Living Off the Land Is the New Normal + When Hacks Upset Housing Markets

Editor’s Note: This newsletter is part of a collaboration between Lawfare and Risky Business. You can find the full version of the Seriously Risky Business newsletter and previous editions on Substack.

Living Of the Land Is the New Normal

Cybersecurity firm Huntress has confirmed what organizations like the National Security Agency (NSA) have been saying—that “living off the land” is the new normal.

We’ve covered the shift toward living off the land techniques (abusing legitimate tools already present in the host environment) by both Russian and Chinese APT actors. According to a new Huntress report focused on threats to small and medium-sized businesses (SMBs), more than half of incidents involved LOLbins (living off the land binaries) and were “malware free.”

One type of legitimate software that is commonly abused by threat actors to gain and maintain access to targeted environments is remote monitoring and management (RMM) software. Huntress found that 65 percent of all types of SMB security incidents involved RMM software such as ConnectWise, ScreenConnect, AnyDesk or TeamViewer. These types of software are not detected as malware, and their use is often not audited, especially in small organizations.

Living off the land techniques are also being used by the most concerning threat actors that this newsletter has covered in recent months, including cybercrime groups (see our reports on Octo Tempest or Scattered Spider) and state-backed groups such as China’s Volt Typhoon.

Volt Typhoon’s campaign is genuinely concerning. Microsoft thought the group was “pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.”

In a recent Risky Business podcast, Morgan Adamski, the director of the NSA’s Cybersecurity Collaboration Center, said she was worried about the “scope, scale and sophistication” of Chinese APT activity. One element of this was the shift to living off the land.

“We’re going to have to up our game,” Adamski said. “You’ve got to know what your sys admins are doing, are they in every single day, are they actually supposed to be doing the activity that you see them doing?”

“And so it is going to take a concerted effort across everyone in the industry, as well as the net defenders, to really put a lot of time and effort behind this.”

Living off the land is here to stay, and cybersecurity organizations are going to have to adapt their practices to cope.

Hacks at Key Firms Upset Housing Markets

When key firms that provide services to a range of clients are hit by cyber incidents, the damage ripples through the economy. For example, in the U.K. and the U.S., attacks on companies that provide services to the real estate industry have impacted house sales.

The consequences of breaches like these mean key service providers need to be held to very high standards of security.

Last week, Fidelity National Financial (FNF), a U.S. Fortune 500 company that provides insurance and settlement services to the real estate industry, announced it had blocked access to some of its systems after detecting a breach.

FNF, which owns a suite of related companies, stated that “the services we provide related to title insurance, escrow and other title-related services, mortgage transaction services, and technology to the real estate and mortgage industries, have been affected by these measures.”

The AlphV/Black Cat ransomware gang claimed responsibility for the hack on their leak site the day after FNF’s announcement, while also mocking Mandiant, presumably the firm AlphV believes FNF has engaged for incident response.

The fallout was described as a “catastrophe” by TechCrunch, with prospective buyers being unable to close house purchases and left in the dark about their status. When TechCrunch called IPX 1031, an FNF subsidiary, a voicemail responded that “Fidelity National Financial is still experiencing a system-wide outage. We do not have access to send or receive email or access to any system. We appreciate your patience.”

In the U.K., an attack on CTS, a provider of managed information technology services for law firms, is also affecting home purchases by disrupting the legal sector.

CTS announced on Nov. 23 that it was experiencing a service outage caused by a cyber incident that had “impacted a portion of the services we deliver to some of our clients.”

Today’s Conveyancer, a real estate lawyer publication, reported the incident was affecting around 80 firms across the country and wrote that it “risks bringing exchanges and completions to a standstill.” The impact felt by each firm varied depending on its reliance on cloud-based services. One CTS client told Today’s Conveyancer:

Depending on your cloud dependency you may, like us, still be able to find workarounds for matters exchanging and completing this week. Other firms have been more affected and are unable to access phone, emails, or case management systems. As a result some transactions are still going ahead today.

A number of U.K. law firms spoke to the U.K.’s Property Eye property trade publication, confirming that the incident’s impact was widespread. O’Neil Patient, for example, said that “this issue is impacting a number of organisations across the sector, as our provider is a specialist in secure legal systems for many law firms and barrister’s chambers.”

One lesson here is that service providers are high-impact targets, and because so many customers rely on them, they need top-notch cybersecurity standards.

While we do not know how FNF and CTS were breached, cybersecurity researcher Kevin Beaumont, using information from Shodan, notes both were slow to patch the latest Citrix NetScaler vulnerabilities.

It is standard practice for cybercrime gangs to take any vulnerability in internet-facing enterprise software and exploit it at scale either for data-theft extortion or for network access. The Cybersecurity & Infrastructure Security Agency warned last week that these vulnerabilities were being actively exploited by cybercrime groups, and they have already been implicated in the high-profile compromises of Boeing and the Industrial and Commercial Bank of China.

A patch for these Citrix NetScaler vulnerabilities was released on Oct. 10. Perhaps the more straightforward lesson here is that organizations need to get much much faster at upgrading and patching their internet-facing vulnerabilities.

