Know Your Adversary™

In Episode 91 of TheCyber5, we are joined by Paul Malcomb, Intelligence Advisory for Nisos. Paul brings over 15 years of experience from Fortune 500 security teams and the public sector including incident response, threat intelligence, and third-party risk management.  

In this episode, Paul explains how the ransomware-related ecosystem is evolving and provides insights to some of the newer threats organizations face.

Below are the three major takeaways:

1. Ransomware actors no longer need to be end-to-end capable and are now very decentralized:

• Gone are the days where threat actors have to be masters of all, with the democratization of services, affiliates with little to no technical knowledge can now execute sophisticated cyber attacks. Ransomware operators needed to possess the full scale of technical and non-technical capabilities within an organized criminal group. Initial access brokers, supporting operators, and/or the actual malware developers no longer need to be the same entity. Today, individual attack components are outsourced in order to provide an affiliate with end-to-end solutions filling nearly any unmet need to include but not limited to: payment negotiations, money laundering, infrastructure creation, payment collection, etc. 

1. CTI, Red and Blue teams must unite and move faster to adjust to the decentralization:

• It is becoming more and more critical to fuse CTI teams with their respective Red and Blue team components in order to emulate an organization's most pressing threats. Blue teams sometimes have minutes to detect and remediate a ransomware actor once the initial access is gained. This initial access is often gained through misconfigurations or unpatched vulnerabilities on legacy systems. Similarly, privilege escalation and lateral movement tactics commonly leveraged can also be mimicked enabling Blue team detections to be optimized against a specific adversary. This type of adversary emulation is only possible through the fusion of the three (3) teams (CTI, Red & Blue).  Smaller and medium sized businesses (SMBs) have almost no chance to avoid ransomware unless they are using managed services to detect, correlate and respond to events. Managed Intelligence Service providers have experienced personnel, proven processes and the appropriate tools needed to accurately scope RaaS-related-risks and help guide SMBs through the challenge of hardening their systems focusing on cost effective risk reduction strategies.

1. Living Off the Land attacks make detection harder by an order of magnitude:

• With the growing percentage of attacks not having any type of signature file or easily identifiable IOCs, timely adversary threat intelligence focused for a specific organization is often the only early warning indicator capable of identifying potentially malicious activity pre-impact. When ransomware attackers use the same commands and tools that are native in an Enterprise environment, attackers become significantly more challenging to detect because it looks like expected or business-as-usual (BAU) traffic. Over 70% of ransomware is now non-malware attacks meaning ransomware groups don’t need to use custom malware that can be detected from a file hash.The new formula requires only initial access then common administration tool know-how and thanks to the democratization of RaaS, now even these components can be purchased and all an Affiliate needs is the desire to attack and the finances to pay the ecosystem to act.

In Episode 11 of Know Your Adversary®, we chat with an undisclosed security team that prevented an insider threat actor from extorting $300,000 from a global company. The result of the six months long investigation resulted in the arrest of the suspect who, as it turns out, was motivated by pride and money. 

One morning, the security team received an email asking for $300,000 as an extortion payment or the data would be released. Upon showing “proof of life” that the attacker possessed the data, it became clear they maintained elevated access beyond that of someone living abroad in Russia, as is typical of extortion attempts. Thankfully, the global company had a robust security program that allowed them to jump into high gear and track down the actor within weeks. 

While many think about grandiose espionage examples like former Soviet spies Aldridge Aimes and Robert Hanssen, in the private sector, two common themes are observed with insider threats when malicious acts go beyond negligence and into malfeasance: greed and ego. This case was no different and drives home important practices for an insider threat program. 

Including: 

1. Robust Open Source Intelligence Capability: Looking outside-in, your team should have the ability to collect important data that matches internal telemetry. This means having collection against social media and telemetry that can alert to sensitive data leaks with third party file sharing services (Dropbox, OneDrive, etc). 

2. Logging: It’s important to have inventory logs from the applications that are of most important business use. When sensitive data is leaked to the internet, a security team will almost certainly start looking at the logging from the applications where the leak originated.

3. Security Awareness Program: Building trust within the employee base to allow them to become their own sensor network with the security team always helps an insider threat program.

4. Forensics Capability: Quick forensics capabilities will almost always be needed when an alert fires from an insider data leak.

Check out the latest episode to learn how all of these functions worked in almost perfect unison when the insider threat started the extortion attempt.

