State of Cybercrime

Hackers Swatting Victims

Episode Summary

As cyber threats evolve, so do the targets. From the shocking “swatting” incidents at Fred Hutchinson's Cancer Center to the alarming rise of fake hack-back offers after ransomware attacks, the landscape of cybercrime is constantly shifting.

Episode Notes

Enjoy our first State of Cybercrime episode of 2024 as Matt Radolec and David Gibson cover:

Mentioned in this episode:

Episode Transcription

[00:00:00]

Matt Radolec: Oh, David, it's awesome to be back, man. 

David Gibson: Hey, happy New Year. I'm good. How are you doing? 

Matt Radolec: I'm awesome. Happy New Year to you, too. Hello, everybody. My name is Matt Radolec. I'm joined by my co host, David Gibson. Fun fact, has more dad jokes than the chat bot for dad jokes does. 

I wonder where everybody's joining us in from today.

I'm home today in in Maryland. What about you, David? 

David Gibson: I am in Connecticut, and Jersey City, good, [00:01:00] getting the chat going, Kentucky, loving that, awesome. 

Matt Radolec: I'm glad it still works in 2024, if people still know how to do the chat. We got somebody else in Maryland, I'm wondering where you're from. 

David Gibson: Oh wow, Alaska.

Calgary, London, Tennessee, 

Matt Radolec: we got, okay, hello, bonjour from Lyon we got somebody coming in all the way from India, great to have you here, a couple people from Florida, awesome, somebody from Vegas, from the Bay Area, Mexico, Madrid. We are well represented. It's a global presence on today's show, so 

David Gibson: we really are.

Matt Radolec: Yeah, and we've got a lot to cover today. We've even got a brand new segment today. So we'll go over good news because everybody's always got to hear something good that's happening in cyber security. We'll talk about 1 of our brand new segments, AI Vey, because I know everybody's already tired of hearing about it.

We'll jump on the danger zone. We'll also cover a brand new vulnerability never before covered before found by Varonis Threat Labs. So make sure to stay tuned at the end. 

And as always, we hope we get the chance to interact with you along [00:02:00] the way. 

But let's crack right into it. 

We always like to start the show with some good news in cybersecurity because oftentimes everybody has this doom and gloom outlook. They're worried about the end is coming from a cyber standpoint, but sometimes the good guys do get ahead. 

First and foremost,

David Gibson: they do.

Matt Radolec: Yeah, this HAECHI IV operation was a massive success. Law enforcement from over 34 different countries came together over the course of 6 months to take more, take down more than 3500 cyber criminals for a myriad of different criminal enterprise activities. They had the phishing scams, the romance scams, the sextortion, the investment fraud, money laundering, illegal gambling, business Email Compromise, E Commerce Fraud, and so much more. 

One of the more notable crypto scams that I picked out, though, was it's called a rug pull crypto scam and some hackers, Rio were arrested for that. This is where they hype a new cryptocurrency just [00:03:00] enough to get some people interested in buying it and then they dump it, they let it go to nothing.

So they get other people to buy into that cryptocurrency and it's purely a fraud scheme to just make a little bit of money and then completely devalue the currency by selling out their entire inventory and assets of it. Thought that was really interesting. In total, David, and I'm sure audience might be shocked by this too, 200 million in cold, hard cash was seized and 100 million in crypto assets were seized. So 300 million from 3500 cybercriminals. I think that tells you though that cybercrime is still a pretty lucrative business. 

David Gibson: It is. And one, one interesting quote that I read in one of the articles about this was the central commodity of this illicit economy is stolen data.

Go figure, right? It, this is what makes that huge Cash and crypto exchange go. 

Matt Radolec: Yeah, there used to be that saying, all roads lead to Rome. I feel like that's outdated. It's all breaches lead to [00:04:00] Rome, yeah. But that's not the only good news we have to cover. I think that there was something else, something related to cause of a breach.

David Gibson: Yeah, I, is this good news? I I'm looking at this story, 23andMe genetic data and kind of the reason that it looks like thousands of their about 14, 000 of their 14 million customers were brute forced. Actually it's credential stuffing, right? So they reused passwords, go figure and multi factor was not required.

But then because they had chosen to share their genetic data, there's an option to share your genetic data with your relatives. The amount of people that were affected by this breach was closer to 7 million, about 6. 9 million. 

And I think really, after this they required MFA but obviously not before. And I guess, really the question is, your bank doesn't let you [00:05:00] not use MFA anymore. Is this and I think we have a poll question in a minute, but just, is this data worth protecting in the same way that you I don't know what you think about that, Matt. 

