Srsly Risky Biz: Thursday, August 26

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

America's Tough Talk on Ransomware Hasn't Moved the Needle

It's been nearly four months since the DarkSide ransomware attack against America's Colonial Pipeline -- and all the tough talk from America resulting from that attack -- but there's little evidence much has changed since.

We polled several organisations that use different methods for tracking ransomware:

• Collating data from hands-on incident response
• Monitoring data that appears on extortion leak sites
• Analysing uploads to the ID ransomware identification service

Each source of data is incomplete and has different biases, but the initial assessment from all our sources was there has been little change in overall ransomware trends. Bill Siegel, CEO of Coveware, a ransomware incident response firm, told Seriously Risky Business "there has been no change since the pipeline attack, and frankly no change in the past 36 months".

However, there are some signs that ransomware operators are expanding their reach into markets outside the US. Allan Liska, of Recorded Future, says the percentage of extortion attempts involving data stolen from US victims has dropped, but cautions this coincides with a "drop in the number of victims posted to ransomware extortion sites" and that "ransomware groups are taking longer to post victim data to extortion sites".

"We don't know if this is in response to Colonial Pipeline or just a realisation from these groups that double extortion is not as effective of a threat as it was initially thought to be," he says.

Data based on uploads to the MalwareHunterTeam ID Ransomware service -- where ransom notes and encrypted files are uploaded to identify the ransomware strain -- tell a similar story, according to Brett Callow, a threat analyst at Emsisoft.

"Since the Colonial incident, we’ve seen an uptick in attacks outside the US, including Australia and NZ," he says. "We haven’t seen a decrease in attacks on US-based companies."

In any case, Coveware's Siegel thinks strategic decisions made by some ransomware crews to avoid certain industries and sectors will be outweighed by other driving forces. "Individual companies or industries are not targeted. Cost-effective vulnerabilities are targeted. Who and when is attacked is a function of how economical it is to pull off a full compromise."

While Ransomware-as-a-Service (RaaS) gangs like Maze, DarkSide, Egregor et al. get all the attention, Siegel's point is particularly salient when we consider the ransomware attacks themselves are actually perpetrated by a menagerie of "affiliate" crews. These affiliates have shown a lot of flexibility in the past -- they'll work with multiple RaaS crews. An affiliate known as the OnePercent Group, for example, has previously used the REvil, Maze and Egregor ransomware tools. Callow observed that it's become increasingly common for affiliates to “deploy ransomware A on a company’s Windows systems and [ransomware] B on its Linux systems (or sometimes simply double-encrypt the data)".

So, even if one RaaS gang isn't willing to be involved in attacks on critical infrastructure, affiliates can just pick another RaaS platform that's happy to eat the risk. BlackMatter, for example, signalled a reluctance to get involved in such big-ticket critical infrastructure attacks, much to the joy of US government officials, but that doesn't mean these types of attacks will just stop.

Indeed, other attempts by the ransomware industry to "self regulate" aren't working so well either. Several criminal forums, where hackers advertise their services to cooperate on attacks, have banned ransomware posts in an attempt to dodge future consequences. In response, ransomware crews and affiliates are using coded language on the very same forums to find each other.

Meanwhile, ransomware attacks on American hospitals have continued unabated with three reported this month.

These ransomware attacks not only cost a lot -- over USD$100 million in this case -- but also affect patient care. Ambulances need to be redirected and surgeries delayed, but there are more insidious, longer term impacts.

A CISA study has found ransomware provably disrupts and delays healthcare, which may ultimately may flow through to "excess deaths" -- deaths that wouldn't have occurred without the ransomware attack. Although this is a statement of the bleeding obvious, this kind of research is needed to drive home the point to policymakers that ransomware is often a life and death phenomenon.

Cyber Insurance at Breaking Point

Cyber insurance is facing a "crisis moment" as rising payouts send premiums to the moon.

Seriously Risky Business previously covered the problem of soaring payouts in December 2020. Proponents have argued cyber insurance takeup will improve cyber security because it provides financial incentives for organisations to improve their cyber security based on data about real-world cyber incidents. This newsletter thinks that cyber insurance, at least in its current form, is the equivalent of insuring glass houses -- and then paying the people who throw rocks at them.

Some Chaotic Evil is on the Loose in South East Asia

In South East Asia, the ALTDOS hacking group has been extorting companies across Bangladesh, Singapore and Thailand. Its operations seem a bit haphazard -- the group doesn't always deploy ransomware and sometimes won't even bother engaging with victims to ask for a ransom and will simply dump the stolen data online. It's interesting to see reports of a group targeting a specific region of the world. As we pointed out in the Risky Business podcast, South East Asia has seen substantial economic growth over the last few decades, but it's networks are (largely) still in pretty poor shape. We hope this isn't the start of a pivot to targeting poorer countries.

