Srsly Risky Biz: Thursday June 9

Evil Corp's identity shell game all for naught

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray, and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber, and founding corporate sponsors CyberCX and Proofpoint.

Evil Corp's Sanctions Evasion Attempts Fall Flat

With sanctions against Evil Corp proving effective, it's tempting to suggest ramping them up against the wider ransomware ecosystem. However, these sanctions are best used as a stick to punish the worst actors, not as a catch-all tool.

On Monday, the LockBit ransomware group claimed to have breached cybersecurity firm Mandiant on its leak site (covered in Risky Biz News). Rather than being a genuine breach, this looks to be retaliation for a Mandiant report released last week that linked Evil Corp to LockBit ransomware.

Evil Corp was originally sanctioned by the US Treasury department in 2019 for crimes including the development and distribution of Dridex banking malware. Since these sanctions were announced, Evil Corp has cycled through a series of homegrown ransomware variants in increasingly quick succession. Mandiant believes that sanctions made it difficult for the group to extract ransom payments, and that as each new variant was publicly associated with Evil Corp, the resulting payment difficulties forced it to develop and migrate to a new variant.

Mandiant speculates that Evil Corp has since given up on its own strains and migrated to using ransomware from other Ransomware-as-a-Service operators to muddy attribution. Rather than being identifiable because it uses exclusive homegrown ransomware, it could blend in with other affiliates.

This makes total sense for Evil Corp, but it appears that LockBit doesn't want to be tarred by the same sanction brush. It's a reasonable concern for them. Victims will be reluctant to pay up when they're hit by LockBit because the affiliate who actually deployed the malware might be on a sanctions list. The penalties for breaking Treasury sanctions can be stiff, up to USD$1m in fines and 20 years in prison per violation, so groups involved in payments (such as insurers and ransomware recovery and negotiation firms) aren’t keen to accidentally break any of them.

Mandiant claims LockBit's fake hack was an attempt to discredit its report, but we think it's more a case of juvenile payback and an attempt to distinguish itself from Evil Corp. When LockBit published the cache of files it claimed it stole from Mandiant, the files included a statement from LockBit distancing itself from Evil Corp and its leader Maxim Yakubets which boils down to "our group has nothing to do with Evil Corp".

One might look at Evil Corp using other RaaS as evidence that sanctions against ransomware actors are ineffective, but this incident proves the opposite. Sanctioned groups work hard to avoid them, and other criminal gangs don't want anything to do with the sanctioned entities.

If that is not compelling enough, at this week's RSA conference Rob Joyce, NSA's Director of Cybersecurity, confirmed that ransomware operators had changed their behaviour due to sanctions. "How do we know? Really? We're NSA… we've heard them say it is hard to get funds out," he said.

So, if sanctions are effective, why not sanction all the groups? Surely this would drive down payments to the ransomware ecosystem?

For a start, there is a certain baseline amount of public information that is needed to effectively levy sanctions, as explored in a ProPublica article we linked to some weeks ago. It's far better to list named individuals rather than meaningless groups that are constantly being rebranded, but it can be hard for the Treasury office responsible to point to reliable public information.

Additionally, victims are already more reluctant to pay Russian ransomware crews, as sanctions against Russian entities have expanded since the invasion of Ukraine. Even groups such as Conti — that aren't specifically listed — could be sanctioned because of possible ties to listed entities such as the FSB. In other words, payments are already generally being throttled, so doing the work to specifically name more groups might not be worth it.

There may also simply be better things for Treasury to focus on. Reuters this week reports on cryptocurrency exchange Binance's laundering of USD$2.35bn of funds over time. Why go for amorphous ransomware groups when exchanges are easier to target and may offer a far bigger payoff in terms of effects across the ecosystem? (Obviously blanket sanctions on the world's largest cryptocurrency exchange are a non-starter, but there are levers to pull.)

And although sanctions look to be effective at reducing payments to ransomware groups, this is probably not the best measure of success. If it were, governments should simply make ransomware payments illegal. Job done! Ransomware solved!

Using sanctions as a behavioural lever to reduce the amount of disruption that ransomware causes looks to be a better approach: apply sanctions to the most damaging ransomware groups to encourage ransomware crews to behave "better".

So we should enjoy the schadenfreude in this LockBit and Evil Corp incident, but let's keep sanctions for the most damaging groups.

Internet Anonymity Targeted in Authoritarian States and Democracies Alike

Both authoritarian states and democracies are clamping down on internet freedoms and anonymity, each for entirely different reasons.

