CyberWire Daily

Piercing through the fog. [Research Saturday]

Kerri Shafer-Page from Arctic Wolf joins us to discuss their work on "Lost in the Fog: A New Ransomware Threat." Starting in early May, Arctic Wolf's Incident Response team investigated Fog ransomware attacks on US education and recreation sectors, where attackers exploited compromised VPN credentials to access systems, disable Windows Defender, encrypt files, and delete backups. Despite the uniformity in ransomware payloads and ransom notes, the organizational structure of the responsible groups remains unknown. The research can be found here: Lost in the Fog: A New Ransomware Threat
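The chain the show notes and the interview describe (compromised VPN credentials, pass-the-hash with administrator accounts, RDP to Windows servers running Hyper-V and Veeam, PsExec, Windows Defender disabled) leaves a recognisable trail in the Windows event logs of the targeted servers. The script below is an added example for this page, not Arctic Wolf's tooling or anything from the report: it runs three heuristics over constructed event records and groups the hits per host. The hostnames, account names, addresses and sample records are all constructed for the example; the event IDs it keys on (Security 4624 logon, System 7045 service installed, Microsoft-Windows-Windows Defender/Operational 5001 real-time protection disabled) are standard Windows ones.

```python
"""Triage heuristics for the Fog intrusion chain: privileged logons to the
Hyper-V/Veeam servers, a PsExec service install, Defender switched off.

Added example for this page, not Arctic Wolf's tooling. Hostnames, accounts,
addresses and the sample records are constructed. Event IDs are standard
Windows ones: Security 4624 (logon), System 7045 (service installed),
Microsoft-Windows-Windows Defender/Operational 5001 (real-time protection off).
"""
import json
from collections import defaultdict

# Assumed for the example: the admin accounts and the backup/virtualisation
# servers the interview describes as the attackers' targets.
PRIVILEGED_ACCOUNTS = {"svc-admin", "administrator"}
BACKUP_AND_VM_HOSTS = {"hv01", "veeam01"}

# Constructed event records, one JSON object per line (a typical SIEM export).
SAMPLE_EVENTS = r"""
{"ts":"2024-05-02T01:12:03Z","host":"hv01","channel":"Security","event_id":4624,"logon_type":3,"auth_pkg":"NTLM","account":"svc-admin","src_ip":"10.20.0.44"}
{"ts":"2024-05-02T01:13:10Z","host":"hv01","channel":"Security","event_id":4624,"logon_type":10,"auth_pkg":"Negotiate","account":"svc-admin","src_ip":"10.20.0.44"}
{"ts":"2024-05-02T01:15:42Z","host":"veeam01","channel":"System","event_id":7045,"service_name":"PSEXESVC","image_path":"%SystemRoot%\\PSEXESVC.exe"}
{"ts":"2024-05-02T01:16:05Z","host":"veeam01","channel":"Microsoft-Windows-Windows Defender/Operational","event_id":5001}
{"ts":"2024-05-02T08:01:00Z","host":"ws-lib-07","channel":"Security","event_id":4624,"logon_type":2,"auth_pkg":"Kerberos","account":"jdoe","src_ip":"127.0.0.1"}
"""


def rule_privileged_remote_logon(ev):
    """Security 4624 on a Hyper-V/Veeam host by a privileged account.
    LogonType 10 is RDP. LogonType 3 over NTLM is the shape pass-the-hash
    produces; it is only a heuristic, because legitimate SMB admin traffic
    looks the same, so it needs correlating with the other stages."""
    if ev.get("channel") != "Security" or ev.get("event_id") != 4624:
        return None
    if ev.get("host") not in BACKUP_AND_VM_HOSTS:
        return None
    if ev.get("account") not in PRIVILEGED_ACCOUNTS:
        return None
    who = f"{ev['account']} from {ev.get('src_ip')}"
    if ev.get("logon_type") == 10:
        return "rdp_logon", f"RDP logon by {who}"
    if ev.get("logon_type") == 3 and ev.get("auth_pkg") == "NTLM":
        return "ntlm_network_logon", f"NTLM network logon by {who} (possible pass-the-hash)"
    return None


def rule_psexec_service(ev):
    """System 7045 'A service was installed': PsExec drops PSEXESVC on the target."""
    if ev.get("channel") != "System" or ev.get("event_id") != 7045:
        return None
    name = (ev.get("service_name") or "").upper()
    path = (ev.get("image_path") or "").upper()
    if "PSEXESVC" in name or "PSEXESVC" in path:
        return "psexec", f"service {ev.get('service_name')} installed from {ev.get('image_path')}"
    return None


def rule_defender_disabled(ev):
    """Defender/Operational 5001: real-time protection was turned off."""
    channel = ev.get("channel") or ""
    if channel.startswith("Microsoft-Windows-Windows Defender") and ev.get("event_id") == 5001:
        return "defender_disabled", "Defender real-time protection disabled"
    return None


RULES = (rule_privileged_remote_logon, rule_psexec_service, rule_defender_disabled)


def triage(jsonl_text):
    """Run every rule over every record; return findings in time order."""
    findings = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for rule in RULES:
            hit = rule(ev)
            if hit:
                stage, detail = hit
                findings.append({"ts": ev.get("ts", ""), "host": ev.get("host", ""),
                                 "stage": stage, "detail": detail})
    findings.sort(key=lambda f: f["ts"])
    return findings


def hosts_with_multiple_stages(findings):
    """Hosts where two or more distinct stages fired: a single NTLM logon is
    noise, a logon followed by PsExec or Defender going dark is an incident."""
    stages = defaultdict(set)
    for f in findings:
        stages[f["host"]].add(f["stage"])
    return {host for host, seen in stages.items() if len(seen) >= 2}


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['ts']} {f['host']:8} {f['stage']:20} {f['detail']}")
    print("escalate:", sorted(hosts_with_multiple_stages(found)))
```

Run against the constructed sample, the two hv01 logons, the PsExec install and the Defender event fire in sequence, the workstation's interactive Kerberos logon does not, and both servers are flagged for escalation. The stage-count grouping is the part worth keeping: each rule on its own is noisy in a real environment (admins do use RDP and PsExec), while the same host showing a privileged remote logon and then Defender being switched off is close to unambiguous.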

Learn more about your ad choices. Visit megaphone.fm/adchoices

Duration: 17m
Broadcast on: 22 Jun 2024
Audio Format: mp3


You're listening to the CyberWire Network, powered by N2K.

When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA, and more, saving you time and money. In Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flo Health, and Quora use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Kerri Shafer-Page: On and around early May, around May 2nd, Arctic Wolf began monitoring deployment of the new ransomware variant referred to as Fog. What we saw was that, across victim organizations, most of them were in the U.S., with about 80% of the victims in the education sector and about 20% in the recreation sector.

Dave Bittner: That's Kerri Shafer-Page, Vice President of Digital Forensics and Incident Response at Arctic Wolf. The research we're discussing today is titled "Lost in the Fog: A New Ransomware Threat."

Kerri Shafer-Page: So the threat actors showed an interesting rapid encryption of VM storage data, and then ransom payment for decryption of the said data. So this is pretty common, but what we didn't see is the actual exfiltration. And something I should point out too when it comes to the education sector: this is often an understaffed and underfunded sector, right? So they don't have a lot of IT support. So it's an easy target for them, not to have all the security operation controls they should have in place. So oftentimes, threat actors, when they're able to kind of get a foothold, it's not surprising that once they get into the environment, they're able to move laterally quickly. And then the big thing is being able to elevate their privilege, which is actually how they get to the content of concern, which was the cases that we saw.

Dave Bittner: Well, let's dig into some of the technical details here. I mean, can you walk us through what a typical infection looks like? How does someone find themselves falling victim to this?

Kerri Shafer-Page: Yeah, I mean, even if you have different controls in place, I mean, these were VPN credentials that were compromised as the initial attack vector, right? So in one of the early cases, we saw what's called pass-the-hash activity, where the administrator accounts were subsequently used, and then Remote Desktop Protocol, RDP, connections to Windows servers running Hyper-V and Veeam were used. We also saw credential stuffing. And if you're familiar with that, that's where, you know, often credentials are used across various different applications and not changed, right? So a bot is often used to try to leverage repeatedly going after to try to get in. But in all of the cases, we actually saw where PsExec was deployed to several of the hosts, and then again, RDP and SMB were used to access those targeted hosts.

Dave Bittner: And you say that they want to get in here sort of quickly and do the things they're going to do. Does that mean that in that process they're also being particularly noisy?

Kerri Shafer-Page: In some cases. I mean, that's where it's awesome to have security operations in place and an MDR-type solution where, you know, any abnormal network traffic is actually detected. But in some cases, you know, they can be quite stealthy, right? You do see, we didn't see it in this particular instance, but you do kind of see where threat actors will come in and there's what's called, you know, a long dwell time, right? Where they're watching the patterns and the behaviors of the end users and the environment and figuring out how best to leverage and get to where they want. So even with the right credentials and controls in place, right, we often see that if you've got good protection on the front end, but they've gotten in and moved laterally, they're not, you know, protecting against the privilege escalation, which is the biggest thing, right? In order to get, you know, whether it's domain admin or any type of credential like that that allows them to get to the data, we often see that's where organizations fall down from a structure standpoint and keeping those controls current.

Dave Bittner: And what are you seeing in terms of the ask, a dollar amount for a ransom? Do you have data there?

Kerri Shafer-Page: Well, we can't disclose on our cases what the financial ask is, but, you know, they're, you know, ultimately thread and the nice thing about Arctic Wolf as well, we have a threat actor communication team, right? So ideally you always want a client not to have to pay, but as we all recognize, especially when you're dealing with data as sensitive as education, right, where you have a lot of PII, there may be a need for a client to have to pay. So in that case, it's that negotiation piece that takes over, but ultimately you're always going into it with the communications with the client to say, look, ultimately, you'd like not to pay, and if they have to, then it's about that negotiation piece that comes in, right? How do we reduce that ransom if they do have to? And then it's also making sure, too, there's this concern. It's called double extortion, right? In some cases, unfortunately, you see a client pay because they need a decryptor key, and then they turn around and they've paid for that. They may be able to unlock their data, but a threat actor has exfiltrated a version, a copy of it, and they still release it to the dark web, right? So I'm talking in general of what you see when you have those concerns about negotiation with the threat actor. We have not, in these circumstances, seen any evidence of double extortion here.

Dave Bittner: We'll be right back.

And now a word from our sponsor, KnowBe4. It's all connected, and we're not talking conspiracy theories. When it comes to InfoSec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBe4's SecurityCoach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike, and Cisco, 35 vendor integrations and counting. SecurityCoach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real-time coaching campaigns targeting risky users based on those events from your network, endpoint, identity, or web security vendors. Then, coach your users at the moment the risky behavior occurs, with contextual security tips delivered via Microsoft Teams, Slack, or email. Learn more at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach, and we thank KnowBe4 for sponsoring our show.

Dave Bittner: I guess where I'm coming at this from is, you mentioned at the outset that the education sector in particular is often underfunded, and so I'm curious, do we see a comparatively low ask relative to other ransomware situations that we've heard of, perhaps taking into mind that the education sector is underfunded and would not be able to fund a big ransomware ask? You see where I'm going with that?

Kerri Shafer-Page: I totally see where you're going, and you're right. I mean, sometimes you do see threat actors have a heart, right, where they'll, you know...

Dave Bittner: It's a funny thing to say, isn't it?

Kerri Shafer-Page: Exactly. They'll feel bad. "Oh, no, I hit a children's hospital, maybe we'll do something different." But yeah, we have not seen that apply to these circumstances.

Dave Bittner: So yeah, they don't seem to have a sensitivity there.

Kerri Shafer-Page: Yeah.

Dave Bittner: And you mentioned exfiltration. Are we actually seeing exfiltration, or is it just the ransoming itself, the locking up of the data?

Kerri Shafer-Page: Yeah. We have not seen any exfiltration. It's just been the encryption, and that's where I was using that kind of smash-and-grab, right? It looks like they're getting in and, unfortunately, because of the vulnerable opportunity, or network, I should say, they're able to kind of laterally move quickly and get that encryption taken care of.

Dave Bittner: I see. Well, can we dig into some of the technical details here? I mean, that's something that you and your colleagues have shared the information on. What are some of the highlights that you think folks should be aware of?

Kerri Shafer-Page: You know, I think it's definitely, I mean, it's not unusual. We said that. So it didn't surprise us that we didn't see exfiltration, probably not. But I think what's most surprising to me is, again, it's the controls that we hope that, you know, organizations and clients kind of have in place, right, that, you know, you go through and even if you have an incident response plan, you know, people aren't turning around and updating those. It's just like you change the, you know, batteries in your smoke alarms, right? That needs to be a consistent thing that happens. So I think, you know, that's what really needs to kind of be taken into account, is that, you know, especially when you're talking about VPN credentials, I mean, a lot of times that starts potentially, if it's not a product, you know, it starts with the end user. So it's the education, it's the security awareness of them on, you know, how they're setting their passwords. Are you using a phrase? They're simple things of education that can happen with the end user. And then I think it's also, even if you have a small IT department, that I referenced even for the education sector, it's like, where are you spending your money, right? Like, if you only could have, you know, one or two people that support it, make sure you're doing the controls that manage, you know, that matter. Make sure you're doing the identity and the access management, again, locking down privilege on devices that people don't need to have access to, using LAPS. There's, you know, there's a lot of different means in order to organize that. And then, you know, you asked the question earlier with the abnormality of traffic. I think that's a really important one, right? If you could have any type of EDR solution or monitoring that's in place in order for you to help detect, you know, that type of abnormal traffic, like, how do you react to it? Or do some basics, depending on whatever budget you come from, in whatever sector, that's important to work through. And even if you're, you know, having to get consult, if you were, you know, Arctic Wolf will do this as well, but a lot of IR firms do, you know, sitting down with a client and helping them go through these preventative steps, right? What do I need to do from a prevention and awareness standpoint so that I'm not the next victim?

Dave Bittner: Yeah. When you look at this particular ransomware payload, how do you rate its sophistication?

Kerri Shafer-Page: You know, it's hard to tell here too if this is one actual threat actor. As you know, you know, ransomware as a service is big business. You know, what we have seen from the casework that we analyzed is we do see a shared functional code block between the ransomware payloads. So definitely we consider that involvement from a, you know, a common entity. I would say it's, you know, not overly sophisticated, but it definitely, you know, was coming from somebody that knows what they're doing, and enough that the execution is achieving what they wanted to do, right, when it comes from an encryption standpoint. So, you know, evidence is definitely tying these cases to, you know, potentially one sole threat actor, but it's not yet conclusive. So it'll be interesting to see if they're still, you know, now that they know they've gotten the attention, right? I think there's a lot of media that's picked it up. It'll be interesting if they take, you know, a greater stance and start attacking more, like we saw in the past with some other players like Cactus and others, or, you know, even if they start, you know, identifying themselves, right, as to who they potentially might be an affiliate of.

Dave Bittner: And how would you rate currently the scale of this threat? How widespread are you seeing this?

Kerri Shafer-Page: I mean, we've seen a fair amount of, you know, our own casework that we worked, but, you know, I can't actually, you know, comment on, you know, our peer industry teams, of what they're seeing. I don't know if there's enough evidence yet that's kind of, you know, been correlated to substantiate that.

Dave Bittner: Our thanks to Kerri Shafer-Page from Arctic Wolf for joining us. The research is titled "Lost in the Fog: A New Ransomware Threat." We'll have a link in the show notes.

Enterprises today are using hundreds of SaaS apps. Are you reaping their productivity and innovation benefits? Or are you lost in the sprawl? Enter Savvy Security. They help you surface every SaaS app, identity, and risk, so you can shine a light on shadow IT and risky identities. Savvy monitors your entire SaaS attack surface to help you efficiently eliminate toxic risk combinations and prevent attacks. So go on. Get savvy about SaaS and harness the productivity benefits, fuel innovation while closing security gaps. Visit savvy.security to learn more.

Dave Bittner: And that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. They make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.

Strata is your solution for securing on-prem and cloud apps without the hassle of refactoring. Modernize legacy systems with MFA or passwordless authentication and ensure continuous identity availability across multicloud environments. Say goodbye to tech debt and hello to seamless integration. Strata helps you reduce stress and gain control over your identity architecture, enhancing security and efficiency. Join industry leaders like 3M, Navy Federal, and Kroger, who trust Strata for their identity needs. Visit strata.io/cyberwire to share your biggest identity challenge and receive a complimentary pair of AirPods Pro. Don't miss out, transform your identity management today at strata.io/cyberwire, and our thanks to Strata for being a longtime friend and supporter of this podcast.