Best Infosec-Related Long Reads of the Week, 1/21/23
Infiltrating the LockBit gang, That funny feeling online chatbots can pass the Turing test, Time to start protecting submarine cables from threats, The meaningless advice to not pay ransoms
Metacurity is pleased to offer our free and paid subscribers this weekly digest of long-form infosec pieces and related articles that we couldn’t properly fit into our daily crush of news. Tell us what you think, and feel free to share your favorite long-reads via email at info@metacurity.com. We’ll gladly credit you with a hat tip. Happy reading!
Ransomware Diaries: Volume 1
Jon DiMaggio of Analyst1 tells the incredible story of how he spent months developing several online personas to gain access to the LockBit ransomware gang’s operation to learn more about the human side of the operation and the insights, motivations, and behaviors of the individuals on the other side of the keyboard.
Stealing and threatening to sell or release a victim organization’s sensitive data is often more damaging than encrypting their systems with ransomware. The data theft extortion tactic is lucrative for criminals but requires additional work and resources. For example, criminals must either know which data is most sensitive or steal a lot of it to ensure they have the most critical information. Transferring large amounts of data is noisy and often detected; this can be a problem for an adversary who wants to execute the attack quickly and efficiently while remaining undetected in the victim’s environment. While LockBit’s ransomware payload is one of the fastest data encryptors, it initially relied on legitimate publicly available tools, such as Rclone, to steal and exfiltrate data which was cumbersome and added time to the attack.
To address the issue, LockBit developed its own data exfiltration tool called “StealBit,” which is available to all affiliates supporting their program and is faster than Rclone. StealBit also includes built-in defense evasion techniques and can delete itself after use. LockBit made StealBit available to affiliates directly from the admin panel used to manage their ransomware attacks. This minor detail is important because it provides the attacker with a central management console that incorporates many attack features within a single graphical interface. This reduces the overhead and complexity of conducting ransomware attacks. Later, in April 2022, while conducting research for this paper, I received screenshots directly from LockBit showing the attacker’s view of the StealBit management console. While some of the features in this screenshot were not available in 2021, it provides context into how easy LockBit has made it to steal data from its victims.
How Smart Are the Robots Getting?
The New York Times’ Cade Metz offers this in-depth look into the new wave of online chatbots that makes it feel like machines have passed the human-detection Turing test, named after famed British code-breaker Alan Turing.
Bots like Franz Broseph have already passed the test in particular situations, like negotiating Diplomacy moves or calling a restaurant for dinner reservations. ChatGPT, a bot released in November by OpenAI, a San Francisco lab, leaves people feeling as if they were chatting with another person, not a bot. The lab said more than a million people had used it. Because ChatGPT can write just about anything, including term papers, universities are worried it will make a mockery of class work. When some people talk to these bots, they even describe them as sentient or conscious, believing that machines have somehow developed an awareness of the world around them.
Privately, OpenAI has built a system, GPT-4, that is even more powerful than ChatGPT. It may even generate images as well as words.
And yet these bots are not sentient. They are not conscious. They are not intelligent — at least not in the way that humans are intelligent. Even people building the technology acknowledge this point.
Cybersecurity Under the Ocean: Submarine Cables and US National Security
Justin Sherman, a nonresident fellow at the Atlantic Council's Cyber Statecraft Initiative and a senior fellow at Duke University's Sanford School of Public Policy, offers this twenty-page paper about the security and resiliency risks faced by submarine cables, which carry 95 percent of intercontinental internet traffic.
Citizens, the private sector, and the government have a stake in safeguarding the security and resilience of submarine cables. Enabling unfriendly foreign actors to spy on internet traffic can undermine US national security and enable other malicious activities, like the theft of trade secrets and other proprietary company and scientific information traversing the internet. Communications disruptions could also cause public backlash, degrade people’s ability to access online services, and undermine economic and national security once business, government, and other communications are slowed. It is also in the government’s interest to ensure damaged cables are repaired quickly—especially given that, again, most publicly recorded cable disruptions are due to natural weather events or accidents.
Policy makers have several options available to better protect the security and resilience of submarine cable infrastructure. Congress should statutorily authorize Team Telecom to provide it with the necessary funding, review authority, and formal structure to better screen foreign telecoms that own cable infrastructure. A lack of funding for both CFIUS and Team Telecom has led many of the agencies working on both groups to focus more on CFIUS reviews. The review committee has additionally lacked a formal structure for conducting security reviews and a formal process for monitoring company compliance with security agree-ments. Congress should also consider increasing the funding for the Cable Security Fleet— given the importance of rapid cable repairs to internet connectivity, economic security, and national security.
Lessons from Down Under's Data Disasters Pt. 3
Ciaran Martin, former head of the UK’s National Cyber Security Centre and currently a professor at Blavatnik School of Government at the University of Oxford has the third in a five-part series looking at the implications of two major data breaches in Australia in the period September to November 2022, this time examining more closely the topic of paying ransoms.
It is easy for public authorities to ‘advise’ companies not to pay. That advice is genuine but, to a company in serious crisis, it is often meaningless. Governments understand this, and sometimes the don’t pay ‘advice’ is accompanied by thoughtful nods indicating that the authorities understand if the organisation takes the ‘wrong’ decision.
That is why stories like the Harris Federation’s gloriously stubborn refusal to pay - and saving money in the process - are so important. It is why understanding that extortion for availability and extortion for data protection are completely different things is so important. It’s why the Barracuda research that 80 per cent of organizations who paid got hit again is so important. It’s why research such as that by Hiscox Insurance, which shows that 29 per cent of victims of data extortion who paid up still had some data leaked is so important.
It’s also why the national dialogue in Australia about how to report and discuss the Medibank fiasco responsibly is so important (the subject of the next post in this series in two week’s time).