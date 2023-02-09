

Welcome to The Cybersecurity 202!

Below: President Biden's top adviser for cybersecurity will retire next week, and Jamal Khashoggi's widow asks the United States and United Nations for help retrieving his devices. First:

A fresh worldwide ransomware attack has novel, worrisome elements

The phrase “global ransomware attack” has a legacy of havoc, with the twin 2017 NotPetya and WannaCry cyberattacks collectively infecting hundreds of thousands of machines and doing billions of dollars’ worth of damage.

We’re in the midst of another worldwide ransomware campaign that has prompted alerts from cybersecurity authorities in multiple countries in recent days. But it doesn’t appear to be as destructive as past campaigns.

So what gives?

The latest attacks — the less flashily named “ESXiArgs” campaign — are believed to have infected at least 3,000 servers, but overall they seem to have caused much less chaos than past campaigns. There are a number of potential reasons for that, analysts say, from possible missteps by the attackers, to the experimental nature of this particular campaign, to few victims appearing to feel they need to pay because the attacks didn’t necessarily hit vital systems.

That doesn’t mean, however, that it’s not serious, according to those same analysts. It also doesn’t mean that no one should be worried — especially because of what it might mean for future attack trends.

The nature of the beast

The campaign, which began Friday according to France’s computer emergency response team, is named after the VMware ESXi software that it attacks. VMware is a cloud technology provider, and the ESXi software monitors virtual machines, which are also known as VMs. The vulnerability the attackers are targeting appears to be two years old, and a patch has been available since early 2021.

VMware said in a blog post that the company “has not found evidence that suggests” that a previously unknown vulnerability is helping “propagate” the hacks. It advised customers to update their software.

There are more than 3,800 victims, including Florida’s Supreme Court and universities in the United States and Europe, according to a Reuters analysis that relied in part on the crowdsourced Ransomwhere platform.

That same platform found evidence that the ESXiArgs campaign has netted at least $88,000 in known ransoms for the attackers — a pretty small haul compared with the average single payment of more than $500,000 that Palo Alto Networks estimated ransomware gangs got in 2021.

The starting ESXiArgs ransom request is 2 bitcoin, or just under $50,000 — significantly less than the 2021 average ask of $2.2 million.

Florida’s Supreme Court notably said the attack hit a part of its systems that didn’t affect its main network, meaning it hasn’t impacted the court’s work.

It’s not clear yet who’s behind the campaign, although Italy’s government said it looks more like the work of cybercrooks than government-linked hackers.

The Cybersecurity and Infrastructure Security Agency and FBI issued an alert about the campaign on Wednesday. CISA also has released a script to help victims recover, albeit with a disclaimer that says the agency doesn’t accept liability for any damages the script might cause. But a new version of the malware appears to be preventing the script from recovering some files, Bleeping Computer's Lawrence Abrams reports.

The most interesting bits

There are a number of things that make ESXiArgs novel, worrisome or both, analysts say.

One of the things that makes them difficult to identify is that they don’t have their own leak site, nor do they seem to be stealing data at all. Ransomware gangs frequently host sites on the dark web, where they threaten to publish stolen data if victims don’t pay. Also unusual is that each ransom note appears to display a different wallet address, another element that makes it harder to zero in on who’s responsible.

The attackers also have used bits and pieces of tools from other ransomware gangs, which further obscures the hackers’ identities.

“It’s kind of like a Franken-ransomware, which is what we’re getting more and more of, or I guess if you’re going to be a pedant, a Frankenstein’s monster’s ransomware,” Allan Liska, senior security architect at cybersecurity firm Recorded Future, told me. “It’s becoming much more common, and it’s going to be a bigger problem going forward.”

Another interesting element is how the attackers chose — or didn’t choose — their targets, said Mark Manglicmot, senior vice president of security services at cybersecurity company Arctic Wolf.

“They’re targeting publicly facing VM servers for this, so they don’t have to break into a company’s environment to then do their ransomware campaign,” Manglicmot told me. “They’re able to do a little bit of pray-and-spray, or just kind of blast it out like a spam campaign without having to do a lot of research. It seems like a fast-and-dirty type of ransomware attack.”