Matt Radolec: Yeah, when we have damage that could be done from health information, I put it right up there with financial information. You could find out about relatives you didn't want to know you have, or maybe you were trying to hide, you could find out those, family medical history that can often be like, very intimate and people like, they want to keep that private.

I think about this and blaming your users, which is also your customers I want to add. Generally not a recommended business practice, but when we look at it, who's fault is it? I'm curious what people say in the chat as well as, answering this poll question. If the user used a password and it got breached somewhere else, and they reused it on 23andMe, is it their fault?

Curious to see what you guys have to say about that. And also, how harmful you think this breach would be. 

David Gibson: The other thing that I find with this is, you're allowing one person to make a bad decision that affects a [00:06:00] lot of people. And so that I feel like changes that equation.

If you were allowed to use a terrible password for your money, for your bank account and you lost your money the impact of that breach is contained. But it's much bigger. 

Matt Radolec: Yeah, I like what John said. John said, I can't even pay an electric bill without MFA.

That's to pay somebody. Yes. Even to get data, that's to pay somebody else. I also liked what was said by Krishna, which is around the it could expose reproductive information un, unneeded reproductive information. Definitely. Definitely. 

Now everybody loves talking about AI. And that's why we put a whole segment together called AI Vey, because who doesn't want us to hear about all the dangers or all the happenings inside of AI? Now, I might have leaked to you guys earlier that there is a dad joke chatbot from OpenAI, but OpenAI has got a whole now custom store for custom chatbots.

Now, not that I think that my first instinct is we're going to have hackers exploiting this, [00:07:00] though it does sound like it's probably something that's going to happen. My gut says we're probably gonna have a lot more customer service robots than we did in the past. But the thing that this kind of makes me think about though, and I'd like to see what our audience says on this.

Are you guys using chatbots now? Or is your organization leveraging AI in a productive way already? Like one that you'd want to share? Or have you tried to and there's been a challenge? It's again, something that you want to share with the rest of the audience or anything you want to add, David? 

David Gibson: Just that my large language model of dad jokes is really precious to me.

And I take a lot of, a lot of care to secure that data set. But actually I was curious what people think on this as well the big app stores like, Apple the App Store, and, Google, the Play Store, they take a lot of pains to make sure that there aren't malicious applications in those stores and this I think similar, I don't think you can charge money yet, but I think you will be able to soon.

I'm not [00:08:00] sure, whether this same kind of level of rigor is being anticipated as needed for the OpenAI. This is something where there's not a lot of scrutiny. 

Matt Radolec: There's a lot of things, Like they, and there's been a handful of things that have slipped through over time, but by and large, it's been pretty robust in keeping out things like malware or, like fraud scams in the actual apps themselves. That is a danger that people have to be concerned about is, do you know what the full intention of the chatbot that you're using? 

David Gibson: Yeah I actually, I did actually search for dad joke chat bots in, I've subscribed to chat GPT 4 and there are a bunch of them.

One of them actually tried to take me to an external place and I'm just like, oh God, is it happening already? It it said, do you want to allow access? And I was like, oh my God, here we go. I am curious about how this is going to play out. 

Matt Radolec: It seems like most of our audience is treading pretty lightly when it comes to AI and chatbots and leveraging it more heavily.

Seems like everybody's like not doing anything officially [00:09:00] yet. They're exploring things, but lots of red flags being thrown around. 

Speaking of red flags, let's jump on in the danger zone. Let's talk about a couple of attacks that we think everybody should be aware about. 

One of those is there are huge crypto schemes going on where some sort of crypto actor will take over X or a Twitter account handle from popular regulators or even things like cybersecurity companies to promote NFTs and other types of cryptocurrencies.

It's really just to grab a little bit of attention, I think, in the media for a short amount of time so that people then look up that cryptocurrency, see if it's worth investing in, who knows, it could even be the front for another type of pump and dump scan and what all these Xs and Twitter compromises remind me of is almost a decade ago, I attended a security conference at a Goldman Sachs building in in lower Manhattan.

And it was all around what corporations need to do to secure their social media identities. And 1 of the things that was really profound for [00:10:00] me as it hit me, a big bank, like a Goldman Sachs, them tweeting something could have drastic impacts on the markets. People like news outlets, the entire world watches what the banks are doing and tries to make money like the banks do.

And so they talked about how they actually broke up their social media account passwords into chunks, and gave certain people a chunk, so that if you wanted to tweet on behalf of the bank, you needed five people to come together and share their one little chunk of the password. And then those passwords were rotated after each tweet.