In Episode 10 of Know Your Adversary™, ICE Miller Managing Partner Guillermo Christensen discusses the difference between the 2012 Saudi Aramco destructive cyber attacks and the 2021 Colonial Pipeline ransomware attacks.

In 2012, Iran attacked Saudi Arabia-based Aramco’s information technology (IT) infrastructure, denying service to the entire company to the point that Aramco gave gas away for free. Fast forward to 2021, a Russia-based ransomware gang Darkside attacked the IT infrastructure of Colonial Pipeline, particularly the billing system. When Colonial Pipeline couldn’t determine how to charge customers, instead of giving gas away for free, they shut down the pipelines thus denying gas to most of the United States easter seaboard. 

Primary Takeaways:

1. Ransomware gangs based out of Russia have organizational structures like most enterprises: sellers, access data brokers, operators, malware developers, and ransom negotiators. 
2. Small and medium sized enterprises have little chance to defend against these gangs without the help of experts, typically in the form of managed service offerings such as detection, response, and intelligence. 
3. Attribution to the actors and organizations is not as challenging as many make it out to be with the right coverage inside and outside the firewalls. Actors make mistakes not segmenting their infrastructure between attack stages and reusing emails and passwords to build their infrastructure, often on third party services. 
4. Enterprises need to consider national security related legal and consulting services that deal with nation state actors.

In Episode 9 of Know Your Adversary™, Nisos researcher Zeshan Aziz revealed that Chinese commercial marketing firm OneSight, developed a sophisticated social media management and monitoring system called OneSight Backstage Management System to propagate political disinformation against the Uyghur community. The research indicates the Chinese Communist Party (CCP) likely conducted the campaign.

Previous research into a breach of OneSight identified sophisticated social media surveillance tooling was used for widespread disinformation campaigns across many prominent Chinese and U.S. social media platforms. These campaigns targeted political topics, including Uyghur dissidents and anti-COVID19 messaging. While OneSight won legitimate contracts with the Chinese Communist Party to market Chinese state media, OneSight also used fake social media accounts to promote false narratives intended to create negative sentiment against U.S. policies.

Primary Nisos Process and Tools to Combat Disinformation:

1. Narrative: Identify the propagated primary messages.
2. Accounts and Content: Find the platform's activity and roll back the accounts.
3. Platforms and Outlets: Determine how widespread the messaging is on other platforms.
4. Attribution: Attribute the sponsor backing the disinformation campaign through technical signature analysis. 

Major Takeaways from the Investigation:

1. OneSight regularly advertises its Chinese commercial clients but does not disclose working directly with the CCP. However, research into the Chinese government procurement databases (the equivalent of the United States’ FedBizOps) indicates that OneSight regularly works with the CCP. 
   1. Besides anti-Uyghur messaging, other narratives favoring the Chinese state included positive messaging about Carrie Lam, a Hong Kong politician seen as a close ally to the CCP. 
2. CCP Unmasked claimed to have stolen internal documents from Knowlesys, a company based in Hong Kong and GuangDong, Yunrun Big Data Service, a company based in Guangzhou, and OneSight, based in Beijing. Nisos researchers reviewed the data from the OneSight compromise. In a YouTube video, they discovered a proprietary tool called OneSight Backstage Management System: a portal for storing and correlating persona accounts, the messaging used for those accounts, and the platform used for propagation. 
3. Violations of Foreign Agents Registration Act (FARA) have been an effective near-term way to combat individuals and organizations pedaling foreign disinformation. Its purpose is to allow the U.S. government and the general public to be informed of the identities of individuals representing the interests of foreign governments or entities.

In Episode 8 of Know Your Adversary™, we detail an August 2020 investigation when a Russian gang member named Egor Igorevich Kriuchkov traveled to the United States to recruit an employee of a US-based manufacturing company and to install ransomware on the network via USB thumb drive. He offered the employee $500,000, and if the operation was successful, the Russian gang was going to extort the company for $5,000,000. 

Fortunately, the company prepared the employee for this type of scenario and reported Egor. A subsequent FBI investigation arrested Egor and deported him back to Moscow, since there was a minimal loss.

This investigation details the sophisticated roles and responsibilities of ransomware gangs, identifying them as having a unionized effort. More strikingly, the investigation points to a potentially growing trend of recruiting employees to deliver malware payloads instead of just conducting the infiltrations remotely. 

Our guest for this episode is Charles Finfrock, who was previously a security intelligence professional for the company.

