DARK DAYS: Digital Asset Redemption's Monthly Newsletter - July 2024
Welcome to this month’s edition of DARK DAYS! There’s a lot of noise in the world of cyber readiness, and we're here to help you make sense of it. Let’s get to it.
In This Issue:
News Blotter
Some stories in the “we love to see it” category:
An international effort involving 61 countries landed a major shock to the scam network ecosystem of phishing, investment fraud, fake shopping sites, romantic impersonation scams (and more). This effort resulted in:
Europol also coordinated a massive operation across multiple countries, agencies, and private enterprises that led to the shutdown of over 600 illegal Cobalt Strike servers. Cobalt Strike is a powerful red team tool, but over the years threat actors have stolen, jailbroken, and used it for their own malicious purposes.
And, in the “ugh” category:
By now you’ve probably heard about AT&T’s massive data breach, affecting nearly every single AT&T customer. A few days after this, reports broke that they had contracted a “security researcher” to pay the threat actor $373,646 to delete all the stolen phone records, to ensure they wouldn’t be released and exploited on the dark web. There’s a lot to say about this hack (as evidenced by the DAR Team’s Slack), but there are some things worth mentioning:
Finally, some crypto platforms were the target of DNS hijacking recently. This means people trying to access these sites were automatically redirected to fake copycat sites run by threat actors, which phish the crypto wallet information that users enter there believing they are on the legitimate site. Security researchers are still looking into exactly why and how this crime spree happened, but here are some of the highlights:
Learning Corner: Ransomware Payments
There’s been a subtle (or maybe not-so-subtle) shift recently in how these ransomware events are being reported on and discussed, especially when it comes to payments. We touched on this above in the blotter, but from AT&T’s very public payment admission to CDK’s breach to UnitedHealth’s $22 million payment (that ended up being for naught), the topic of paying threat actors is becoming more and more prevalent.
We wanted to lend some insight and nuance to this discussion from our perspective as the ones who deal with and can pay threat actors. So let’s break down some of the more common talking points/misunderstandings we’ve seen or heard:
1. “Why do we trust criminals to do what they say? Won’t they just take the money and release the data anyway?”
We get this question a lot. And the answer is annoyingly a little complicated.
When dealing with criminals there is always – always – inherent risk involved. The saying goes that there is no honor among thieves, and there are certainly instances where that proves true, sometimes in a spectacularly public fashion, such as the above-mentioned UnitedHealth attack, which ended with a ransomware group imploding and the company sending the payment but not receiving the promised goods from the threat actors. It’s estimated these attacks are going to cost UnitedHealth an eye-popping $2.3 billion this year.
It’s important to remember that not all ransomware attempts and negotiations end in payment. Sometimes negotiations are a stalling tactic while incident response teams evaluate the situation to see exactly how much damage has been done and whether they can recover using their disaster recovery mechanisms and backups.
We also have to remember that these criminals are operating as businesses in a very specific ecosystem that generally relies on repeat business. If they don’t provide the decryption keys after payment, word gets out, and nobody will ever do business with them again, including other criminals. So generally speaking – very generally – these groups do tend to honor their word because, like everyone these days, they need recurring revenue, not one-time hits.
The key to all of this, of course, is having good intelligence and incident response during the attack. You need people who have the ability to reasonably determine who exactly is conducting the attack, their history, whether they’re on any sanctions lists or operating out of sanctioned countries such as Iran or North Korea while posing as Russian operators, as well as other considerations.
2. “If everyone agreed to stop paying threat actors at the same time, they wouldn’t be able to profit and would stop.”
We want nothing more than for threat actors to stop their misdeeds. And if this approach had any chance of working, we’d be all for it. But we also have to look at the reality of the world we live in. If you think it’s hard coordinating a group of more than three people for a brunch at the same time and place with many weeks’ notice, imagine getting every person, company, government, etc. in the world to do the right thing together, even if it would stop threat actors dead in their tracks.
Now imagine that you have agreed to these conditions, get attacked anyway, and you are forced between paying or closing your business and livelihood or providing critical services for those in need. These choices suddenly become much more difficult, and expecting victims of these crimes to sacrifice their wellbeing – and sometimes the wellbeing of others – isn’t the easy choice many think it is.
Second, threat actors wouldn’t stop, and might actually increase their efforts in worse ways to get their victims to break. Extortion is a profitable business for them, and when evildoers are backed into corners, they’ll respond in kind by potentially attacking even more where it truly hurts, such as even more hospitals, schools, critical infrastructure such as public works, etc. (In medical circles, this effect is sometimes referred to as an “extinction burst.”)
Refusing to pay the threat actors might sound like a solution on paper, but nothing happens in a vacuum. If threat actors are going to respond in kind by amping up their attacks, it’s not an exaggeration that human lives will be put in danger. Research is emerging, but a recent study out of the University of Minnesota shows that patient mortality rose up to 20% during a ransomware attack. Of course, correlation doesn’t equal causation, but it doesn’t take much imagination to understand that if, say, court records that were sealed to protect witnesses or victims were leaked what kinds of damage that could cause. These are the types of nuances that need to be integrated into these conversations.
3. “Governments should outlaw payments.”
This is a different flavor of “we should all stop paying threat actors,” but perhaps with a nod toward the reality of how we could actually get everyone to stop paying. Unfortunately, again, it’s just not that simple. Many of the arguments are the same as for the point above.
However, one of the main arguments against this approach is that it would be a mass exercise in punishing victims, which most countries aren’t fond of doing in policy. Government officials are always very careful not to confirm or deny what responsibility victims carry during these attacks. But as long as there are nations such as Russia giving their threat actors essentially carte blanche to carry out these attacks, so long as they’re not attacking CIS nations, it doesn’t seem that governments will be outlawing payments.
We are seeing more and more international cooperation and takedowns (like the two mentioned earlier!), so what government agencies will hold victims responsible for – such as sanctions violations – is always evolving, and that is another reason this world is so complex.
Quick Tip: How To Check If Your Accounts Are Being Accessed by Someone Else
TechCrunch published this great guide on how to check for external access to your accounts through the services themselves.
This tells you where to find this information in: Gmail, Outlook/Microsoft, Yahoo, Apple ID, Facebook/Instagram, WhatsApp, Signal, and Twitter (nope, still won’t call it X).
We always love to see truly useful articles that help people stay safer!
DAR in the Wild (Events with DAR)
We're planning on some great events coming up, such as...
September 30 - October 2: NetDiligence Cyber Risk Summit
We'll be at NetDiligence's Cyber Risk Summit in Philadelphia. If you haven't been, this is one of our favorite events in the industry and we'd love to see you there.
That's all for now!
Thanks for taking the time to read this newsletter. If you have requests of what you'd like to see more, less, or anything else, please reach out!