So they took it incredibly seriously. Who, and again, this was almost a decade ago. Incredibly seriously the power that came from almost like exactly like launch codes is what somebody said. They took that responsibility of tweeting on behalf of the bank incredibly seriously.

And I'm just wondering, are people out there, are they at least using MFA for their corporate social media accounts? Are they doing things like making sure that complex passwords are [00:11:00] there and it doesn't just sit, within a social media intern or something like that? 

David Gibson: Yeah, it's it's crazy with something you just said. Michael, that just talked about the launch codes, when a tweet when you need to secure it, like you do a nuclear bomb, it's pretty crazy the amount of damage that these things can do. 

Matt Radolec: Yeah, and talking about damage, we're seeing some kinetic consequences of cyber attacks, and this was something I put as my big predictor in 2023, and it looks like it's already come true.

David Gibson: Yeah, it seems like one common theme here with these stories is, there's a lot of deception, a lot of ways to try to collect and extract money and when a ransomware gang goes after a victim, like a healthcare provider and the healthcare provider doesn't pay then the threat actors go after the customers or the patients for that healthcare provider.

We've heard stories of them, saying you need to pay us or we'll charge you and then, the swatting, really making making life miserable by sending law enforcement teams [00:12:00] after these innocent folks. It's just another step. And I also, of course it has a side effect, it's potentially a denial of service for services that are pretty needed, right? As well. 

Matt Radolec: Yeah, I mean in just in case anybody's unfamiliar with that term swatting, right? So the, the hospital was the victim of a ransomware attack. Inside of that, that data set from that hospital was information about patients. And so what the threat actors were doing is having calling the authorities and saying, there's like a hostage situation or an active shooter at 1 of these patients houses, causing a SWAT team to show up at their house, probably even break down their door try to stop this active crime that is purportedly taking place, all to punish the hospital for not paying the ransom, or try to persuade the hospital to not pay a ransom. And so, one of our audiences said, this is a new low to target hospitals. It's actually a low below that low. They're targeting patients.

These people were not the ones that refused to pay the ransom, right? They had nothing to do with the, yeah, exactly. Targeting a cancer patient [00:13:00] that's going to a hospital to get care because they're on a list of files that got exfiltrated. It's truly like heinous is the only word I could come up with.

David Gibson: It sure is. And so much medical information, right? 

Matt Radolec: Yeah, a lot of vulnerable people. Yes. Yeah, and I, sorry, I didn't mean to cut you off there, David. I was just thinking about vulnerable members of society and then it got me thinking about the vulnerable vulnerabilities that we usually talk about next. And, when we think about health care information, I just want to double down it.

I feel like I read about health care breaches on a nearly weekly basis. And, when we think about some of the sources, some of these breaches, oftentimes health care companies are also the ones that can't patch things like Log4Shell or Harplead or all these other kind of long standing vulnerabilities everybody knows about that get taken advantage of in attacks and expose patient information. But I think, one of those kind of vulnerabilities that you really wanted to cover, David, it has to deal with this Androxgh0st malware and taking credentials. This was one that you [00:14:00] and I had a ton of back and forth about.

David Gibson: Yeah, I thought this was pretty interesting. There were some exploits and vulnerabilities that were exploited, but it was to target env files. And so these are files that containers use like a docker container would use during startup if I'm, if I'm not, keep me honest here, Matt, but, this is 

Matt Radolec: It usually sits in the root file of the docker container, right? It's got like different startup things and variables that need to be called out. It often contains things like a key. 

David Gibson: Exactly. And if you think about it, it's okay, so the container has to do something. So it's got to connect to other stuff. So you have to give it instructions when it starts up on how to connect to the other stuff.

And so a lot of folks put credentials in these ENV files. I read one string where somebody's like trying to do it with environment variables and everybody's yeah, no, that's not going to help, and I just thought it's like, because it has to start somewhere. It sounds like some external sources, like you really have [00:15:00] to build in some layers here.

It's not an easy problem to find. And because these credentials are so critical and they can lead to more access to more critical stores like AWS, right? And in Azure, right? And other cloud resources, you gotta protect those keys, right? 

Matt Radolec: I think there's two other things to this that you have to think about too.

One Obviously, cybercrimes happen all the time, but the FBI doesn't tell us about every little thing. So this usually, from my experiences, indicates that there's like an active campaign, with active victims or multiple active victims, and they're trying to warn the community. If you've got, credentials or containers that you run inside of your cloud, now is a really great time to ask yourself the question, do I have plain text secrets, passwords, or keys sitting inside of containers? or sitting inside of storing a blob storage or object storage or publicly accessible on some sort of SaaS application that are going to put my organization at risk because we're not storing those credentials properly. 

