115. A Ransomware for the Dramatic
Coming up this week on Breaking Badness. Today we discuss: Con-TI for Two the initial access broker with ties to Conti, SATCOM on Already: Threats to the SATCOM Networks, and our fun new game, two truths and a lie.
Here are a few highlights from each article we discussed:
- Google’s Threat Analysis Group (TAG) observed a financially motivated threat actor working as an intermediary for Russian hackers, including the Conti ransomware gang
- The group, known as Exotic Lily, is what’s called an initial access broker
- Initial access brokers are more specialized entities who hone their skills to initial break-ins of networks, then sell that access to those with more dangerous intentions
- In this way, initial access brokers provide bad actors more time to focus on their methods of attack
- Google TAG has seen a mix of traditional tactics as well as some more creative ones from this group
- They’ll attempt to get individuals to hand over their credentials and download malware
- They’ll also use lookalike domains that are close to the original (using endings like .us instead of .com)
- This group will also go so far as to create fake personas using AI to generate headshots and appear as recruiters on social media
- Additionally, they might also take publicly available information to create fake accounts of real people to look as legitimate as possible
- What groups like Exotic Lily bring to the table is their ability to scale their research
- They’re only focusing on the initial access portion of the puzzle, while another bad actor will use that information for their own gains
- Because Exotic Lily puts so much time toward building trust, it may seem like spotting these accounts is near-impossible
- However, on the detection side, you can do your own defense and be on the lookout for doppelgangers
- As a reminder, folks need to be careful about new emails or emails that don’t look quite right
- In terms of targeting, this group casts a wide net
- Google reports that they send upwards of 5,000 emails per day globally
- Previously, they had been targeting industries like IT and Healthcare, but recently it looks like every industry is fair game
- Google reported that this groups location (based on communication activity) is Central or Eastern Europe
- In response to Exotic Lily’s activity, Google is improving protections by adding additional warnings for emails originating from website contact forms, better identification of spoofing, and adjusting the reputation of email file sharing notifications
- They are also working with Google’s CyberCrime Investigation Group to share relevant details and indicators with law enforcement
- CISA and the FBI recently shared they’re aware of “possible threats” to satellite communication (SATCOM) networks in the US and worldwide
- For those who are unaware, the term ‘SATCOM’ is typical government-ese (or nerd-ese) for satellite communications
- In this case, it’s not referring to any signals send and received by satellites, but specifically data networks carried by satellites (Internet connectivity, in other words)
- For remote locations, satellite is often either the best way or the only way to get high-speed data because terrestrial services (whether based on cables or on terrestrial radio like microwave towers) just doesn’t extend to all parts of the planet’s land mass
- For ships and remote islands, satellite is also the best bet for high-speed data
- Currently, CISA and the FBI said these are “possible threats” meaning they have not yet come to fruition
- If legitimate threats were to surface, it would depend A LOT on what specific satellite network was disrupted
- If a network that is principally involved in providing Internet access to remote locations, then statistically speaking for most Americans it wouldn’t be a big deal, but of course for those affected it would be—they’d lose an important part of their connection to the rest of the world, and to services that people have come to rely on day to day, including sometimes critical services such as health care or proper functioning of certain infrastructure
- For some SATCOM networks, it might act more like what you see when some other big chunk of internet infrastructure goes offline, like when a big datacenter goes offline.
- In this case we’re talking about transport rather than data at rest, but the net result could be similar.
- This warning comes after the KA-SAT network used by the Ukrainian military was affected by a cyberattack which led to outages
- CISA and the FBI are warning that essentially the same could occur here in the US, but keep in mind the impact would likely be very different
- In Ukraine, Russians are disabling as many different communications networks as possible, so satellite has become a last resort for many users (“users” being not just civilian end users, but also Ukraine’s army and government)
- As many folks by now know, this event is also what was behind the disabling of some 8,500 German wind turbines. It wasn’t initially understood that this was the root cause there
- The bottom line is that as long as Russia or some other actor didn’t also disable big chunks of other communications infrastructure, the impact wouldn’t be as dire as it is in Ukraine. But obviously it could still be quite disruptive
- One article we at DT read mentioned ships and how the loss of satellite communication could have major safety implications, not the least of which is the ability of the ship to send a reliable distress signal in case of emergency
- Ships do have other communication methods (such as long range HR radio), but it is still a significant impact
- The mitigation strategies CISA and the FBI detailed for SATCOM network providers will sound familiar
- Have good network segmentation
- Have strong authentication
- Look carefully at remote access policies
- Review service provider data policies
- Ensure you have good visibility and maybe step up your log monitoring
- Ensure your patching is as current as possible
- Enforce the principle of least privilege
- Most things in infosec boil down to “least privilege,” meaning, does this thing really need to be able to access this other thing?
- “Thing” here could mean a human accessing an account; it could mean a network having open ports to another network; it could also mean a process of talking to memory
- If every instance where packets move from one spot to another isn’t subject to well-engineered least privilege design or configuration, the likelihood for malicious actions increases
Two Truths and a Lie
Introducing our newest segment on Breaking Badness. We are going to play a game you are all likely familiar with called two truths and a lie, with a fun twist. Each week, one us with come prepared with three article titles, two of which are real, and one is, you guessed it, A LIE.
You’ll have to tune in to find out!
This Week’s Hoodie/Goodie Scale
Con-TI for Two the initial access broker with ties to Conti
[Taylor]: 6/10 Hoodies
[Tim]: 5/10 Hoodies
SATCOM on Already: Threats to the SATCOM Networks
[Taylor]: 5.5/10 Hoodies
[Tim]: 7/10 Hoodies
That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!