
Robin’s Newsletter #141

IABs charge just $7,100 for access to victims' networks. Accellion file transfer appliances popped left, right and centre. Former SolarWinds CEO says it is all the intern's fault.

Vol. 4, Iss. 9 | 28/02/2021 | Robin Oldham | ~5 minutes


This week

Initial Access Brokers (IABs) and the evolving economics of cybercrime

Interesting research from the folks at Digital Shadows into the rise of what they have dubbed ‘Initial Access Brokers’ (IABs). These groups spend their time attempting to gain access to organisations and then sell this proven access to other cyber threat actors. IABs are closely linked with the rise of ransomware operations, which are now largely manual operations designed to inflict maximum pressure on a victim.

Retail, financial services and technology top the sector chart (below) by count, while engineering and construction, technology and e-commerce commanded the highest prices.

Figure: Industries targeted and asking prices. Most targeted industries and the average prices of access. Source: Digital Shadows

I find it an interesting area because of the dynamics it creates for defenders: moving from a broad spread of probabilities towards a more binary outcome of compromised, or not.

There are only a finite number of bad actors in the world and they have limited bandwidth to carry out nefarious activities. Much is made of the ‘asymmetric threat’ where ‘attackers only need to get it right once’; however, in many cases that was offset by the question of whether you were actually interesting as a target or not.

Automation is helping IABs to improve their efficiency and, crucially, with a low-cost base they are not as fussy about who or what they find. With purely commercial objectives, ransomware operators don’t care about how interesting you are.

This reduction in cost base is a blessing: you don’t need to spend a huge amount of resources to combat this automation. Making sure you have secured any Remote Desktop Protocol (RDP) servers and turning on multi-factor authentication are great ways of sending automated scanning tools the message that you’re not worth the effort. They’re looking for the lowest-hanging fruit.
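As an added example (not from the newsletter or the Digital Shadows research), here is a PowerShell audit a defender could run on a Windows host they administer to check the points the paragraph raises: whether RDP is enabled, whether it insists on network-level authentication and TLS, and which remote addresses the built-in firewall rules admit. The registry values and cmdlets are standard Windows ones; the wording of the finding is my own. MFA for RDP normally comes from a gateway or identity provider that the host itself cannot see, so the script flags address scope and NLA rather than claiming to test MFA.

```powershell
# Added example: audit this host's own RDP exposure and hardening.
# Run locally, or against hosts you administer via Invoke-Command.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

# fDenyTSConnections = 0 means Remote Desktop is switched on.
$rdpEnabled  = (Get-ItemProperty $ts  -Name fDenyTSConnections).fDenyTSConnections -eq 0
# UserAuthentication = 1 means Network Level Authentication is required before a session is created.
$nlaRequired = (Get-ItemProperty $tcp -Name UserAuthentication).UserAuthentication -eq 1
# SecurityLayer = 2 means TLS is required (0 = RDP security layer, 1 = negotiate).
$tlsRequired = (Get-ItemProperty $tcp -Name SecurityLayer).SecurityLayer -eq 2

# Remote address scopes on the enabled "Remote Desktop" firewall rules.
# 'Any' on an internet-facing interface is exactly what mass scanners look for.
$remoteScopes = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress -Unique

[pscustomobject]@{
    Host           = $env:COMPUTERNAME
    RdpEnabled     = $rdpEnabled
    NlaRequired    = $nlaRequired
    TlsRequired    = $tlsRequired
    FirewallScopes = ($remoteScopes -join ', ')
    Finding        = $(
        if ($rdpEnabled -and ((-not $nlaRequired) -or ($remoteScopes -contains 'Any'))) {
            'RDP reachable without NLA or from any address: restrict the scope or put it behind a VPN/MFA gateway'
        } elseif ($rdpEnabled) {
            'RDP enabled with NLA and a restricted scope: confirm MFA is enforced at the gateway'
        } else {
            'RDP disabled'
        }
    )
}
```

Run it on a sample of hosts and pipe the objects to `Export-Csv` to get a quick exposure inventory; anything reporting `Any` in FirewallScopes is the low-hanging fruit the paragraph describes.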

digitalshadows.com

Interesting stats

$7,100 average price asked by network access brokers on criminal forums for proven access to a victim's network, according to Digital Shadows [above]

£10M in costs and investment by Hackney Council to recover from the ransomware attack that crippled their services in October last year (vol. 3, iss. 42) hackneycitizen.co.uk

35% of attacks investigated by IBM’s X-Force division in 2020 were ‘scan and exploit’, surpassing the 31% for phishing ‘for the first time in years’ ibm.com

Other newsy bits

The relationships between different cybercrime operators

An interesting map here of the relationship between different operators and malware from the folks at CrowdStrike and their 2021 Global Threat Report:

Figure: Relationships between different cybercrime operators. Source: CrowdStrike

crowdstrike.com, also a summary on zdnet.com

Accellion file transfer appliances compromised for 33% of customers

A group claiming to be the ‘CLOP ransomware team’ compromised file transfer devices used by Accellion’s customers to steal sensitive information and attempt to extort them. Companies including aerospace firm Bombardier, law firm Jones Day (who worked for Trump) and Asian telco SingTel have all been listed on the group's ‘leak site’. The vendor’s PR team tried to downplay the attacks, saying that “fewer than 25 appear to have suffered significant data theft”. The attacks appear to be largely ‘smash and grab’, with little evidence of lateral movement or persistence being established. Mandiant has linked the attacks to a criminal actor it refers to as UNC2546, and says the data was stolen through December 2020 and January 2021. The U.S. Cybersecurity and Infrastructure Security Agency has published technical details of the vulnerabilities and indicators of compromise. vice.com, cyberscoop.com, zdnet.com, cisa.gov

In brief

Attacks, incidents & breaches

  • DDoS attacks on Ukrainian government websites from Russian IP addresses may be retaliation for Egregor arrests bleepingcomputer.com; Ukraine also blames a ‘hacker spy group’ from the Russian Federation for an attack on a government document management system zdnet.com
  • U.S. Federal Reserve suffers ~90 minute outage caused by ‘operator error’ that took down wire transfers and ACH transactions bleepingcomputer.com
  • University of Oxford lab investigating COVID-19 compromised by attackers selling access forbes.com
  • Ecuadorian finance ministry and largest bank compromised by ‘Hotarus Corp’ bleepingcomputer.com

Threat intel

  • Chinese group was using the NSA’s ‘EpMe’ years before Shadow Brokers dumped parts of the NSA’s tooling wired.com, cyberscoop.com
  • Ransomware attacks on universities up 100% year on year leveraging pressures from online learning, according to BlueVoyant zdnet.com
  • Hackers for hire: Cisco points to grey area between organised cybercriminals and nation state actors scmagazine.com
  • ‘Kamacite’ group attempting to maintain persistence within U.S. electric grid, according to Dragos wired.com
  • LazyScripter group has been targeting airline industry since 2018, posing as IATA and infecting victims with remote access trojans bleepingcomputer.com
  • Ryuk ransomware gains self-spreading, worm-like capabilities to target Windows devices bleepingcomputer.com

Vulnerabilities

Security engineering

  • Security of skills for Amazon’s Alexa found lacking in new research study, with checks focussing on initial submission theregister.com

Internet of Things

  • Hard-coded key in Rockwell Automation Logix programmable logic controllers allows authentication bypass arstechnica.com

Privacy

  • Online trackers starting to use sub-domains to bypass same-origin restrictions on cookies theregister.com
  • Insider threat: McDonald’s allegedly monitoring social media to identify restaurant staff that may be ‘Fight for $15’ organisers vice.com

Public policy

  • Tech lagging policy: software bugs reportedly keep Arizona inmates jailed past release dates arstechnica.com
  • U.S. considering Russian sanctions for Solorigate attack ft.com

Mergers, acquisitions and investments

  • RedHat latest to make Kubernetes deal, closing $100M acquisition of StackRox zdnet.com

And finally

It’s not the intern’s fault you got hacked, SolarWinds

Former SolarWinds CEO Kevin Thompson has suggested that the basic ‘solarwinds123’ password on a file server (that may or may not be linked to the wider Solorigate breach) was the fault of an intern. If true — and, hey, we have no reason to doubt Thompson’s testimony — then the company’s culture, practices, technical solutions, or assurance activities must also have been pretty spectacularly lax: because nothing says ‘good corporate governance’ like getting the intern to set up the build process for a ~$1Bn software company, and then not checking what they did or how they did it. The company expects to spend $20M to $25M in 2021 as part of efforts to improve product security. cnn.com, zdnet.com