ISMG Editors: Ransomware Groups Aiming for Smaller TargetsAlso: BEC Attack Headaches and Inside the Nomad Bridge Hack
In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity and privacy issues, including key takeaways from ISMG's recent Government Summit, how hackers siphoned nearly $200 million from cryptocurrency bridge Nomad and how midsized businesses are the new frontier for ransomware demands.
The panelists - Anna Delaney, director, productions; Tom Field, vice president, editorial; Mathew Schwartz, executive editor, DataBreachToday & Europe; and Rashmi Ramesh, senior subeditor, global news desk - discuss:
- Highlights from ISMG's recent Government Summit;
- How dozens of hackers converged on trading platform Nomad to drain nearly $200 million in digital assets held by the U.S. cryptocurrency firm in an attack described by an observer as a "frenzied free-for-all";
- How ransomware groups are moving away from targeting larger enterprises and instead attacking midsize and smaller organizations.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the July 22 edition discussing how the FBI clawed back cryptocurrency ransoms paid to North Koreans and the July 29 Privacy Special edition with Lisa Sotto.
Anna Delaney: Hello, welcome to the ISMG Editors' Panel. I'm Anna Delaney and this is a roundup and analysis of the week's top stories with some of ISMG's leading journalists. Introducing today's team: Tom Field, senior vice president of editorial, Rashmi Ramesh, senior sub editor for ISMG's global news desk and Mathew Schwartz, executive editor, DataBreachToday and Europe. Great to see you all. Rashmi, where are you? Looks amazing. I want to jump in.
Rashmi Ramesh: So, I am currently in India's Northeastern state of Meghalaya. Behind me is a living root bridge, which is a suspension bridge made entirely of live roots of trees around it. Most of them are about 500 years old and there are many of these in the state. I think this specific one is about 180 years old, so quite young.
Delaney: Yeah, quite young.
Tom Field: By Indian standards.
Delaney: Tom, very different backdrop to Rashmi's.
Field: Also quite young. Yes, this was flying en route from Washington DC to New York City last week and spent a little time circling around Manhattan and Manhattan was kind enough to pose.
Delaney: Very good, and Mathew, back in the wild.
Mathew Schwartz: Back in the wilds of Dundee, Scotland. Yes, the nation's fourth-largest city. This is the law, which is a hill in Scots and this is the largest hill in Dundee. There's a war memorial on the top. But it's a lovely walk to get up, especially when there's a beautiful weekend like we just had.
Delaney: Gorgeous. And I'm back to showcasing the South of France in a marvelous quaint town called Ramatuelle. It's my favorite time of the day: dusk, aperol o'clock.
Delaney: Tom, how does it feel not to be flying this week and to be grounded?
Field: It is good. It's been a busy month between what we had in New York, Healthcare Summit, we had a Washington DC Government Summit, Roundtables in Chicago, in Charlotte and New York, and wherever else I'm forgetting. It's good to be home for a little bit. But it's a good time to reflect as well on everything that I've been privileged to see over the past month or so.
Delaney: So, talk to us about Government Summit or other Roundtables. What were some highlights for you?
Field: I think the Government Summit was important. It's the first time we've been back in Washington, DC since December of 2019. A lot has changed since then, particularly, we've had the 2021 Executive Order from President Biden that handed down mandates about zero trust and multifactor authentication and public-private partnerships. And these themes were strong. At our event last week, I was pleased to see great representation on our stage from the alphabet agencies, CISA, NSA, FBI, Secret Service, we had excellent leadership there, and we did talk about the progress that agencies have made in moving forward with zero trust architectures. And it was good to get beyond the conversation of what is zero trust, what's misunderstood about zero trust, to hear how organizations are pursuing it and the challenges that they're having with connected devices that we don't think about, including the Defense Department weaponry. So, excellent conversations on the stage about that. The theme of public-private partnership beyond this is something we need to do. And this is something that government wants to hear that the private sector is ready for this and pursuing this now. And there are technologies that are available to not only ensure real-time data sharing, but to anonymize that data. So no particular organization is exposed and everybody wants the same thing. We want to see what's coming so they can be able to respond proactively and not just check and say "you saw what we saw." So, encouraging to see that that was a consistent theme throughout the day. I say one of the other topics that I found fascinating was seeing the Secret Service and the FBI coming together to talk about business email compromise. This gets overlooked. This