LockBit's Disastrous Success

PLUS: Banks Dragged Kicking and Screaming to Combat Fraud

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare and this week's edition is brought to you by Gigamon and its precryption technology.

You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. Find this edition here and on Apple podcasts.


Ransomware criminals continue to make hay despite increased government efforts worldwide to clamp down on the ecosystem. What's next?

Last week, the US financial services division of China's biggest bank, the state-owned Industrial and Commercial Bank of China (ICBC), was hit by ransomware that reportedly affected trading in US Treasuries. According to The Financial Times, "the attack prevented ICBC from settling Treasury trades on behalf of other market participants" and "with its systems compromised, ICBC Financial Services proposed sending a USB stick with trading data to BNY Mellon to help it settle trades". I mean, this is very serious, but lol.

This left ICBC's US unit owing BNY Mellon USD$9bn for unsettled trades, with the subsidiary requiring a capital injection from its parent company to pay the debt. Yikes.

This hack was discussed in the diplomatic stratosphere, and US Treasury Secretary Janet Yellen raised it with Chinese vice-premier He Lifeng.

Ransomware gang LockBit claimed the attack and told Reuters over the Tox encrypted messenger that ICBC had paid a ransom. Reuters was not able to independently verify this particular claim, but LockBit's involvement was confirmed in reporting from The Wall Street Journal.

This is a very brazen attack but we also think it's a risky one, at least for the people directly involved, as it is the kind of thing that motivates government officials to take action. And we're not talking about US officials here, but Chinese ones.

Assuming LockBit has some Russian nexus (they advertise on Russian-language dark web forums), Chinese officials could have some influence over Russian law enforcement efforts. The leverage the PRC has over Russia has increased since the Russian invasion of Ukraine and, as Risky Business News reported last week, Russian officials can arrest cybercriminals when they are motivated to.

If the PRC does ask Russian officials to take action, however, we think this will likely just result in the arrest of a few ransomware affiliates. It will not significantly change the ransomware game.

ICBC isn't LockBit's only recent high-profile victim. Security researcher Kevin Beaumont reports that a LockBit "strike team" has been using a recent Citrix Netscaler vulnerability (known as CitrixBleed) to get initial access to organisations and then passing that on to another team that ultimately deploys ransomware. (LockBit's use of CitrixBleed to gain access to ICBC was reported in The Wall Street Journal.)

Other organisations that Beaumont has found running vulnerable versions of Netscaler include British multinational law firm Allen and Overy, Boeing, and DP World Australia. LockBit has claimed credit for the ransomware attack on Allen and Overy and has leaked data purportedly from Boeing as well.

And DP World Australia was crippled by an attack last Friday. Per the Australian Financial Review:

The Middle Eastern-owned stevedore, which operates terminals in Sydney, Melbourne, Brisbane and Perth and handles about 40 per cent of the goods coming in and out of Australia, was forced to shut down technology systems at 10am on Friday.

The shutdown prevented some 30,000 containers of goods from moving in or out of its terminals, including refrigerated containers that can hold anything from lobsters and wagyu beef to blood plasma.

While ships could still offload and pick up containers, the technology systems that allow trucks to share data with the stevedore were turned off, meaning trucks could not get into DP World’s terminals to collect or drop off containers.

There hasn't been an official confirmation of who breached DP World Australia or how they did it, but Beaumont's Citrix Netscaler compromise theory seems plausible or even likely. A patch for that vulnerability was released on the 10th of October.

The Australian government has a playbook for these kinds of serious cyber incidents where it rolls out a whole of government response coordinated by a 'cyber disaster tsar' (aka the National Cyber Security Coordinator). This approach uses an emergency response framework that was developed during the Covid pandemic and was first used in the case of a cyber incident when responding to the Medibank Private breach late last year.

From the point of view of a critical infrastructure company, part of this is great. If you are the victim of a significant cyber security incident you'll get all kinds of government assistance! On the other hand, the government will learn if your cyber security posture was sub-par.

This essentially puts all critical infrastructure companies on notice to up their game.

That's a good thing, but what else can governments do? Back in November last year Australia's Cyber Security Minister Clare O'Neil announced "an ongoing, joint standing operation to investigate, target and disrupt cyber criminal syndicates with a priority on ransomware threat groups".

In January this year we covered how LockBit's porous OPSEC made it "ripe for disruption" and in June this year cyber security authorities in the Five Eyes, France and Germany issued a cyber security advisory warning about LockBit ransomware. We'd be stunned if these recent incidents don't make LockBit a priority target for state action.

Although we love writing about flashy government disruption operations involving website takedowns and press releases, we think operations that covertly degrade ransomware groups are more sensible. Flashy operations push ransomware affiliates to greener pastures, whereas discreet operations leave them toiling joylessly in the ransomware salt mines.

We think these kinds of offensive cyber disruption operations will make a difference, but won't eliminate ransomware. Ultimately, the crime needs to be starved of funds and so efforts to prevent ransomware payments should be accelerated.

Banks Dragged Kicking and Screaming to Combat Fraud

Reuters reports that banks in the US have begun refunding victims of 'imposter scams' on payment app Zelle.

Imposter scams involve people being tricked into sending money to scammers. Prior to June 30 the banks that run Zelle did not refund victims of these scams, as the customers themselves were authorising the transfer. This meant they weren't required to provide refunds under federal law.

This reminds us of new UK rules for payment systems that come into effect next year. The UK rules apply to essentially the same type of fraud, although the Brits call it Authorised Push Payment (or APP) fraud. On Britain's 'Faster Payments' system, UK payment firms will split the cost of reimbursement 50:50, giving both the sending and receiving firm incentives to crack down on fraud.