Coincidentally, an updated version of the Australian Signals Directorate’s (ASD’s) “Essential Eight” strategies to mitigate cybersecurity incidents was released this week. One of the big changes is to place higher priority on rapid patching, and the ASD recommends that patches be applied “within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.” That’s a tall order for most organizations, but how much angst would have been saved in recent weeks alone if that recommendation had been implemented?

In the race to exploit or remediate these bugs, too often threat actors are winning.

Three Reasons to Be Cheerful This Week:

1. Swapping vulns for coins: The U.K.’s National Cyber Security Centre is launching a set of challenge coins it will give out to selected researchers who submit reports to its Vulnerability Reporting Service (VRS) and who it thinks have “shown themselves to be exemplars of the vulnerability disclosure community.” The VRS covers U.K. government services, and this is a good way of encouraging reports that appeals to security researchers’ sense of self-worth.
2. International ransomware group dismantled: Authorities from seven countries have collaborated to dismantle a ransomware group responsible for attacks in 71 countries. The group used a variety of ransomware strains, including LockerGoga, MegaCortex, HIVE, and Dharma, in attacks that affected over 1,800 victims worldwide. Coordinated raids took place at 30 locations, and the group’s leader and four accomplices were arrested in Ukraine.
3. Myanmar rebels battling cyber scams: The Three Brotherhood Alliance, a militia opposed to the Myanmar junta, has taken aim against online “pig butchering” compounds operating near the border with China. The People’s Republic of China has tried to pressure the Myanmar government to crack down on the crime, with limited success. So it’s a happy coincidence for the Chinese government that rebel forces have suddenly felt motivated to tackle cybercrime kingpins.

Shorts

DP World Australia has confirmed that ransomware was not deployed in a recent incident that we covered earlier this month. DP World Australia says “a small amount” of data was stolen during the incident, including the personal information of current and former employees.

This is a best-case scenario as the actual deployment of ransomware would have been far more damaging. As it was, the incident resulted in the shutdown of five ports across Australia, national news coverage, and a whole-of-government response. Australia’s Minister for Cyber Security, Clare O’Neil, even berated DP World for not patching its systems more rapidly. That’s more than a little angst. DP World Australia’s executive vice president, Nicolaj Noes, told the Australian Broadcasting Corporation that although getting cybersecurity right is complex, perhaps they should, in retrospect, have “done some things differently.”

The Qilin ransomware group (aka Agenda) has claimed responsibility for a cyber incident affecting production at Yanfeng Automotive Interiors, a Chinese automotive parts manufacturer. Bleeping Computer reports that Yanfeng employs 57,000 people in 240 locations worldwide and that the incident disrupted production at multinational automaker Stellantis’s North American assembly plants.

Just two weeks ago, in the wake of a ransomware attack on the U.S. subsidiary of China’s largest bank, we speculated about the Chinese government pressuring Russian officials to take action against ransomware crews. It’s not clear that Qilin is Russia based, although cybersecurity firm Group-IB reported earlier this year that a Qilin recruiter looking for affiliates wrote in Russian and said that the group does not work in CIS countries (countries that were formerly part of the Soviet Union).

Risky Biz Talks

In the latest “Between Two Nerds” discussion, Tom Uren and The Grugq look at the evolution of Russian electricity network cyberattacks.

From Risky Biz News:

Fastly to block domain fronting in 2024: Internet infrastructure company Fastly will block domain fronting on its cloud platform starting Feb. 27, 2024. Fastly joins a growing list of major cloud companies that have banned domain fronting. The list includes Amazon (banned in 2018), Google (2018), Microsoft (2022), and Cloudflare (2015).

Domain fronting is a technique to use different domain names on the same HTTPS connection. Because of its ability to hide backend infrastructure, domain fronting has also become popular with malware operations, being adopted by both financially and espionage-motivated groups.

[more on Risky Business News, including the history of domain fronting, its legitimate uses, and how it has been used by services like Signal and Tor to bypass internet censorship]

Cyber insurance catches on across the EU: A European Union Agency for Cyber Security (ENISA) report on NIS compliance spending has found that roughly 42 percent of the EU’s critical infrastructure and digital service provider operators have signed up for cyber insurance in 2022. The report notes that while cyber insurance coverage was at 43 percent in 2020 and just 30 percent in 2021, the cyber insurance market now appears to be active and developed all over the EU.

[more on Risky Business News, including how companies are complying with the EU’s NIS Directive]

Crypto-phishing service shuts down after stealing $71 million: A phishing platform that specializes in cryptocurrency thefts has shut down operations after stealing more than $71 million over the past nine months. Named Inferno Drainer, the platform launched in February this year. Spotted by Web3 security platform ScamSniffer, the service allowed threat actors to create phishing pages for more than 220 cryptocurrency brands. ScamSniffer researchers say Inferno Drainer was responsible for more than 10,000 phishing sites and helped hackers steal cryptocurrency from more than 103,000 victims since its launch.