Matt will tell you. Ransomware gets the headlines every time. Everyone is attracted to the ransomware drama. Phishing within organizations gets the attention of security leaders just because the volume of phishing attempts but business email compromise consistently is taking billions of dollars from organizations every year. And those are just the cases that are reported. So many aren't reported. Now, the concern from law enforcement is that these cases are continuing to grow. And as Rashmi knows, as the cyber criminals move more toward cryptocurrency, once this money is taken, transferred and gone, it's a lot harder to get back now and it moves a lot faster. So, there's urgency on the part of law enforcement to find out about these incidents as quickly as possible so they can respond. And if they can respond quickly, they can return a lot of this money. Now I bring this up, because just last evening, I hosted a Roundtable event with abnormal security on email-borne threats. And we talked a lot about business email compromise. Significant organizations in the room, JPMorgan Chase, Blue Cross Blue Shield, other financial institutions said the email-borne threats are a top priority for their organization, as one of the leaders said, "This is a main control for us." And yet, they all have got significant concerns about their defenses. There's a feeling that they're trying to respond to 2022 threats with 2012 technology. And they're particularly concerned about third-party relationships. Certainly, once someone gets into a third party, they're already trusted. And then they've got access to their own systems. And then what I'm seeing and hearing from the security leaders is a change in attitude. 10 years ago, I would go to these Roundtables and we would talk about phishing exercises, for instance, you phish your employees and you see who clicks on the suspicious link or opens up the attachment. And the reporting click rates are always very high. And the discussion then was "okay, if you have someone that consistently clicks on these links, and opens these attachments, what do you do?" Do you discipline them? Is termination, ultimately, an objective if you've got someone that's consistently exposing him? That's changed, it's turning now into how can we get people to not be scared of us and to report these things sooner, even if they do click on that link or open that attachment? The security leaders are trying to bring the employees more on their side and report these things so they can respond a lot sooner. And that's a significant change in the attitude of organizations. So, over the past few weeks, those are the types of things that I've been observing.
Delaney: And Matt, at our recent UK Summit, I think there was a lot about the change of attitude and helping our employees, and how psychology plays a big part of that.
Schwartz: Yes, one of the things that I hate to hear and we're hearing less of it now is that humans are the weakest link. And I think that says more about the person saying it than it does about the reality and the imperative today. In an ideal world, I always say none of us would have to screw around with password managers or cybersecurity best practices, everything would just work and be secure. If engineers can't build systems that do that, if they're relying on people to help, they need to do more than meet them halfway. And I think there needs to be a real attitude shift still that posits users not as a hindrance, but as people that you need to work with. And so, we've been hearing a lot more about that, a lot more attempts to study psychology, how we work, how we tick, because certainly, criminals are studying that. They're expert at how to hack the human. So, we all need to do a better job. And like you said, there's a lot of good motion and thinking and initiatives around that. Although, still in engineering-first mindset, I think too often. So there's a little ways to go.
Delaney: And Rashmi, you recently took part in a summit in Bengaluru. I'm not asking you for an analysis because I know how much has happened in between, but was there a dominant theme of the day for you?
Ramesh: The one thing that stood out to me was that every single person that I spoke to after the summit said that “we attend a lot of summits over the years, and we've attended a lot of summits after the pandemic because you finally you get to socialize. But the one thing that ISMG stands out with their summits is that every single session had something that I could implement in my company.” So they spoke to the speakers after the event. They had a chat with each other. We did a lot of leadership interviews. But that made a lot of difference because people had lots of implementable takeaways after the summit. And I think that's the point of all of this.
Delaney: Tip to our organizers. That is fantastic to hear. So the next is in New Delhi, I believe.
Ramesh: 24th, yeah.
Delaney: 24th of August. Rashmi, you have a fascinating story this week. It's been described as the chaotic viral Nomad attack. Talk us through the sort of frenzied, free-for-all hack.