Even though the hackers haven’t evidently made a lot of money yet, they also don’t seem to have had to work very hard to get it as a result of the wide targeting. “If you can put together something in an afternoon and make like $100,000 in two or three days, that’s a good return on investment,” Manglicmot said.

Despite the mixed results for the campaign, Liska says he expects future imitators.

“I think we’re going to see somebody who’s going to say, ‘Oh, that was interesting. Let’s see if we can make a better version of that,’” Liska said. “We see that a lot, where a bad guy tries something and it doesn’t work very well, but then the next bad guy comes in and they do it better.”

The keys

Khashoggi's wife asks U.S. and U.N. for help recovering husband's devices from Turkey

The widow of slain Saudi journalist Jamal Khashoggi is asking U.S. Director of National Intelligence Avril Haines and U.N. Secretary General António Guterres for help recovering her husband’s laptop, cellphones and tablet from the Turkish government, Phil McCausland reports for NBC News.

Khashoggi, a columnist for The Washington Post, was killed at the Saudi consulate in Istanbul in 2018. A U.S. intelligence report concluded that Saudi Crown Prince Mohammed bin Salman approved the killing.

Hanan Elatr Khashoggi’s requests come a year after she first requested the devices, indicating that she is ready to increase pressure on Turkey to hand them over so she can take legal action before the statute of limitations for filing a lawsuit over computer hacking runs out in the United States later this year.

In letters sent to Turkish President Recep Tayyip Erdogan in November and January, seen by NBC News, she said that she thinks the electronics “will reveal previously undisclosed details about my husband’s murder that are critical to knowing the full truth.”

Erdogan’s office and the Turkish Embassy in D.C. did not respond to a request for comment from NBC News.

In both letters, Elatr also named the Saudi and Emirati governments as targets of future lawsuits, as well as Israeli spyware firm NSO Group. The company’s Pegasus spyware was found on two of her phones in November 2021, months before Jamal’s death. Elatr says that the same spyware might have also been installed without their knowledge onto her husband’s devices.

An NSO Group spokesperson has repeatedly denied any involvement with the case, saying that “our technology was not associated in any way with the heinous murder of Jamal Khashoggi or any of his family members, including Hanan Elatr.”

Top White House cyber official to retire next week

National Cyber Director Chris Inglis is set to retire on Feb. 15 even though his office hasn’t yet released a long-awaited cybersecurity strategy, CNN’s Sean Lyngaas reports.

President Biden tapped Inglis to lead the office in 2021 to “bring coherence to how the executive branch responds to major hacks and to keep a close eye on how federal agencies manage their digital defenses,” Lyngaas writes.

His departure comes as the country continues to face a series of digital threats like ransomware and hacks of American businesses and federal agencies.

Some bipartisan lawmakers unsuccessfully called on Inglis to stay in the job until the office approved a finalized strategy. The strategy is expected to call for regulation of critical infrastructure organizations, The Post previously reported.

Kemba Eneas Walden, a former Microsoft executive who joined the cyber office in May, will serve as acting director until Biden nominates an official successor.

U.K. proposes making the sale and possession of “bespoke” encrypted phones illegal

The United Kingdom’s Home Office said it is eyeing a ban on the sale or possession of “bespoke” devices used for organized crime, but experts say that the proposal is too broad and undefined, Motherboard’s Joseph Cox reports.

It comes as the country’s law enforcement agencies are ramping up efforts to probe the encryption industry and other serious crimes via technical operations, undercover investigations and by creating their own phone company to secretly harvest messages.

According to activists, the measure, which would make having an encrypted phone a criminal offense on its own accord, could “sweep up other forms of secure communication used by the wider population if not adjusted,” Cox writes.

Plus, it “does not yet have a settled definition of what encompasses sophisticated encrypted communication devices, leaving open the question of what exactly the U.K. would be prepared to charge a person for possessing or selling,” Cox added.

This poses a legally binding threat to “human rights defenders, protesters and pretty much all of us who want to keep our data secure,” said Ioannis Kouvakas, a senior legal officer and assistant general counsel at the U.K.-based activism organization Privacy International.

However, the Home Office argues that it is hard to see a need for anyone to use such devices for legitimate, legal reasons. The government is soliciting public input on the proposal through March 21.
