The ongoing cyber crime boom

easyDNS is pleased to sponsor Jesse Hirsh’s “Future Fibre / Future Tools” segments of his new email list, Metaviews

The kind of crime optimized for this crisis

It should come as no surprise that the one area of the economy that continues to thrive and prosper is cyber crime. It was booming before, but unlike much of the rest of the economy, that boom has only increased in scale and scope.

This is in no small part because the computer criminal economy is remarkably accessible. If desperate times call for desperate measures, and many people remain in self-isolation, remote criminal work may look like a convenient, or desperate, option for some people to take. Not to mention that with everyone inside, there’s less opportunity for crime elsewhere, as well as an increased risk of detection.

To be clear, I am not in any way advising this as a course of action; quite the opposite. While cyber crime is easy to get into, it is not easy to cover your tracks, get away with it, or prevent other criminals from preying upon you. Rather, we should pay attention to cyber crime in general, and cybersecurity in particular, so we can protect ourselves.

For those who are intellectually curious, there are also quite a few fascinating details in the way cyber crime constantly evolves. For example, the details around LockBit, an effective and potent piece of malware, illustrate the kinds of threats that are circulating:

Many LockBit competitors like Ryuk rely on live human hackers who, once having gained access, spend large amounts of time surveying and surveilling a target’s network, before unleashing the code that will encrypt it. LockBit worked differently.

“The interesting part about this piece of ransomware is that it is completely self-spreading,” said Patrick van Looy, a cybersecurity specialist at Northwave, one of the firms that responded to the infection. “Hence, the attacker was only inside the network for a few hours. Normally we see that an attacker is inside the network for days or even weeks and does this reconnaissance of the network manually.”

After getting in, LockBit used a dual method to map out and infect the victimized network. ARP tables, which map local IP addresses to device MAC addresses, helped to locate accessible systems, and server message block, a protocol used for sharing files and folders among networked machines, allowed the infected nodes to connect to uninfected ones. LockBit would then execute a PowerShell script that spread the ransomware to those machines.

This kind of efficiency allows for attacks that combine speed and stealth. The result is an ability to take over a network quickly, before a response can be mobilized, creating more pressure to make a ransom payment.
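The self-spreading stage described above has a network-side signature a defender can look for: one node opening SMB (TCP/445) sessions to an unusual number of distinct peers within minutes. The following detector, an added example that is not part of the original article or of the Northwave/McAfee analysis, runs that check over constructed flow-style log lines; the log format, window and threshold are assumptions.

```python
"""Flag hosts that fan out over SMB to many distinct peers in a short window.

Assumed input: one flow per line, "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>".
A sliding window of `window_s` seconds is evaluated from each SMB connection.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample flows: 10.0.1.20 fans out to six peers on 445 in seconds,
# 10.0.1.30 touches three file servers spread over half an hour (normal use),
# 10.0.1.40 is HTTPS traffic and should be ignored entirely.
SAMPLE_FLOWS = """\
2020-04-01T09:00:05 10.0.1.20 -> 10.0.1.50:445
2020-04-01T09:00:07 10.0.1.20 -> 10.0.1.51:445
2020-04-01T09:00:08 10.0.1.20 -> 10.0.1.52:445
2020-04-01T09:00:09 10.0.1.20 -> 10.0.1.53:445
2020-04-01T09:00:11 10.0.1.20 -> 10.0.1.54:445
2020-04-01T09:00:12 10.0.1.20 -> 10.0.1.55:445
2020-04-01T09:03:00 10.0.1.30 -> 10.0.1.10:445
2020-04-01T09:15:00 10.0.1.30 -> 10.0.1.11:445
2020-04-01T09:30:00 10.0.1.30 -> 10.0.1.12:445
2020-04-01T09:00:10 10.0.1.40 -> 10.0.1.99:443
"""

def parse_flows(text):
    """Yield (timestamp, src, dst, port) tuples from the assumed flow format."""
    for line in text.splitlines():
        ts, src, _, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        yield datetime.fromisoformat(ts), src, dst, int(port)

def smb_fanout(text, window_s=300, min_peers=5):
    """Return {src: peer_count} for sources that reached at least `min_peers`
    distinct hosts on TCP/445 within some window of `window_s` seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, port in parse_flows(text):
        if port == 445:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, conns in by_src.items():
        conns.sort()  # chronological order so each window starts at a connection
        best = 0
        for i, (start, _) in enumerate(conns):
            peers = {dst for ts, dst in conns[i:] if (ts - start).total_seconds() <= window_s}
            best = max(best, len(peers))
        if best >= min_peers:
            alerts[src] = best
    return alerts

if __name__ == "__main__":
    for src, n in smb_fanout(SAMPLE_FLOWS).items():
        print(f"ALERT {src}: {n} distinct SMB peers inside 5 minutes")
```

Tune `window_s` and `min_peers` to the baseline of the environment; backup agents and administrative scanners can legitimately produce the same fan-out and should be allow-listed rather than the threshold raised.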

Although as is often the case with these sophisticated attacks, there’s a geopolitical dynamic:

LockBit had another clever trick. Before the ransomware encrypted data, it connected to an attacker-controlled server and then used the machine’s IP address to determine where it was located. If it resided in Russia or another country belonging to the Commonwealth of Independent States, it would abort the process. The reason is most likely to prevent being prosecuted by law enforcement authorities there.

As well as anonymous tech support:

Using a Tor site, the organization paid the ransom and, after several hours, used the same anonymous service to obtain the decryption key. Like many other ransomware operators, those behind this attack had a support desk that communicated over the anonymized Jabber messenger to resolve several problems the organization had in rebuilding the locked-up network.

My point about accessibility is that software like LockBit is sold (relatively) openly.

LockBit is sold in underground broker forums that often require sellers to put up a deposit that customers can recover in the event the wares don’t perform as advertised. In a testament to their confidence and determination, the LockBit sellers have forked out almost $75,000.

There’s a large market for cyber crime tools and software, which illustrates that the only barriers to entry are willingness and a lack of morals. While high-end software like LockBit costs money, there are both free tools and tools that appear free but actually have back doors in place that ensure your work secretly benefits someone else.

There’s more detail about LockBit via this McAfee blog post:

As we highlighted in the first two articles, targeted ransomware attacks have increased massively over the past months. Many of them use a similar, quite manual, attack pattern, as we highlighted. In this article, we provided an in-depth view of a relatively new ransomware family named LockBit. Based on a real-life case as encountered by Northwave, we described a typical ransomware attack, including the modus operandi of attackers, the recovery process, an insight into the underground that advertises the ransomware and a full technical break-down of the ransomware itself.

While it is important to recognize the threat that malware poses, it doesn’t have to increase your anxiety or fear, as there are measures that can be taken if and when a ransomware infection occurs.

The No More Ransom! website has a wide range of tools and resources, including solutions for a growing number of ransomware types that allow you to decrypt the data without having to pay the ransom.

In many cases, protecting yourself from cybersecurity threats really comes down to knowledge, literacy, and recognizing that the resources are there when required.

Yet part of what makes cyber crime so effective and lucrative is that it constantly evolves.

In many ways, the COVID-19 pandemic has been a boon to cybercriminals: With unprecedented numbers of people working from home and anxious for news about the virus outbreak, it’s hard to imagine a more target-rich environment for phishers, scammers and malware purveyors. In addition, many crooks are finding the outbreak has helped them better market their cybercriminal wares and services. But it’s not all good news: The Coronavirus also has driven up costs and disrupted key supply lines for many cybercriminals. Here’s a look at how they’re adjusting to these new realities.

The article details some of the disruptions to reshipping schemes, which use intermediaries to fence goods bought with stolen credit cards, and the ways in which criminals are adapting. In many cases, “mules” became reluctant to head out to the post office or big box retailers to pick up products out of fear of infection.

This led to a larger, albeit paradoxical, discussion around the morals and ethics of criminal activity:

Interestingly, the Coronavirus appears to have prompted discussion on a topic that seldom comes up in cybercrime communities — i.e., the moral and ethical ramifications of their work. Specifically, there seems to be much talk these days about the potential karmic consequences of cashing in on the misery wrought by a global pandemic.

For example, Digital Shadows said some have started to question the morality of targeting healthcare providers, or collecting funds in the name of Coronavirus causes and then pocketing the money.

“One post on the gated Russian-language cybercriminal forum Korovka laid bare the question of threat actors’ moral obligation,” the company wrote. “A user initiated a thread to canvass opinion on the feasibility of faking a charitable cause and collecting donations. They added that while they recognized that such a plan was ‘cruel,’ they found themselves in an ‘extremely difficult financial situation.’ Responses to the proposal were mixed, with one forum user calling the plan ‘amoral,’ and another pointing out that cybercrime is inherently an immoral affair.”

It does raise the larger question of whether this crisis is causing a reconfiguration for society, as we reassess our values and in some cases have our principles tested under pressure.

While for the vast majority of us this does not involve contemplating a life of crime, it does put pressure on privacy and security practices. I think of this myself in terms of past habits of buying many products with cash that I’m now compelled to buy online. The data I’m now leaking back into the world has increased substantially.

The same is true of technology use. Where pre-crisis we might have been more careful or vigilant about our choices, now we’re often forced to go along with the crowd and use what others are using if we hope to connect, collaborate, or interact with them.

This guidance from the NSA is interesting:

Because of COVID-19, many U.S. Government employees and military service members are working from home to provide continuity of government services. Malicious cyber actors are taking advantage of this.

NSA’s recently released cybersecurity guidance, Selecting and Safely Using Collaboration Services for Telework, contains a snapshot of current, commercially-available collaboration tools available for use, along with a list of security criteria to consider when selecting which capability to leverage. In addition, the guidance contains a high-level security assessment of how each capability measures up against the defined security criteria, which can be used to more quickly identify the risks and features associated with each tool.

An extended version of Selecting and Safely Using Collaboration Services for Telework is also available.

NSA encourages all who are working from home to review this guidance to make more informed decisions about which collaboration capability best meets their particular need. By following the practical guidelines listed in the CSI, users can mitigate some of the risks posed by malicious cyber threat actors.

The above is a fairly sensible document and provides a quick comparative overview of which tools are more secure than others. It is perhaps a by-product of the government being just as unprepared to work from home as the rest of us.

There are similar resources being prepared by people outside of government, if for whatever reason you choose not to trust the NSA:

It’s not just remote workers that are of concern, as this is also a boom time for cyber criminals (and cyber spies) targeting health care organizations and those engaged in COVID-19 research:

This is not surprising given the global rush to buy up personal protective equipment, and the impact that demand has had on prices as a result of limited supply. It’s safe to assume that research around testing, vaccine development, and treatment would involve a similar, if not greater, level of global intrigue, subterfuge, and espionage. Or am I just being cynical?

What do you think? What can we be doing as a society to better protect our networks and computers? Now that you’re probably depending upon your home internet and devices more, are you giving greater thought to their security and maintenance? What sort of actions would you take to do so? How might you stay informed about such issues in the future?

Most of the cybersecurity issues or examples touched upon in this issue reflect the kind of innovation taking place, but some of the older methods can be just as effective:

Finally, this webinar provides a good overview of what’s been happening and some of the challenges arising as a result of our current situation.