Let's start with the authoritarian countries. Roskomnadzor, the Russian telecommunications watchdog, has ordered that the Tor browser be removed from the Russian Google Play store and has also cracked down on the use of VPNs. Together these appear to form part of a concerted effort to limit Russian citizens' access to anonymising and censorship evasion technologies.

Other internet restrictions occur for reasons that are plain odd. The Record reported the Syrian government shuts down internet access to prevent cheating in high school national exams. And it is not alone in this — according to an Access Now report released in May this occurs in several other countries including Bangladesh, Iran, Iraq and India.

However, Access Now's report found that most internet shutdowns occur in response to political instability and that India, a democracy, was the biggest culprit with 106 shutdowns. These occurred mostly in Jammu and Kashmir rather than being nation-wide, but they are still worrying as some observers are concerned that India may be "set on a path to becoming an illiberal pseudo-democracy".

In addition to liberal use of internet shutdowns, the Indian government is also imposing stringent cyber security regulations intended to make the Indian internet more "open, safe, trusted and accountable".

Some of the regulations seem too broad to be useful and will capture too much of the internet's background noise. For example, companies have just six hours to report a range of common (or vaguely defined) incidents to India's Computer Emergency Response Team (CERT-In), including:

  • Targeted scanning/probing of critical networks/systems
  • Identity Theft, spoofing, and phishing attacks
  • Malicious mobile apps posing as legitimate apps
  • Unauthorised access to social media accounts
  • Attacks or malicious/suspicious activities affecting systems/servers/networks/software/applications related to Big Data, Blockchain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive manufacturing, Drones

This newsletter recently lamented the US government's lack of granular data on ransomware incidents, and we are fans of robust disclosure requirements — governments need to know what is happening on the internet to respond effectively. But this will just overwhelm CERT-In with the dull roar of the everyday internet.

These regulations also essentially spell the end of 'no-log' VPN services, with VPN service providers (and also data centres and cloud service providers) being required to keep subscribers' validated names, addresses, and IP address allocation information for five years. These kinds of VPNs are used for criminal activity, so there are good reasons the Indian government would want these logs kept.

As a result of these regulations, both ExpressVPN and Surfshark announced over the last week that they have decided to remove their Indian VPN servers to avoid being subject to the regulation. Both are keeping Indian IP addresses in Singapore and the UK, so they say they will be able to serve customers wanting to appear to be in India. Other VPN services told The Record they might also remove their servers from India.

One concerning gap in the Indian regulations as they are published is that they don't make clear what thresholds must be met for access to subscriber information. For example, the FAQ associated with the regulation states access to logs is at the discretion of CERT-In: "The requisition for seeking information is [sic] respect of logs may be given by an officer of CERT-In not below the rank of Deputy Secretary to the Government of India".

Subsequent press reporting in The Economic Times makes it clear that this type of data would only be used by law enforcement agencies after they had followed standard procedures and obtained court orders, as happens in other democracies.

When push comes to shove, government authorities in democracies are often able to get IP addresses when they need to after following proper procedures. French authorities, for example, got the IP address of a French activist using ProtonMail's services via Europol after approval from Swiss authorities, despite ProtonMail's reputation and the "privacy cred" that comes with being Swiss-based.

What's the lesson here? Governments of all stripes are no longer treating the internet as a regulation no-go zone, but different types of governments will make different decisions about where to draw the lines between privacy, anonymity, and security. Often these lines are drawn in the types of checks and balances found in democracies and less in the regulations themselves. As in: A metadata retention regime in Australia will result in different outcomes to the same sort of regulations applying in Myanmar.

Three Reasons to be Cheerful this Week:

  1. iOS Safety Check: Apple announced iOS 16 will include Safety Check, a new feature to protect people in abusive relationships. It allows users to audit who else has access to passwords and other sensitive information such as location data and cut them off in one clean sweep.
  2. PII market seized: The US government announced the seizure of the SSNDOB marketplace, an online marketplace that sold personally identifiable information (PII) of (mostly) US citizens, including social security numbers, dates of birth and names. It's good to see international collaboration with both the Latvian and Cyprus police involved. Cryptocurrency analysis company Chainalysis reports SSNDOB has received USD$22m in Bitcoin since 2015, which probably understates the market's importance as the PII it sold was used to enable fraud and other cyber crime.
  3. Children's hospital attack thwarted: At a cyber security conference FBI Director Christopher Wray said the organisation managed to prevent an attack by state-sponsored Iranian hackers on a Boston children's hospital. It's good it was stopped, but, like, wtf.