Ramesh: Yes. So, this week, the hackers drained about 190 million from a cross-chain bridge called Nomad, so it was one of the biggest hacks of the year in the space. And the biggest was Iranian network about at around 600 million, followed by Wormhole around 300 million. But what stands out to me, as a trend, is that there's been a lot of action in the blockchain bridge space, two billion worth of action. So that's how much has been lost in blockchain bridges attacks this year. And it's the first week of August now. So this is the number four in the last seven months and 69% of all crypto thefts this year have happened on cross-chain purchase. So, that's chainalysis. But it's crazy. Like a technology application you haven't probably even heard of back in 2020 is now causing such significant damage. So, the obvious questions that came up to me when I looked at it as a trend were why are these bridges such an attractive target for criminals? Why now? And how do we secure them? And this is where I drop a plug for a story that I'm currently working on, where blockchain security experts answer all of these questions. But for you, here's a little bit of a sneak peek. Why are crossing bridges a target? To understand that, we need to understand what they are. Crossing bridges allow users to exchange digital assets like crypto tokens between otherwise siloed blockchains. For instance, if I have a token and blockchain A and I want to token in blockchain B, I would send token A to a bridge protocol where the funds will be locked into a contract as collateral and I will be issued a wrapped token B equivalent to the value of token A. So the rap token is like a representation of my funds like a gift card also. So I can redeem it for token B or just go through the same process in reverse to get token A back. Now, the funds locked into the contract have to be stored in a reserve. That reserve, if not stored with proper security measures can become a treasure trove for hackers. And this is just one of the many vulnerabilities that are plaguing bridges right now. So I'll stop here for now, and hope that your interest is piqued enough to read my story.
Delaney: I think you have whetted our appetites. Thank you, Rashmi. But also, what's interesting about this is there's no one culprit, no one group. There's 40 or so exploiters. And it's a curious case of the better criminals are going to get away with this, but some less experienced decided not to conceal their real-life identity. So what's next is law enforcement on the case?
Ramesh: Apparently. So, we don't know yet. But the company has said that they have contacted law enforcement. They've got blockchain forensics team working on it. They've got white hat hackers who have apparently taken some of the money for safekeeping. There's no protocol yet on how they can return the funds. But that apparently is in progress.
Delaney: Call to action to our audience. Here is Rashmi.
Field: Rashmi, could I get you to do a promotion? A teaser for the next interview I do? I think I need you. Matt, how about you? Let's get Rashmi on our side here?
Schwartz: Definitely. We'll be in touch, Rashmi.
Delaney: So Matt, what's happening on the ransomware scene I hear is not so good news for SMEs.
Schwartz: That's correct. It's always not so good news. And to amplify what Tom was saying, business email compromise attacks, phishing, when you look at the total volume of damage being caused, bear in first and second place. Now ransomware gets a lot of attention. And I think that's probably because of the disruptive elements of it. I do worry sometimes we focus on it too much. Russian hackers wielding nasty code against corporate America, corporate Britain, corporate everybody. It's a hard story to not pursue, but it's important to remember that it's one of the various types of cybercrime that's been happening, and it's interesting as well, because the business model being wielded by ransomware groups, individuals, sometimes continues to get tweaked in order to cause maximum profit for the criminals at the expense of the victims. So, SMBs have been a particular focus of these groups, following on the disastrous Colonial Pipeline hack in May 2021, which disrupted the pipeline, not directly, but because the pipeline took its billing system offline. And because you couldn't make money because systems were disrupted, it caused panic: long lines to buy gasoline, a very unhappy President Biden decrying these attacks, and much more focus on a law enforcement front for disrupting these groups. So, what we've seen is that the big brands appear to be under pressure. One of the big groups that was left, DarkSide flamed out after it attacked Colonial Pipeline, the REvil Group, also known as Sodinokibi hit big targets in the middle of that last year, appears to have been targeted, possibly by US Cyber Command and disrupted. It's gone by the wayside. Conti managed to hang on until this spring, when it disastrously backed, as in Putin's invasion of Ukraine, which I heard at RSA Conference in San Francisco, could have led to a change in its legal status. Thus, it was believed to have been a cyber criminal operation before. I suspect, nobody has given me proof of this. But I expect that US Cyber Command, NSA said "They've come out in support of Russia's war, or I think they're a target." And what did happen is that fewer victims were paying Conti because Conti had said it was an extension of the geopolitical aims of Moscow. So, a lot of damage caused there by this support. And Conti, unfortunately, appears to have been smart, it started up a number of brands, and then later announced that it was shutting down. So, it's not clear to what extent Conti has gone away since it's shut down. But what we have seen is that brands such as Conti, and some of the other big brands appear to be a big target. And that's good news because it means that smaller operations are having to spin up to try and stay under the radar of law enforcement. And smaller is better, because they have a harder time hitting so many victims, things that Conti used to do was to provide centralized services. So groups such as Conti - not all of them did all these things - but they would negotiate with all the victims, for example, they would possibly engage call centers to phone victims and put on pressure or to phone the customers evicted from pressure. And there is this centralized operation, a lot of bang for the buck to bring pressure. The fact that these big brands now are under fire means that it's harder to have these large operations and things are being left in the hands of individual attackers, typically affiliates or business partners have these ransomware operations, that means they're not going to be able to do so many of these things, it's going to be harder for them to make attacks that end up with them getting paid. All of that is great news. As you said, the criminal groups that hit big victims tend to get big law enforcement attention. So, they've been looking at more small and mid-sized groups. And unfortunately, the ransomware incident response firms who track these attacks, say that the SMBs are under fire. And they've got relatively less spend on their cybersecurity, relatively less expertise. So this is a great reality for businesses of this size. And it's a good reminder that anybody can and potentially will get hit by ransomware. So, everybody should be putting the right defenses in place.
