
Robin’s Newsletter #150

Babuk ransomware operators demand $50M from DC police. BoJo's phone number available online. Emotet deactivated. And, burrowing beavers.

 Vol. 4  Iss. 18  02/05/2021   Robin Oldham  ~6 Minutes


This week

Babuk ransomware attack on D.C. Police

The Metropolitan Police Department (MPD) received an ultimatum from the Babuk ransomware group this week: pay us $50 million or we will release the details of confidential informants to criminal gangs.

MPD is the police force of Washington D.C. and represents an audacious target for a ransomware operator. It’s hard to see a situation where a police force would capitulate to the demands. There is a clear risk to the safety of individuals co-operating with law enforcement, though: if the group has compromised this information, then the damage is already done, and MPD should be acting as such and offering additional protection to those individuals.

The cybercriminals also released alleged files from a claimed 250GB of exfiltrated data, appearing to show police disciplinary files and case files from investigations such as January’s Capitol riots. These sorts of files are likely to cause greater embarrassment and play into ongoing police brutality and governance stories in the U.S. media.

In a series of messages, the Babuk group first announced that compromising the MPD had been their goal and that they would cease operations and open-source their malware source code, only to post a further update saying they would continue in the extortion business, simply by stealing files rather than also encrypting them.

Many ransomware operators have made announcements that they are getting out of the business (vol. 2, iss. 22), or even returning ransom payments (vol. 4, iss. 14), in attempts to reduce attention on their operations and avoid arrest.
Also this week, the Ransomware Taskforce released its report setting out a framework for combatting ransomware. The group, primarily led by industry with representatives from some government agencies, presents ransomware as a national security issue and makes recommendations under the banners of deterring, disrupting, preparing for and responding to ransomware.

Specific focus is given to cryptocurrencies and the ability to ‘collapse’ the payment systems that cybercriminal gangs use to transfer funds. It is also recommended that pressure be placed on nations that are known to harbour ransomware operators.

The move away from operational disruption by Babuk, who claim to be “the best pentesters of dark net”, is interesting and shows the continued evolution of the tactics employed by cybercriminals.

This new ‘leak only’ model in part shifts the focus from a two-way interaction between criminal actor and victim organisation to a more complex framing where the organisation is painted as the ‘bad guy’ and its customers as the victims. In essence, it outsources the pressure onto outraged customers of the organisation, in a similar way to how denial of service attacks exploit flaws in protocols to act as amplification attacks.

Perhaps it shows that there have been sufficient improvements in many organisations’ operational resilience, while reputational resilience is much harder to achieve. As Warren Buffet says, “it takes 20 years to build a reputation and five minutes to ruin it.”

Babuk/MPD: arstechnica.com, scmagazine.com, bleepingcomputer.com, Ransomware Taskforce: scmagazine.com, securityandtechnology.org

Interesting stats

$220,298 mean ransomware payment in Q1 2021 and $78,398 median payment, according to CoveWare; both up on Q4 2020, but lower than previous highs. bleepingcomputer.com

Other newsy bits

U.K. Prime Minister’s personal mobile number has been online for 15 years

Amidst ongoing rows over ‘access’ to senior government officials, it has come to light this week that U.K. Prime Minister Boris Johnson’s mobile number has been available online for the last 15 years.

Access to that number lowers the barrier to many attack vectors, especially when the individual will be targeted by foreign adversaries. These may include location tracking of the individual, call interception through SS7 hijacking, and SIM-jacking attacks to transfer the line to another SIM (though these tend to be one-time affairs, as they are quickly discovered by the victim).

A primary concern though would be how much easier it makes it to target the individual with ‘smishing’ attacks to phish credentials that may give access to other personal accounts.

Non-technical issues also abound: circling back to ‘who has access?’ and the potential for distraction from important matters, it also increases the opportunity for nefarious, or perhaps just mischievous, calls from impostors, such as when impressionist Jon Culshaw got through to Tony Blair while posing as William Hague (see YouTube video). theguardian.com, ft.com, youtube.com

Law enforcement activate Emotet kill switch

In January, law enforcement from the Netherlands and Germany seized control of core parts of the Emotet botnet and pushed out an update to 1.6 million infected devices (vol. 4, iss. 5). This week that update prevented the malware from running automatically and uninstalled it from infected devices. The Emotet botnet was used by cybercriminal groups for distributing malware and sending spam and phishing emails. A list of 4.3 million email addresses harvested by Emotet has been handed over to the Have I Been Pwned? breach notification service and subscribers notified. cyberscoop.com, zdnet.com

In brief

Attacks, incidents & breaches

  • Experian API allowed lookups of credit scores using only name and address krebsonsecurity.com
  • Cloud provider DigitalOcean says 1% of customer billing profiles breached including name, address, last four digits and expiry date techcrunch.com
  • REvil keeping up the pressure on Quanta with promises to leak further Apple schematics, logos and personal information of the company’s employees bleepingcomputer.com
  • MerseyRail victim of ransomware attack, organisation’s own email accounts used to send notifications to journalists theregister.com

Threat intel

  • A look into a high-stakes business email compromise attack unfolding against a hedge fund and family office ft.com
  • Scammers targeting gig economy workers, phishing credentials, changing bank details and stealing payouts vice.com
  • U.S. cybersecurity agency CISA publishes details on TTPs of Russia’s SVR cyber operations: low and slow password spraying and WELLMESS malware cisa.gov
  • Linux backdoor RotaJakiro discovered by Qihoo 360 Netlab, undetected for almost two years theregister.com

Vulnerabilities

  • Vulnerability fixed that allowed boobytrapped documents to bypass macOS’ Gatekeeper and run code without user interaction techcrunch.com
  • Internet Systems Consortium urges organisations to update BIND DNS servers zdnet.com

Security engineering

  • New Microsoft Graph APIs for managing updates available as public preview, allows control and staging over updates and how they are deployed across Windows fleets microsoft.com
  • GitHub exploring new policies on hosting proof-of-concepts and exploits scmagazine.com

Internet of Things

  • Microsoft research finds buffer overflow vulnerabilities all-too-common in IoT and industrial systems theregister.com

Public policy

  • U.S. Department of Justice launches review of cyber policies: ransomware and Solarwinds/supply chain attacks drive investigation into cryptocurrencies and monitoring of domestic cloud platforms cyberscoop.com
  • Five-part test proposed for military intervention in cybercrime operations (focused on overseas operations, as it is assumed the FBI would handle domestic interventions) lawfareblog.com

Law enforcement

  • Administrator of Bitcoin Fog cryptocurrency service arrested in Los Angeles and charged for role in laundering $336M wired.com

Mergers, acquisitions and investments

  • Thoma Bravo announces plans to add Proofpoint to cyber security portfolio and take company private in $12.3B cash deal techcrunch.com
  • Accenture acquires French company Openminded to bolster European capabilities of Accenture Security business zdnet.com
  • Darktrace completes IPO, shares up 40% on first day of trading ft.com

And finally

Burrowing beavers block browsing by breaking B.C. borough’s broadband backhaul

Meanwhile, in Canada, beavers have caused a 36-hour outage of internet, mobile and TV services for up to 900 residents of Tumbler Ridge, in the foothills of the Canadian Rockies. Over 800 beavers are laying siege to Tumbler Ridge, and the town’s mayor, Tom Arnold, has called for greater flexibility in dealing with Canada’s national animal, saying that “the beavers have to be eradicated.” Animals and Mother Nature are an oft-underestimated threat to the availability of large-scale infrastructure, with squirrels and birds sometimes using infrastructure for their own purposes (see YouTube video). bbc.co.uk, youtube.com