And this isn't, when it comes to containers like Docker, that's not necessarily an [00:16:00] easy fix either to stop using a startup command that includes a key.

You may have to think about other ways that you can harden that container or prevent someone from observing or stealing that key, or even thinking about using like more sophisticated secret and key management, with the least privileged concept in mind. So that even if someone did get that key, it wouldn't be very useful for anything.

David Gibson: Yeah, I think you hit on something really important. It's if you don't know where these container files live and where they may be, where they may store credentials that, that is potentially a risk vector. And I think you're right about the FBI warning there. That's probably what's going on.

Matt Radolec: Yeah, and if you think about the sort of the long, let me rephrase that, it takes one key or one secret or one password to have a bad breach. And I look back to the Uber breach that everybody remembered where they caught it and they found that username and password on that file server that got them into the H1N1 database and then like 600, 000 Uber drivers and riders had all this information [00:17:00] exposed. And that's something that, you've got to, you've got to really like, have as a reality check for yourself. Do you have 1 of these master keys sitting in plain text in your environment that someone could take advantage of?

And also I saw 1 of our audience members. How do we know not to make a priority? I'm sorry, I might have been misinterpreted. What we're trying to say here is that if the FBI is issuing a warning, it absolutely should be a priority for an organization to tackle these things. You definitely want to be aware of it and make yourself aware of the dangers of having keys being exposed.

And if this is something you're totally unfamiliar with, if you're sitting on the show today, and you're like, I don't even know where to start. We have that question poll at the end of our of our shows. We have people from Varonis that could help you teach you about that and even talk about ways you can help find and scan for keys.

As I saw a couple of people in the chat kind of say that not really sure, not don't really understand this space a whole lot. Now one of the other things I thought was really interesting, David, is we've seen a rise in hack back campaigns. Now, let's go back to the swatting that we talked about earlier and use this as an example, right?

[00:18:00] Hackers are now offering to hack back the ransomware operators on your behalf to avoid paying for things. So instead of paying the ransom, now the option exists for you, I don't strongly don't recommend this by the way, definitely a violation of the Computer Fraud and Abuse Act especially if you're located in the United States, but the hacking as a service or hiring hackers to hack back the ransomware operators to try to recover some of your data or recover some of the Bitcoin.

I think I even saw that in one case, they were able to recover 200, 000 of Bitcoin that the victim itself had sent to the to the hackers. Anything more on that, David? 

David Gibson: Yeah, it's just, everybody you could see in the chat reacted to like the swatting with, it makes you angry.

Just, these victims are getting swatted like this and really inconvenienced when they're already potentially sick. This is a ransomware group that actually is harnessing that anger and there is some speculation that the [00:19:00] same group is doing the hacking back that is doing the initial ransomware.

Clever. But again, despicable. We're going to hack you, and then Pose is somebody that's going to go seek revenge on that hacker. So that's I think they're just definitely playing on the emotions there. 

Matt Radolec: Oh, yeah. Just like a hacker ception here. You're just going to find yourself in this loop.

You've got to have hackers to hack those hackers, but then they're going to mess with you, so you're going to need hackers to hack those hackers. Next thing you know, you've got nothing left and all your crypto is gone. 

We teased at the beginning that we have a new vulnerability to talk about and Varonis Threat Labs has been pretty hard at work collaborating with Microsoft on this one.

You want to tell people what is this new NTLM leak vulnerability and why should people be concerned about it? 

David Gibson: Yeah, I give it up for Varonis Threat Labs basically finding this and then getting the folks Microsoft mostly, to patch it. But essentially, we found, or Varonis Threat Labs found, three separate [00:20:00] mechanisms where a host will authenticate, or try to authenticate, to a server on the internet, and inadvertently, or And inadvertently, really, it's by design, share the NTLM version 2 hash with that remote host.

And so there are three separate vulnerabilities. One is in Outlook and that's through calendar sharing. There, there's a vulnerability there. We'll, we can talk about that a little bit. One's in Windows Performance Analyzer. And another is just in good old Windows Explorer. And so we should talk a little bit about how this works.

But in all three cases, You've got an NTLM hash going out to the internet, which then, you can use that, like you can brute force it offline or write to something called an authentication relay, right? If you want to explain how that works too. 

Matt Radolec: Yeah, and let's talk about the Outlook one, right?

