Mark Tibbs
Welcome to MDR Cyber's quarterly threat update this is the threat, this is looking back at threats from Q2 in 2021. Thanks for joining us. So right without further ado, I'm going to introduce to you very briefly our lovely panel.
Kimberley Bromley
My name's Kim and I am a Senior Cyber Threat Intelligence Analyst at Digital Shadows and regular guest on Shadow Talk, our cyber threat intelligence and information security podcast.
Katy Ling
I'm a Cyber Intelligence Analyst at MDR Cyber. Previously I was working in counter-extremism and threat intelligence but at MDR Cyber I mainly work in the investigations and open source team but also assist with cyber incidents.
Adam Lorimer
My name's Adam Lorimer and I work within MDR Cyber looking after digital forensics and security instant response.
Mark Tibbs
My name is Mark Tibbs and I'm the Cyber Intelligence Director here. Kim and I used to work together in law enforcement many years ago but since then I've also worked for Digital Shadows and now MDR Cyber. We're going to look back today at a few key incidents from 2021 at Q2 and the point of that is to see what we can learn practically from them. So this quarter in keeping with the past few years it's been dominated by the ransomware epidemic as I describe it. We've seen a continuing boom in incidents across a range of sectors and the problem is not going away and this quarter we witnessed an audacious attempt by well-known group to leverage the software supply chain to make mass infections through a managed service software Kaseya however we've also seen some encouraging enforcement wins against some ransomware groups and then we've, we've chosen a couple of incidents which probably didn't really hit the news but not, not really mainstream incidents that we've picked out because they, they, they had teachable moments in there for our audience. So it's a minor incident involving an old browser initial access vector called Exploit Kits which used to be a feature of the cyber threat landscape but basically have gone away and then also evidence that email fraudsters were using old email protocols to avoid modern authentication, multi-factor authentication to get in and out of email accounts but Adam do you want to take us through the Kaseya ransomware supply chain attack and tell us what happened?
Adam Lorimer
So in early July, the very start of the month there was a incident involving mass distribution of REvil ransomware. The investigation indicated that MSPs, Managed Service Providers that were using a Kaseya virtual server administration product were affected and the actors, the criminals responsible got access to servers these MSPs were running by exploiting some documented but unpatched vulnerabilities in a tool called Kaseya VSA. They then deployed ransomware downstream to hosts that were being managed by those servers and that ended up infa… impacting it is somewhere in the region of 1,500 customer organisations. So a more positive ransomware development is that there has been a enforcement and ransom recovery success in the United States. At the start of May Colonial Pipeline was impacted by a ransomware attack which resulted in it having to suspend operations for the better part of a week. They paid a ransom of 4.4 million in bitcoin to the DarkSide Ransomware Operators who are responsible for the incidents. Around three weeks later the DarkSide Operators transferred some of that bitcoin to a wallet which the FBI had access to via a private key. So the FBI were then able to swoop and recover those funds, so that was around half the total ransom.
Mark Tibbs
Right so shall we start with some questions about the Kaseya incident because that was a significant incident or was it, Kim?
Kimberley Bromley
Although Kaseya estimated that only around 40 to 60 of their MSP customers were affected, because of all the clients that they have and the downstream effect that Adam spoke about, the victims were much higher and those numbers have been creeping up and up and up and I also read some reports that REvil and Gang Crab, who are believed to be the REvil predecessors have tried to target Kaseya before. They've seen the value in it as a target, knew that the potential impact they were going to have would be huge and, and that's why they went after it.
Mark Tibbs
So what can businesses do about things like Kaseya and possible future supply chain attacks, Katy?
Katy Ling
In terms of generally protecting ourselves against them it's employee training and having good security controls but also specifically for supply chain, it's about auditing your suppliers and making sure that they are also up on their cyber security. And then specifically for the Kaseya attack I think it highlighted the need for code auditing of your software to check for bugs and any vulnerabilities hopefully before bad actors can identify them and then use them to their advantage.
Mark Tibbs
I'm going to move on to the FBI sees the colonial pipeline ransom. What the FBI got the private key for the bitcoin address, how did that happen?
Kimberley Bromley
Specifically how they obtained that key or password we don't know. A few possible options so they might have been, the FBI might have been tipped off by someone associated with the attack. The attack happened and then DarkSide were very quick to come out and blame one of their affiliates for it so perhaps an affiliate was getting an own back and then passed, passed the key over. We know that the FBI have been tracking and monitoring DarkSide since they began last year, so it's very possible that the FBI had some sort of monitoring on the group. Lastly they might have attained it from bitcoin themselves or from the crypto exchange that was dealing with the transactions.
Mark Tibbs
Adam in terms of recovery for crypto what are the techniques that are available to victims of cybercrime.
Adam Lorimer
If you have a crypto currency exchange that is in a friendly jurisdiction then monitoring the movement of crypto currency until it hits an exchange wallet and then serving that exchange with a legal Order requiring them to freeze that wallet and then transfer the funds and details of the wallet ownership to you is an option. At some point operator… these criminal operators are going to have to use an exchange to convert their ransoms, their criminal proceeds into usable currency and if you've been able to track the movement of that currency following the payment of the ransom or the theft of the funds or whatever then legal action against an exchange is possible and has been done before in a handful of cases.
Mark Tibbs
Stephen has asked, do you know if any ransomware perpetrator have been caught if so what were the consequences or penalties? Well yeah, thankfully recently there have been some arrests and Kim did you want to talk introduce this?
