Friday Five 6/11
TrickBot indictments, ransomware negotiations, and a massive sting operation using an FBI-run phone network - catch up on all of the week's infosec news with the Friday Five!
1. How an Obscure Company Took Down Big Chunks of the Internet by Brian Barrett
For about an hour on Tuesday morning, one of the largest CDN providers in the world went down, and large portions of the internet went dark with it. The provider, Fastly, fixed the problem quickly, but the outage was a reminder of how fragile and interconnected internet infrastructure is. For background, a CDN caches content on edge servers close to users so that a request does not have to travel all the way to the origin server or cloud platform that hosts the content. Services like Fastly also route traffic across the internet and make sites noticeably faster because most requests are answered from a nearby cache. To limit the blast radius of a future outage, companies are encouraged to work with more than one CDN provider, though that is easier said than done when only three main companies operate in the space.
2. Trickbot indictment demonstrates how one hacking tool built on older malware by Sean Lyngaas
This story traces the history of TrickBot and how it evolved from Dyre, a well-known banking trojan responsible for the theft of tens of millions of dollars before it was disrupted in 2015. The details of how Dyre became TrickBot emerged in a recently unsealed U.S. indictment. That evolution points to the ongoing problem of lax Russian law enforcement toward domestic cybercriminals, and how that leniency lets dangerous malware survive and morph into something more potent. The indictment also contains interesting details on TrickBot itself, such as how Alla Witte, the 55-year-old Latvian woman charged by the DOJ last week, allegedly worked on a ransomware module for TrickBot. The story illustrates how hard it will be to combat ransomware and other malware if the U.S. cannot pressure the Russian government into a more aggressive crackdown on cybercrime.
3. How To Negotiate With Ransomware Hackers by Rachel Monroe
This story looks at the massive growth of the ransomware economy and argues that professionalizing how ransomware incidents are handled can lead to better outcomes for everyone involved. That is a difficult conversation, since there is understandable reticence about making it easier for cybercriminals to get paid. The story draws a parallel with traditional kidnap-and-ransom extortion. There, the best realistic outcome is that the victim is returned unharmed, the kidnappers are paid, the insurer or the targeted individual pays an amount they can afford, and the whole episode prompts an audit that improves practices and reduces the chance of future extortion. The author argues that ransomware should follow the same playbook, and then tells the story of a professional ransomware negotiator and how they have been able to bring about those outcomes.
4. Trojan Shield: How the FBI Secretly Ran a Phone Network for Criminals by Joseph Cox
In a rather remarkable story, the FBI arrested hundreds of criminals in a massive sting operation built around secretly running an encrypted communications app used by criminals. To make the operation work, the FBI took control of the app, Anom, in its early days and helped drive its growth. The operation was a masterclass in patience and distribution, aimed at getting the app into the hands of as many criminals as possible. In total, the operation captured 20 million messages from over 11,800 devices and is a massive win for the agency in its fight against organized crime.
5. How Did the Feds Seize the Colonial Pipeline Ransomware Bitcoins? by Andrew Hayward
After Colonial Pipeline, a large east-coast fuel supplier, paid a ransom to get its systems back online, the DOJ announced this week that it had recovered 63.7 of the original 75 bitcoins paid. The announcement was somewhat surprising, since ransoms paid to cybercriminals are rarely recovered. The money was recovered by tracing the payment on the blockchain from the original address through a chain of other addresses, and ultimately seizing the funds from an address for which the FBI held the private key. As for how the FBI obtained that key, some speculate that the address may have belonged to a crypto exchange or sat on a server within U.S. jurisdiction. The news probably does not signal a major shift, but it is always good to hear about a win in the fight against ransomware.
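To make the "tracing the payment from one address to the next" part concrete, here is a small added example of how a blockchain tracer follows funds across transaction hops. It is not code from the original article, the DOJ, or any real tracing product, and the ledger it works on is constructed sample data with made-up transaction IDs and addresses whose amounts merely echo the 75 BTC paid and 63.7 BTC recovered. It treats every output of a transaction that spends a traced output as traced (the simplest "follow everything downstream" rule) and stops when it reaches outputs that have not been spent yet.

```python
from collections import defaultdict, deque

# Constructed sample ledger for illustration only: fake txids and addresses.
# Each transaction spends earlier outputs (inputs, as (txid, vout) pairs)
# and creates new outputs ((address, amount) pairs, indexed by position).
SAMPLE_LEDGER = [
    {"txid": "tx_ransom",    "inputs": [],
     "outputs": [("addr_attacker_1", 75.0)]},
    {"txid": "tx_hop1",      "inputs": [("tx_ransom", 0)],
     "outputs": [("addr_affiliate", 11.3), ("addr_attacker_2", 63.7)]},
    {"txid": "tx_hop2",      "inputs": [("tx_hop1", 1)],
     "outputs": [("addr_custodial", 63.7)]},
    {"txid": "tx_unrelated", "inputs": [],
     "outputs": [("addr_noise", 2.0)]},
]


def trace_funds(ledger, start_address):
    """Follow funds paid to `start_address` downstream until they rest in
    unspent outputs. Returns (unspent_by_address, hops_by_address)."""
    output_at = {}   # (txid, vout) -> (address, amount)
    spender_of = {}  # (txid, vout) -> transaction that consumes that output
    for tx in ledger:
        for vout, (addr, amount) in enumerate(tx["outputs"]):
            output_at[(tx["txid"], vout)] = (addr, amount)
        for outpoint in tx["inputs"]:
            spender_of[tuple(outpoint)] = tx

    # Seed the search with every output that paid the starting address.
    queue = deque((op, 0) for op, (addr, _) in output_at.items()
                  if addr == start_address)
    seen = set()
    unspent = defaultdict(float)  # where the traced funds currently sit
    hops = {}                     # how many transactions away from the start

    while queue:
        outpoint, depth = queue.popleft()
        if outpoint in seen:
            continue
        seen.add(outpoint)
        spender = spender_of.get(outpoint)
        if spender is None:
            # Not spent yet: this is a resting place for the traced funds.
            addr, amount = output_at[outpoint]
            unspent[addr] += amount
            hops[addr] = depth
            continue
        # Spent: every output of the spending transaction inherits the trace.
        for vout in range(len(spender["outputs"])):
            queue.append(((spender["txid"], vout), depth + 1))

    return dict(unspent), hops


if __name__ == "__main__":
    resting, distance = trace_funds(SAMPLE_LEDGER, "addr_attacker_1")
    for addr, amount in resting.items():
        print(f"{amount:6.1f} BTC at {addr} ({distance[addr]} hop(s) away)")
```

Run against the constructed ledger, the tracer reports 11.3 BTC resting at `addr_affiliate` one hop away and 63.7 BTC at `addr_custodial` two hops away, while `tx_unrelated` never enters the trace. Two caveats a practitioner would add: the follow-everything rule over-attributes as soon as a transaction mixes traced inputs with unrelated ones, which is why real tracers apply taint rules to apportion amounts; and tracing only tells you where the funds are, so the seizure still depended on the FBI holding the private key for the final address.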