The documents the UK's Payment Systems Regulator released regarding the change are very interesting, particularly its cost-benefit analysis. They leave us with the strong feeling that US banks could do much more, but have taken the steps they have to head off the possibility of more expensive regulations.

Our question for US regulators and lawmakers is: who do you care more about? Banks or people?

Three Reasons to Be Cheerful This Week:

  1. Phobos ransomware affiliates charged in France: French authorities have charged a Russian couple and allege that they have been working as affiliates for the Phobos ransomware gang. The couple are from Saint Petersburg, Russia and were arrested in Italy and then extradited to France. Officials say the couple has worked with Phobos since 2020 and is linked to payments from more than 150 victims across the world.
  2. Myanmar scam centre progress: Over 160 Thai nationals will be returned to Thailand after being rescued from gangs running scam centres following a joint PRC-Myanmar law enforcement operation. Seriously Risky Business covered this type of 'pig butchering' scam centre here.
  3. Gene giants move to 2FA by default: Following the theft of user records from the 23andMe DNA testing firm, it and other companies in the sector, including Ancestry and MyHeritage, will start using multi-factor authentication for customers by default. For 23andMe, this is very much shutting the gate after the horse has bolted, but it is better than not shutting the gate at all.

In this Risky Business News sponsor interview Tom Uren talks to Ryan Mahoney, Product Director at Gigamon. The TLS 1.3 encryption standard makes passive network monitoring inside your network difficult without break and inspect contortions, but Gigamon's precryption technology provides the visibility into encrypted traffic in hybrid environments that network defenders need.

Catching the Mirai Botnet Boys

Wired's Andy Greenberg has a good long read covering the story of the Mirai botnet and its three authors, who were teenagers when they started creating the software. Two of the three had originally started a DDoS protection company, ProTraf, and created Mirai to launch DDoS attacks to drum up business.

It was a slippery slope that eventually ended up with Mirai taking out significant portions of the internet with the world's largest DDoS attacks at the time. The three were eventually tracked down by the FBI and cooperated with the organisation in cases against other cybercriminals.

Ultimately, it's a story of redemption. The trio avoided jail time because of their cooperation with the FBI. While doing community service they assisted in the creation of an IoT malware honeypot for an anti-DDoS organisation and have since gone on to jobs in finance and security research.

Not Catching Scattered Spider?

Some of the individuals in the Octo Tempest group, aka Scattered Spider, that we've referred to as Lapsus$-style hackers have reportedly been identified. But what’s next? According to Reuters:

For more than six months, the FBI has known the identities of at least a dozen members tied to the hacking group responsible for the devastating September break-ins at casino operators MGM Resorts International and Caesars Entertainment, according to four people familiar with the investigation.

The Reuters article quotes several cyber security experts who question why these individuals haven't been arrested.

We are willing to give the FBI the benefit of the doubt here, especially after reading Wired's investigation into Mirai (above). In that case, the arrests took place over many months but ultimately resulted in them assisting police investigations and being diverted from a potential life of crime.

State-based Hackers Focus of Government Reports

The Australian Signals Directorate released its 2023 Cyber Threat Report on Tuesday and the UK's National Cyber Security Centre released its Annual 2023 Review on the same day.

The two reports are much the same but with slightly different flavours. Both emphasise the risk to critical infrastructure from state-backed hackers, although the UK report is far more explicit about the cyber security threat posed by the PRC.

Israel Turning to Blacklisted Spyware Vendor

According to reporting from Axios and Bloomberg, Israeli security services are turning to the NSO Group spyware company and its Pegasus mobile spyware to help track hostages in Gaza that were kidnapped by Hamas.

Using mobile spyware like Pegasus to locate and possibly collect intelligence from hostages or suspected terrorists makes perfect sense in this situation. From the reporting it appears the Israeli government has its own capability but is looking to Israeli spyware companies including NSO Group, Candiru and others to provide extra capacity.

Both NSO Group and Candiru were blacklisted by the US government in 2021 because their spyware products had been used extensively to target civil society in a variety of countries. It looks like NSO Group is trying to redeem its reputation, and Axios also covers the company’s recent lobbying efforts in the US.

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).

In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about International Humanitarian Law or the 'Rules of War' and whether they make any sense in cyberspace.

From Risky Biz News:

Clop is coming after your SysAid servers: The infamous Clop ransomware gang is exploiting a zero-day vulnerability in on-prem SysAid IT automation servers.

The attacks were discovered last week by SysAid's security team, and the company released a software update to patch the exploited bug…

The recent attacks would make SysAid the fourth different enterprise software the gang has exploited this year after it previously targeted GoAnywhere and MOVEit file transfer servers and PaperCut print management servers.

[more on Risky Business News]

OCCRP journalists targeted with Pegasus: Two Indian reporters from the Organized Crime and Corruption Reporting Project have had their phones targeted with the Pegasus spyware. The attacks took place hours after the two reporters reached out for comment to the Adani Group, one of India's largest companies. The reporters were investigating the Adani Group's owners for possible market manipulation by secretly buying their own stocks. OCCRP reporters Ravi Nair and Anand Mangnale are two of the 20 Indians that Apple notified in October that their phones were targeted by state-sponsored malware.

Russia hacked 22 Danish critical infrastructure companies: Russian state-sponsored hackers have breached at least 22 Danish companies operating in the country's energy sector.

Denmark's CERT team for the critical infrastructure sector (SektorCERT) described the intrusions as the largest cyber-attack in the country's history.

In a report [Danish PDF, machine-translated English file] published over the weekend, SektorCERT tentatively attributed the attacks to Sandworm, a cyber unit inside Russia's military intelligence service GRU.

[more on Risky Business News]