale and sophistication" of Chinese APT activity. One element of this was the shift to living off the land.

"We're going to have to up our game", Adamski said. "You've got to know what your sys admins are doing, are they in every single day, are they actually supposed to be doing the activity that you see them doing?"

"And so it is going to take a concerted effort across everyone in the industry, as well as the net defenders, to really put a lot of time and effort behind this."

Living off the land is here to stay and cyber security organisations are going to have to adapt their practices to cope.

Hacks at Key Firms Upset Housing Markets

When key firms that provide services to a range of clients are hit by cyber incidents, the damage ripples out through the economy. For example, in the UK and the US, attacks on companies that provide services to the real estate industry have impacted house sales.

The consequences of breaches like these means key service providers need to be held to very high standards of security.

Last week, Fidelity National Financial (FNF), a US Fortune 500 company that provides insurance and settlement services to the real estate industry, announced it had blocked access to some of its systems after detecting a breach.

FNF, which owns a suite of related companies, stated that "the services we provide related to title insurance, escrow and other title-related services, mortgage transaction services, and technology to the real estate and mortgage industries, have been affected by these measures".

The AlphV/Black Cat ransomware gang claimed responsibility for the hack on their leak site the day after FNF's announcement, while also mocking Mandiant, presumably the firm AlphV believes FNF has engaged for incident response.

The fallout was described as a "catastrophe" by TechCrunch, with prospective buyers being unable to close house purchases and left in the dark about their status. When TechCrunch called IPX 1031, an FNF subsidiary, a voicemail responded that "Fidelity National Financial is still experiencing a system-wide outage. We do not have access to send or receive email or access to any system. We appreciate your patience."

In the UK, an attack on CTS, a provider of managed IT services for law firms, is also affecting home purchases by disrupting the legal sector.

Last Thursday November 23, CTS announced it was experiencing a service outage caused by a cyber incident that had "impacted a portion of the services we deliver to some of our clients".

Today's Conveyancer, a real estate lawyer publication, reported the incident was affecting around 80 firms across the country and wrote that it "risks bringing exchanges and completions to a standstill". The impact felt by each firm varied depending upon their reliance on cloud-based services. One CTS client told Today's Conveyancer:

Depending on your cloud dependency you may, like us, still be able to find workarounds for matters exchanging and completing this week. Other firms have been more affected and are unable to access phone, emails, or case management systems. As a result some transactions are still going ahead today.

A number of UK law firms spoke to the UK's Property Eye property trade publication, confirming that the incident’s impact was widespread. O'Neil Patient, for example, said that "this issue is impacting a number of organisations across the sector, as our provider is a specialist in secure legal systems for many law firms and barrister’s chambers".

One lesson here is that service providers are high-impact targets and because so many customers rely on them they need top-notch cyber security standards.

While we do not know how FNF and CTS were breached, cyber security researcher Kevin Beaumont, using information from Shodan, notes both were slow to patch the latest Citrix Netscaler vulnerabilities.

It is standard practice for cybercrime gangs to take any vulnerability in internet-facing enterprise software and exploit it at scale for either data theft extortion or for network access. CISA warned last week that these vulnerabilities were being actively exploited by cybercrime groups and they have already been implicated in the high-profile compromises of Boeing and the Industrial and Commercial Bank of China.

A patch for these Citrix Netscaler vulnerabilities was released on the 10th of October. Perhaps the more straightforward lesson here is that organisations need to get much much faster at upgrading and patching their internet-facing vulnerabilities.

Coincidentally, an updated version of the ASD's "Essential Eight" strategies to mitigate cyber security incidents was released this week. One of the big changes is to place higher priority on rapid patching, and the ASD recommends that patches be applied "within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist". That's a tall order for most organisations, but how much angst would have been saved just in recent weeks if that recommendation was implemented?

In the race to exploit or remediate these bugs, too often threat actors are winning.