Save Time with a Risky.Biz Product Demo

Risky Business is publishing sponsored product demos to YouTube. They're a great way for you to save the time and hassle of trying to actually get useful information out of security vendors.

In our latest demo, Sergio Gonzalez shows Patrick Gray the ins and outs of Red Canary's Managed Detection and Response service.

You can subscribe to our product demo page on YouTube here.

Schulte is Still Unpleasant

The New Yorker has a great long read about Joshua Schulte, the former CIA employee accused of leaking the agency's hacking tools in the so-called Vault 7 document dump. The piece illustrates CIA office culture (more "Office Space" than "The Bourne Identity") and what the author describes as "the pageantry of overclassification". After the stolen and now publicly available materials were downloaded from WikiLeaks, for example, the investigators stored the laptop containing them in a safe and investigators needed security clearances before they were allowed to view the material.

Schulte also comes across as a real piece of work. In addition to stealing and leaking secrets, Schulte is charged with child pornography offences (he claims he's innocent, and that child pornography is a non-violent victimless crime anyway). How he ever got a job at the CIA is a mystery.

Chinese APT "Plumbing" Laid Bare

The US government has released a joint Cybersecurity Advisory detailing the techniques Chinese state-sponsored groups use "to exploit publicly known vulnerabilities in order to establish a broad network of compromised infrastructure", including by targeting "major telecommunications companies and network providers".

The advisory includes a section on how PRC groups typically operate in telco networks. After gaining initial access via known vulnerabilities they target critical authentication systems to get network credentials. These credentials are then used to harvest router configuration information and subsequently to "surreptitiously route, capture and exfiltrate traffic out of the network".

Rob Joyce, the NSA's Director of Cybersecurity, told The Record that this advisory pulled together information about the top vulnerabilities Chinese actors are using to build foundational "plumbing". By publishing this information the US government hopes companies will be able to identify and "stop the tradecraft".

Cyber Command Did Something. We Have No Idea What.

US Cyber Command Director Paul Nakasone stated that the US had launched offensive cyber operations against Russia in support of Ukraine. White House Press Secretary Karine Jean-Pierre then confirmed that these operations did not violate the US policy of avoiding a direct military conflict. An offensive operation could be anything from popping a shell on an enemy C2 server to blowing up a building by fiddling with its HVAC system, so without further context, Nakasone's statement is essentially an information-free zone. But at least they get to sound like they're doing something important.

From Risky Biz News:

Takedown: Microsoft's Digital Crimes Unit (DCU) said on Friday that they disrupted infrastructure operated by Bohrium, a cyber-espionage group operating out of Iran.

Amy Hogan-Burney, DCU General Manager, said the DCU legal team successfully obtained a court order that granted Microsoft control over 41 domains used by the Bohrium group in spear-phishing operations.

"Our DCU investigation found Bohrium targeted customers in the US, Middle East, and India. Targets come from sectors including tech, transportation, government, and education," Hogan-Burney said.

The Microsoft exec said the group's members used fake social media profiles, often posing as recruiters, and lured employees at targeted organisations to one of the 41 malicious sites. There, they tried to collect the employees' personal information, which they later used in subsequent email attacks that sought to infect the victims with malware.

To date, Microsoft's DCU team has used the US court system to seize domains and server infrastructure from more than two dozen cybercrime and espionage groups alike.

DeadBolt: Cybersecurity firm Trend Micro published a technical analysis of DeadBolt, a ransomware strain that appeared last year and has been targeting NAS devices. The ransomware uses two ransom notes, one for the infected users and a second for the NAS vendor. If users pay the ransom, they can decrypt their files, and if NAS vendors pay the ransom, they receive a master key to unlock all of their attacked customers. However, Trend Micro said that based on its analysis, only 8% of NAS users ever paid a ransom, while a code analysis found that there is no evidence to suggest that decryption via a master key is even possible.

Confluence exploitation: The Kinsing, Hezb, and Dark.IoT botnets have been spotted exploiting the recently-disclosed Confluence zero-day CVE-2022-26134 to install their payloads on unpatched servers.

Follina gets some love: After being disclosed last week, the Office zero-day vulnerability known as Follina (CVE-2022-30190) is seeing broader adoption by the cyber-criminal underground after being previously adopted by nation-state groups, Proofpoint's threat intelligence team reported, with the latest to get on the exploitation train being the Qbot malware botnet.