It's so novel. I always think man, I'm sure other attackers have figured this out. We were just the first ones to report it to try to get it to be fixed. But, when you open someone [00:21:00] else's calendar, right? You have to authenticate to that calendar to get the permission to view that object. Now, it's really common for an organization internally to have read calendar privileges across the board, maybe not for the details, but at least for availability.

It's a super common setting, right? Or even just the ability to request it. Even that request alone you're actually using like a, a hash copy of your password of MTLMv2 to be able to do that. So as soon as they click open that cal Or if an attacker is able to coerce someone into doing that, they're actually going to send that hash token directly to their computer.

And I think the, with the Windows Performance Analyzer, it's actually a little bit worse, David, where it really is just actively trying to authenticate over the open Internet with with NTLM 

David Gibson: Yeah, in all cases that there's this hash that's basically going over the internet, but with WPA it just uses like a straight up URI handler.

It's like a, like HTTP colon, but for WPA. And then it, it basically opens and tries to authenticate to that host. And [00:22:00] I guess that this is, the good news is it's only developers usually that have the Windows Performance Analyzer installed, so not everybody is going to have that, but developers also typically have high levels of privileges too, so it makes sense to, to really worry about that a little bit.

Matt Radolec: There is hope. There are mitigations, SMB signing, which is like a standard feature in Windows 11 2022. You can also block NTLM authentication. Hopefully this isn't the first time you're hearing about the dangers of NTLM. In general, it's considered a dated authentication protocol and people are moving off of it because of things like, pass the hash or hash cracking and password dumping and just like the popularity of how easy it is to get big rainbow tables.

You can buy them on eBay. Spin them up on Amazon for like dollars per day and be able to crunch through a lot of password hashes. Definitely something to be aware of. And obviously if it's something you can't mitigate, you have to think about compensating controls like, monitoring or even more aggressive password rotation.

David Gibson: Yeah. I definitely think [00:23:00] blocking outgoing NTLM that would be like first on my list. Especially if I didn't have all Windows 11 hosts that people are maybe running some older versions of Windows as well. That and hopefully this is another nail in the coffin for NTLM in general, right?

But it takes a long time to get rid of that stuff. 

Matt Radolec: Yeah, this is it. And we'll take a couple minutes now and see if any questions came in during the chat today. It was really nice to interact with everybody. The other thing I'll say, and like always, is the show is made possible by you guys, our audience.

So we really appreciate you being here. We're excited to make a habit out of the state of cybercrime here in 2024 and interact with you as often as we can on all the latest happenings in cyber and we're definitely gonna be talking about AI. It's something that David and I are super passionate about and covering both the pros and how security pros are using AI for the good, but also how attackers are using it or how organizations are misstepping with ai.

So thank you so much for coming today. Go ahead, David. 

David Gibson: I was just going to say thanks [00:24:00] everybody. It's great to kick off the year and I look forward to doing this again.

We did get one question about NTLM, right? how to check to see whether it's in use or not. 

Matt Radolec: Yeah, best, easiest way, Jeremiah, if you don't have AD events shipping somewhere like a Varonis go in and log on to a domain controller or have an admin of one of your domain controllers log on, pull up the security log, inside of the security log, you're going to look for those NTLM authentication events. And even if, interestingly enough, if somebody from the production team wants to Google Varonis NTLM, we could even drop a blog post into how to investigate NTLM authentications into the chat. 1 of the 1 of the members of the Varonis IR team put together a how to investigate NTLM.

It's in the context of a brute force attack, but in your case, you're just trying to look up for NTLM authentications. I'd also hate to say it's probably a guarantee you're using NTLM in some capacity. Most organizations cannot eliminate its use completely.[00:25:00] So it's more a question of compensating controls and how do we keep it from being abused.

1 of the easier ways to keep it from being abused is obviously long and complex passwords and rotating them frequently, such as the goal of a lot of privilege identity projects, but also privilege identity monitoring, being able to see when those admin accounts or service accounts are getting abused is another good compensating control.

David Gibson: Some viewers are interested in where they can find more discoveries from Varonis Threat Labs. 

Matt Radolec: I'll throw that one at the production team too to see if they can throw the Varonis Threat Labs blog or a link to the blog in the chat as well. 

David Gibson: Excellent. Yeah, the Varonis blog I think is a good source of that.

So I think there's a filter there you can use as well. 

Matt Radolec: Yeah, and then I think that pretty much wraps it up, so we'll drop a few other links in the chat, and again, we appreciate y'all being here, and we look forward to our next episode of State of Cybercrime. Thanks so much.

. .