Key Takeaways:

1. Ransomware gangs can and will travel  to the United States and recruit employees to deliver the payloads.
2. A training and awareness program should empower employees to act as a sensor network to provide tips for a potential malicious nation-state or gang recruitment. 
3. Mature security intelligence and investigations programs are critical to deter these attacks at scale. 
4. Partnership with federal law enforcement should be established before an attack occurs to help expedite response.

In Episode 7 of Know Your Adversary™, we detail the August 2021 compromise disclosure of T-Mobile. A typical compromise of a sophisticated production network starts with an unwitting employee executing malware on their device. The threat actor then spends significant time moving laterally from the corporate network to the production network. 

However, in August 2021, John Binns, a US Citizen living in Turkey, disclosed that he compromised T-Mobile customer data by directly accessing the T-Mobile production network. While he initially stated his motivations were in response to physical abuse by nation-state governments, further investigation indicated that Binns was driven primarily by financial gain.

Our guest is ShadowByte Head of Research, Vinny Troia, a security researcher who directly interacted with John Binns. Listen now to learn the details of the attack execution and the motivation of John Binns. Key Takeaways Covered:

1. Like any enterprise, cyber-criminals are generally financially motivated; gathering enough data, including interacting directly with the threat actor and conducting the proper analysis, can peel back the motivations and provide context. 
2. The proper context can outline if an organization is a target of attack or opportunity, and this does not need to be a costly endeavor. This can then inform the proper security controls.
   1. Disclosure of attacker TTPs, victimology
   2. Attribution (when we have it)
   3. Share IOCs
   4. Provide context
3. Outcomes facilitated by public enforcement:
   1. Contacting the perpetrator’s family members or employer and demanding them to stop
   2. Law enforcement conducting a “knock and talk” without prioritizing prosecution 
   3. Rolling back anonymity by filing civil lawsuits and sending cease and desist letters
   4. Working with law enforcement to prioritize prosecution
   5. Security controls
   6. Administrative termination or account deletion
4. Further, sometimes attribution and unmasking are the strongest deterrents to cease malicious activity. Some examples of this working effectively are:\

In Episode 6 of Know Your Adversary™, we detail a previous supply chain attack from 2007 and then again in 2015 against a security software company. Foreign nation state adversaries conducted detailed reconnaissance and knew when a router was going to be rebooted for maintenance updates. Upon rebooting the router, the attackers “slipped through the crack” and into the software provider’s network by exploiting a vulnerability of the router model. This gave them a foothold into the software provider’s environment. The attackers then attempted to escalate to compromise the certificate authorities potentially to go upstream and compromise the software provider’s customers. Luckily, knowledge of a previous attack that occurred five years ago, compliance checks, and the properly alerting configurations contained the incident before it became a large-scale breach. 

Our guest is Lucidum CEO, Joel Fulton, a previous security practitioner for the security software company. 

Key Takeaways from This Episode:

1. Supply chain attacks have been a common vector for many years, but are becoming more sophisticated as displayed during the Solarwinds and Kaseya attacks.
2. Appropriate compliance controls allowed the software provider to maintain redundant visibility from internal telemetry when the adversary wiped the memory from the router. They were able to show that the attack was contained within the first two hours of the router exploitation and the attacker went no further. 
3. Threat intelligence, including External Attack Surface Monitoring, is critical to detailing actual reconnaissance that is ongoing against the enterprise, not just vague threats to the broader industry. 

In Episode 5 of Know Your Adversary™, we discuss a 2018 Nisos insider threat investigation of network sabotage that caused almost $1,000,000 in business operations loss. Following a recent merger and acquisition transaction, IT engineers of the nearly acquired subsidiary were upset with their new roles. They were also disgruntled over the fact that the parent company refused to integrate with their open source and cloud infrastructure. They decided to resign (one unbeknownst to the parent company), sabotage the core subsidiary routers, delete all activity of their wrongdoing, and actively conspired to steer the investigation away from their actions while accepting new employment. The results of the sabotage were a complete subsidiary network outage for over a week and a subsequent Nisos, partner, and FBI investigation that led to the arrest and detention of one co-conspirator. 

We will focus on the investigation, recovery, and attribution of threat actors with heightened focus on post-M&A activity. These exigent situations are often a perfect storm of insider control of systems and disgruntled employees seeking to cause damage at any expense.