Three Reasons to Be Cheerful This Week:

1. Swapping vulns for coins: The UK's NCSC is launching a set of challenge coins it will give out to selected researchers who submit reports to its Vulnerability Reporting Service (VRS) and it thinks have "shown themselves to be exemplars of the vulnerability disclosure community". The VRS covers UK government services and this is a good way of encouraging reports that appeals to security researchers' sense of self-worth.
2. International ransomware group dismantled: Authorities from seven different countries have collaborated to dismantle a ransomware group responsible for attacks in 71 different countries. The group used a variety of ransomware strains, including LockerGoga, MegaCortex, HIVE and Dharma, in attacks that affected over 1,800 victims worldwide. Coordinated raids took place at 30 locations and the group's leader and four accomplices were arrested in Ukraine.
3. Myanmar rebels battling cyber scams: The Three Brotherhood Alliance, a militia opposed to the Myanmar junta, has taken aim against online ‘pig butchering’ compounds operating near the border with China. The PRC has tried to pressure the Myanmar government to crack down on the crime with limited success. So it's a happy coincidence for the Chinese government that rebel forces have suddenly felt motivated to tackle cybercrime kingpins.

Sponsor Section

In this Risky Business News sponsor interview Tom Uren talks to Brian Dye, CEO of Corelight about the value of data from NDR tools when it comes to longer term incident response.

Shorts

DP World Dodges the Ransomware Bullet

DP World Australia has confirmed that ransomware was not deployed in a recent incident that we covered earlier this month. DP World Australia says "a small amount" of data was stolen during the incident, including the personal information of current and former employees.

This is a best case scenario as the actual deployment of ransomware would have been far more damaging. As it was, the incident resulted in the shutdown of five ports across Australia, national news coverage and a whole-of-government response. Australia's Minister for Cyber Security, Clare O'Neil, even berated DP World for not patching its systems more rapidly.

That's more than a little angst. DP World Australia's executive vice president Nicolaj Noes told the Australian Broadcasting Corporation that although getting cyber security right is complex, perhaps they should, in retrospect, have "done some things differently".

PRC Ransomware Pressure Intensifies

The Qilin ransomware group  (aka Agenda) has claimed responsibility for a cyber incident affecting production at Yanfeng Automotive Interiors, a Chinese automotive parts manufacturer. Bleeping Computer reports Yanfeng employs 57,000 people in 240 locations worldwide and the incident disrupted production at multinational automaker Stellantis' North American assembly plants.

Just two weeks ago, in the wake of a ransomware attack on the US subsidiary of China's largest bank, we speculated about the Chinese government pressuring Russian officials to take action against ransomware crews. It's not clear that Qilin is Russia-based, although cyber security firm Group-IB reported earlier this year that a Qilin recruiter looking for affiliates wrote in Russian and said that the group does not work in CIS countries (countries that were formerly part of the Soviet Union).

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).

In our last "Between Two Nerds" discussion Tom Uren and The Grugq look at the evolution of Russian electricity network cyber attacks.

From Risky Biz News:

Fastly to block domain fronting in 2024: Internet infrastructure company Fastly will block domain fronting on its cloud platform from February 27, 2024.

Fastly now joins a growing list of major cloud companies that have banned domain fronting. The list includes Amazon (banned in 2018), Google (2018),  Microsoft (2022), and Cloudflare (2015).

Domain fronting is a technique to use different domain names on the same HTTPS connection. Because of its ability to hide backend infrastructure, domain fronting has also become popular with malware operations, being adopted by both financially and espionage-motivated groups.

[more on Risky Business News, including the historyof domain fronting, its legitimate uses and how it has been used by services like Signal and Tor to bypass internet censorship.]

Cyber insurance catches on across the EU: An ENISA report on NIS compliance spending has found that roughly 42% of the EU's critical infrastructure and digital service provider operators have signed up for cyber insurance in 2022.

The report notes that while cyber insurance coverage was at 43% in 2020 and just 30% in 2021, the cyber insurance market now appears to be active and developed all over the EU.

[more on Risky Business News, including how companies are complying with the EU's NIS Directive]

Crypto-phishing service shuts down after stealing $71 million: A phishing platform specialising in cryptocurrency thefts has shut down operations after stealing more than $71 million over the past nine months.

Named Inferno Drainer, the platform launched in February this year. Spotted by Web3 security platform ScamSniffer, the service allowed threat actors to create phishing pages for more than 220 cryptocurrency brands.

ScamSniffer researchers say Inferno Drainer was responsible for more than 10,000 phishing sites and helped hackers steal cryptocurrency from more than 103,000 victims since its launch.

[more on Risky Business News]