Kimberley Bromley
In mid-June this year, so just over a month ago, Ukrainian Police along with law enforcement from Korea and America, arrested six individuals believed to be members of the Klopp ransomware group. The arrested individuals have been charged with offences related to unauthorised access to computers, systems and telecommution… telecommunication networks. If they are convicted of those crimes they could face up to eight years in prison.
Mark Tibbs
What do you think the impact is of these kind of operations on ransomware groups?
Kimberley Bromley
We might see a short-term cessation in their activity, closing of the infrastructure that they were using. A large percentage of the time these groups then do come back just under a new guise. It was interesting that earlier in the year a ransomware called Ziggy did actually cease operations citing law enforcement action as a reason. So it is, it is kind of scaring some of the lower level ransomware groups and when we've seen arrests coupled with infrastructure seizure like in this point, that does seem to have a bit of a longer lasting effect.
Mark Tibbs
Why is ransomware such a key issue for businesses at the moment?
Adam Lorimer
If you reach a point where a ransomware operator has compromised your network and is in a position to deploy ransomware on hosts across your, like your corporate network then the best case scenario is you have to recover everything from backups and rebuild all of the compromised computers which is a massive and unavoidably time-consuming and expensive job. You know, the worst case scenarios continue to get worse from there so yeah a successful ransomware attack is hugely disruptive even if you've done everything right and you're in a position to recover relatively quickly.
Mark Tibbs
And then in terms of sort of key trends, I mean things that we've seen over the last couple of years I suppose are that you know, these groups are becoming more professional moving from single targets to target businesses, the volume of attacks is increasing, the, the, the variety of different methods of initial access is also quite broad. In 2020 a lot of exploitation of perimeter services like VPNs and firewalls and there's quick exploitation of newly documented vulnerabilities. As I remember from years ago, Exploit Kits used to be a real a really big part of the cyber threat landscape. Katy, do you want to just brief in the incident that we picked out has been kind of interesting?
Katy Ling
In February of this year a new Exploit Kit was identified a new campaign, and it used two scripting engine vulnerabilities and unpatched internet explorer browsers and the exploitation chain started with a malicious online ad delivered through a legitimate website and after clicking on it the user would be redirected to the landing page and that's where they were trying to serve two exploits and if one of them was successful then the malware would be executed on the victim's machine. This doesn't happen that frequently anymore because of increased browser security so I think we're just highlighting it because potentially Exploit Kits are making a comeback.
Mark Tibbs
So just from visiting a website I can get infected with malware?
Adam Lorimer
As Katy alluded to, less so these days because browser security has gotten so much better. These vulnerabilities were for internet explorer which isn't a particularly common browser anymore.
Katy Ling
So Chrome and Firefox and I think all of the browsers that we've been pushed to use, it's much more difficult to execute EKs on them because of the increased security. I think that this potentially suggests that they were trying to target a specific group someone that they knew was using internet explorer.
Mark Tibbs
Okay and Kim what can businesses do to ensure they're not vulnerable from Exploit Kits?
Kimberley Bromley
Standard advice, it's going to be to make sure that browsers and plug-ins that you're using or any other systems and software are patched and they are up-to-date and you keep up-to-date with any new security patches that come out and then you can also take to actively scanning networks to try and identify and take action against any new threats that you don't have those automations in place for.
Mark Tibbs
I'm going to move on finally to business email compromise or BEC fraud where attackers gain access to email accounts to facilitate fraud. So in June Microsoft reported an incident or a campaign that they've been tracking and the campaign was relatively standard in, in most ways. A lot of business email compromise and email compromise in general has been mitigated by the use of second factors or, or several multi-factor authentication. So in this case what was it interesting about it was that the researchers observed the attackers were exploiting configurations so that all the less secure methods of access could be used. So basically the attackers they used automated code to check credentials and bulk and then they forced the legacy email protocols removing the need for a certain factor.
Adam Lorimer
How big business is this particular crime type?
Kimberley Bromley
So in 2020 the FBI's internet Crime Complaint Centre estimated that losses from BEC fraud exceeded 1.8 billion dollars which was a four-fold increase on 2016 and the number of incidents also rose by sixty one percent during that time.
Adam Lorimer
Mark, Kim's given us a bit of a background of how big a crime type this is but she also kind of hinted at the fact that it's been around for a pretty long time. Why is it still a problem?
Mark Tibbs
Well it's, it's still a problem because businesses generally haven't adopted some of the security protocols that will avoid this. So introducing those kind of minimal standards is a really important one but then also just some process as well around verifying transactions. You can set a standard that says well over a certain amount we have to, we have to verify it through a third, a third way not email. Of course they they play on urgency and, and they'll often sort of pose as CEOs, what's often called CEO fraud or very senior business leaders to put that pressure on more junior staffs. So the key here is like that you know, there are a number of protocols that can be defaulted to less secure authentication so businesses running Office 365 that use legacy email protocols such as IMAP could be potentially vulnerable to these kind of attacks but essentially it's about businesses understanding what legacy protocols are still able to be used and you know, if they can, disabling them basically and using, using some of the security tools that email providers like Microsoft and roll out.
Adam Lorimer
What are the types of things that investigators should look for with BEC.
Katy Ling
So we would ask you to send over the emails and then we can look at the header information and try and find out if we can see who's actually sent it and trace them down and try and get back any money that might have been lost or hopefully it would have been identified before before that so we can actually just see who it is and go from there and as Mark said, potentially take legal action.
Mark Tibbs
Thank you very much to my panel and thanks to all our audience and thanks for the great questions.