Key Takeaways from This Episode:

1. Company acquisitions are often a merger of cultures and visions. Plans should be in place to ensure proper roles, responsibilities, and accountability post-acquisition are fully considered. Some deliberation should go towards personnel who may maintain heightened privilege access in the network.
2. Proper diligence should be conducted on IT and security programs pre-diligence as a matter of routine just like financials and compliance. A plan should be in place to integrate company infrastructure on Day 1 of close post acquisition. 
3. Ensuring confidentiality, integrity, and availability of data, systems, and networks following a breach or incident is crucial. Initiating attribution of identities matters in investigations, especially those deemed to be insider threats. 
4. Attribution almost certainly involves “going outside the firewall” and looking for operational security mistakes and artifacts of bad actors. 

In this investigation, the discovery of a third-party virtual server Linode instance ultimately gave critical evidence leading to high confidence in attribution. 

In Episode 4 of Know Your Adversary, we are joined by Gigamon Senior Manager Joe Slowik. Our discussion takes a look into the world of Russian nation-state hacking units, particularly the GRU and the SVR. We take a deep dive into the 2015 and 2016 cyber attacks against the Ukrainian power grid and review how Russia’s capabilities are increasing in sophistication, mainly through lateral hand-offs between the teams of hackers operating in IT and OT environments. We discuss the technical details of such operations and how enterprises can better defend themselves while considering the geopolitical ramifications, mainly that GRU tends to blatantly cause disruption and outages while SVR moves more “low and slow” for intelligence collection. 

Key takeaways from the episode include: 

Different teams with different skill sets were seen in the 2016 cyber attacks on the Ukraine power grid by Russian Unit 74455. This same level of growing maturity was not seen in the previous 2015 Ukraine power grid attack. In 2015, Russian hackers, known in the security industry as “Sandworm,” infiltrated a Ukrainian power grid and successfully “moved laterally” from the information technology environment to the operational technology environment that controlled the electrical grid. They caused a massive outage that became the first known successful cyber attack on a power grid. Then again, in 2016, they conducted the same operation. However, as they moved to the operational technology environment, it was clear a different set of operators were testing other tools that automated the exploitation process. While testing tools on a live OT production environment was not expert tradecraft, it nevertheless demonstrated Russia’s increasing desires to build this tradecraft in people and tools on multiple fronts of computer network exploitation teams. 

Lessons for Protecting Enterprise: 

1. Visibility is still critical. If a security team can’t protect what they cannot see, critical infrastructure won’t have the chance to distinguish between different nation-state hacking units. 
2. MTTA and MTTR: Mean time to alert and respond should matter significantly for security teams depending on who the actor is. If it’s clear it’s the GRU, they have experience conducting disruptive attacks, and response should be immediate. However, if it’s the SVR, while the time to respond should be swift, they are probably operating for intelligence collection purposes and not likely to disrupt business operations by turning out the lights.

In Episode 3 of Know Your Adversary™ we are joined by Shawn Valle, former Chief Information Security Officer at Rapid 7. Our discussion takes a look into the world of online platform abuse and fraud.  Shawn tells us about two major threats he faced prior to taking on his current role. Each of those threats warranted different levels of attribution. In the first case, he was faced with bot programmers who abused the platform to “cut in the digital line” when major retailers were having online sales. In the second case, he was faced with a security researcher who compromised a third-party supplier, exfiltrated sensitive data, and threatened to go public if a ransom payment was not made. 

Key takeaways from the episode include: 

DIfferent types of fraud, but similar techniques. While fraud on technology platforms differs from fraud against other industries, many of the techniques used to combat the abuse is the same. This is especially true when it comes to threat actor engagement. 

Whether we are discussing “Trust and Safety” issues related to online platforms or fraud related to scams against employees, applications, or customers, both types of exploits result in reduced consumer confidence. In both cases, as Shawn explains, organizations must take aggressive steps to engage directly with threat actors to stop and attribute the fraud and ensure confidentiality, integrity, and availability of services. 

Not all levels of e-crime require attribution and unmasking. The extent to which a victim will pursue threat actors varies. Many fraud prevention programs exist simply to identify the tactic being used to commit the fraud and ensure the fraud stops so the product or service can function properly. In many cases, the effort necessary to identify, pursue, and arrest the fraudsters is simply not worth expending resources.

Many levels of loss and reputation impact do require the attribution. As we discussed in last month’s episode with Randy Pargman, when security researchers or insider threats make contact with a victim and threaten a sizable payment or face public disclosure, attribution that goes beyond tactics and techniques is necessary. Shawn discusses another real-world example.