Shorts

A New Twist on "Ethical Hacking"

The hacktivist campaign of the "Belarusian Cyber Partisans" continues. This newsletter reported on the activities of the group some weeks ago. Since then it's released more hacked information including lists of alleged police informants and the personal information of government officials. It still looks to be a genuine hacktivist group and its membership story is consistent with that -- about fifteen people, mostly involved in IT, where three or four focus on what the group calls "ethical hacking". In this case, "ethical hacking" means hacking in aid of "the overthrow of the Lukashenka government". So either the group is genuine or the whole thing is a front for some sort of foreign intelligence service.

This Was Totally Not Israel

Iran's Evin prison, where political detainees are held, has allegedly been hacked and documents, images and security camera footage stolen. Videos showing brutal treatment of prisoners have been released, along with security camera footage of the hackers displaying messages on screens in the prison's video surveillance centre. It's not clear if the group claiming responsibility, Adalat Ali (Justice of Ali), is a genuine activist group or whether this is another salvo in the cyber hijinks between Israel and Iran.

TCP amplification DDoS

Various network devices, especially those used by states censoring the Internet, can be abused to create potentially very large TCP DDoS attacks, according to some very interesting research published this week. This is different from "traditional" DDoS in a couple of ways: it's TCP amplification not UDP; many of these devices might not be fixed as patching could degrade state censorship capabilities; and it offers very high levels of "amplification" for attackers. DDoS attacks might return as a real problem. This is high impact stuff.

Data Brokers Track the Military

Data brokers are advertising services to track US military personnel, according to this Lawfare post. Seriously Risky Business previously warned of the national security implications of the adtech and data broker ecosystem. This will be sure to get some attention from lawmakers in the US.

US Census Bureau Hack Goes Public

It turns out that the US Census Bureau was hacked back in January 2020 by a group using December 2019's blockbuster Citrix vulnerability. The hack wasn't really consequential, but it is great that there is an Office of Inspector General report that assesses the Bureau's response and suggests improvements. Among other things, the report found that the Bureau missed opportunities to mitigate critical vulnerabilities, didn't keep sufficient logs, continued to use servers after they were no longer supported, and did not conduct a lessons-learned session after being hacked. These reports are needed and it is good that this one has been made public.

Poly Want A Hacker?

Last week a hacker stole USD$600 million in cryptocurrency from PolyNetwork. This week they returned it, got called "Mr White Hat", and were offered a job by the exchange they stole from. I suppose this is a good news story?

The Liquid cryptocurrency exchange, meanwhile, was also hacked and USD$94 million of magic internet money stolen. The exchange hasn't yet followed the Poly playbook and asked for its money back on Twitter, although it has reassured its customers that "personal data was not compromised in any manner during the incident". What a relief that only money was stolen!

The Power to Fail

Upguard discovered that Microsoft's Power Apps had insecure defaults, potentially exposing a huge amount of data from many different organisations -- too many for Upguard to contact directly.

Apple Dabbles in HUMINT

This long read examines how Apple uses human sources to understand and keep tabs on the market for leaked information and jailbreaks. A real HUMINT agency would do a better job keeping its sources happy and quiet after they were no longer useful.

It's Not Dumb if it Works

Hackers have attempted to get access to a network by recruiting insiders via email. An in-person approach was previously used to try to get ransomware onto the Tesla Gigafactory network, but using an email campaign is new. Stop laughing, this will probably turn into a thing.

When Your Lawyers Are Probably Taking Things Too Seriously

Citrix (briefly) removed acknowledgements of Positive Technologies employees from its security bulletins, presumably in response to US sanctions being levied on the Russian firm. To save other companies angst -- just acknowledge Positive Technologies in security bulletins. One tech company CISO we spoke to says this dilemma landed on their desk (after six… SIX!!! Meetings at lower levels), but they decided to continue crediting the company's researchers anyway because hey, what are we? Barbarians?

Mozi Botnet

The Mozi botnet, an IoT botnet that infects network gateways and digital video recorders, has "evolved" new capabilities to tamper with DNS and HTTP sessions to conduct person-in-the-middle attacks. It makes a lot of sense to launch broad-based mass attacks on whatever networks Mozi can get a foothold in -- escalating from presence on a router to internal network access, potentially at scale.

Well… it Looks Like We're Doing Something

President Biden held a cyber security summit with private industry covering sectors including technology, insurance, finance, and education. It's hard to escape the conclusion the summit was more about optics than tangible security gains. Microsoft announced it would spend $20bn on developing its security products, which was probably its plan all along. Amazon, meanwhile, offered up the equivalent of $5 and a sunhat as an offering to the White House gods, promising to provide free security tokens to its customers. Kevin Collier had the definitive take.