Delaney: I'm not sure if you came across it yet. But this week, the Atlantic Council published some interesting recommendations with a surge of ransomware attacks and some sound suggestions, including legislation, mandatory reporting of all ransomware incidents, but also tax relief programs for SMBs to encourage them to implement best security practices, and also employ people with cybersecurity expertise. So, what do we do with the SMEs? Because I don't know about the rest of the world, but apparently in the UK, they comprise 99% of our economy. And as you say, perhaps no CISO, no SOC, no security budget, what do we do?
Schwartz: They're a huge part of the critical infrastructure. Often, we think of massive organizations being critical infrastructure. But it can be as small as a municipality wastewater treatment plant. It's got 40-year old equipment that's been hooked up to the internet and is suddenly at risk of somebody remoting in and doing something bad. Great points. It's all fine and dandy to talk about the threat posed by ransomware. But what we're increasingly seeing is not a law enforcement focus, increasing diplomatic efforts, but also a focus on resiliency. And that means getting domestic organizations to up their game. And that needs to include a lot of things that needs to include tax credits, because money is tight, especially at the moment. So, what can be done to create incentives to get better cybersecurity in place? I think mandatory reporting should also be mandatory. We simply don't know about so much of this ransomware problem because the criminals with their business model have designed things in a way to get victims to pay quickly and quietly. If the FBI doesn't learn about attacks, it doesn't know maybe which groups are the worst, or the tactics they're bringing to bear. All of this helps criminals operate from the shadows, which is what they want to do. That is the best way for them to keep making a payday and ransomware has been lucrative. So these initiatives to bring light to the actual problem are essential because people are not stepping up and doing it on their own.
Delaney: Here we are voting Mathew Schwartz for president.
Field: Prime Minister, today.
Schwartz: Britain's shorter Prime Minister.
Delaney: There is a job for you there. Apply now.
Schwartz: I'll be like the Elon Musk of prime ministerial.
Delaney: Finally, imagine a world where instead of writing and analyzing cybersecurity stories, you are putting your hand into creating a solution for all the challenges we discuss. You are the founder and/or CEO of the latest cybersecurity company on the market. What would you call it? Oh, Tom, are you ready with the branding?
Schwartz: Wow. I feel on equal to this.
Field: That would be Initech.
Field: If you're a fan of the 1990s film Office Space, you'll know exactly what I mean. If you don't know it, I'll send you the memo. Did you receive the memo, Anna?
Field: I'll get the memo.
Delaney: You need to send it.
Ramesh: I want to take Tom's word on camera that I won't get fired for what I'm about to do. Do I have it?
Field: I'll send you the memo as well.
Ramesh: I'll give you two clues and two seconds to get the name of my company. The first clue is I like puns and I cover crypto. And the second clue is Superman can never be near my company. So what is my company's name?
Schwartz: Pun alert! Kryptonite!
Ramesh: Yes. Perfect.
Delaney: Like it. I'm surprised that's not on the market yet. That's a good one.
Schwartz: I'm imagining a vivid green logo.
Schwartz: I've got nothing so good as either of those. Mine is going to be the Cyber Bomb. Why? Because it's the Cyber Bomb.
Field: The one that can get funding.
Delaney: I was going to turn to Greek mythology for some information. Cerberus, the vile three-headed dog who's guarding the gates of the underworld. If that can't scare hackers away, what can?
Schwartz: Add a crypto before it and I think you've got funding as well.
Delaney: Will have to work on it maybe. Well, I look forward to seeing all these products online soon. Thank you very much, everyone. Matt, Rashmi and Tom. It's been a pleasure.
Schwartz: Yours in branding Anna.
Field: We will send you the memo.
Delaney: Fantastic. Look forward to it and thank you so much for watching. Until next time.