1
00:00:01,639 --> 00:00:09,839
Produced by PI Media. Hi,
and welcome to CPRadio. I'm your

2
00:00:09,839 --> 00:00:17,640
host, Ran Levi. Once a
year, Check Point Research releases a mid-year report,

3
00:00:18,000 --> 00:00:22,640
a summary of the first half of
the calendar year in cybersecurity, including

4
00:00:22,719 --> 00:00:27,399
all of the major changes, trends, and events that defined January through

5
00:00:27,600 --> 00:00:32,159
June. Obviously, a lot happens
in that time, and so the reports

6
00:00:32,439 --> 00:00:37,399
end up rather long, which is
why sometimes we'll do one of these episodes

7
00:00:37,439 --> 00:00:43,320
to summarize not every detail, but
the biggest, most important things you should

8
00:00:43,439 --> 00:00:47,439
know. The interviews are hosted by
Nate Nelson, the writer of our show,

9
00:00:47,799 --> 00:00:53,079
and feature one of Check Point Research's lead
intelligence analysts. This time, a familiar

10
00:00:53,159 --> 00:00:58,280
face, Yoav Arad Pinkas,
so sit back. Over the next twenty

11
00:00:58,280 --> 00:01:00,719
five minutes or so, Nate and Yoav
will give you a brief picture

12
00:01:00,920 --> 00:01:06,439
of the first half of the year
twenty twenty three in case you missed any

13
00:01:06,480 --> 00:01:10,599
of it, or maybe you just
need a refresher. I'll see you at

14
00:01:10,640 --> 00:01:19,879
the end of it. Enjoy.
Hey Yoav, welcome back to the program.

15
00:01:19,079 --> 00:01:23,000
Want to let listeners know what we
have in store for them in this episode.

16
00:01:23,480 --> 00:01:27,920
Hi, Nate, good to be
here again. The last time we

17
00:01:29,000 --> 00:01:34,120
talked, we discussed Check Point Research's twenty
twenty three Annual Report, and this time

18
00:01:34,159 --> 00:01:38,760
we have the twenty twenty three Mid-Year
Report, which we published just a few

19
00:01:38,760 --> 00:01:44,519
weeks ago. This edition is more
concise but has the same general structure as

20
00:01:44,599 --> 00:01:49,959
before, and it is based on
the analysis of anonymized data collected from hundreds

21
00:01:49,959 --> 00:01:57,000
of thousands of gateways of our customers
throughout the world. This data, combined

22
00:01:57,040 --> 00:02:01,560
with OSINT research, gives us a
pretty good picture of the current trends in

23
00:02:01,840 --> 00:02:07,960
the cyber attack scene. So in this
report, we analyze the major trends in

24
00:02:08,039 --> 00:02:15,719
cyber attacks and present the data concerning
the major attack industries, infection methods,

25
00:02:16,000 --> 00:02:21,879
top malware, and more.
Maybe you can be a little more specific

26
00:02:22,000 --> 00:02:28,599
about exactly what's covered in the report. The report itself includes an analysis of

27
00:02:28,719 --> 00:02:34,800
the ransomware ecosystem and its developments,
which we'll go into in a minute,

28
00:02:34,840 --> 00:02:39,319
but also reviews developments in hacktivism,
the recent threats in the mobile arena.

29
00:02:40,000 --> 00:02:46,840
We review what is probably going to
be the major theme for which twenty twenty

30
00:02:46,840 --> 00:02:52,840
three will be remembered in history:
the developments in AI and their implications over

31
00:02:52,879 --> 00:02:58,400
the cyber field, and much, much more. Of course, we don't have nearly

32
00:02:58,479 --> 00:03:01,360
enough time to cover every one of
these subjects, so today let's just focus

33
00:03:01,479 --> 00:03:07,000
on a few that we think are
extra important. Firstly, what's happening with

34
00:03:07,319 --> 00:03:14,000
ransomware? So ransomware is still considered
the number one threat for businesses of all

35
00:03:14,080 --> 00:03:20,560
sizes in the sense of the damage
that it generates, in both direct and indirect damages.

36
00:03:21,439 --> 00:03:24,759
These are the ransom payments, but
also loss of business and exposure to

37
00:03:25,000 --> 00:03:34,520
GDPR-related lawsuits for both customers and
employees. But it's not just the damages.

38
00:03:35,000 --> 00:03:39,639
It's also more widespread, I think
than you might think. So from analyzing

39
00:03:39,680 --> 00:03:46,759
the cases handled by our incident response
team, we find that almost half of

40
00:03:46,800 --> 00:03:52,759
all the cases that they investigate are
ransomware-related cases. So many of the

41
00:03:52,840 --> 00:03:57,960
smaller incidents we see, if they're
not handled properly, could develop into full

42
00:03:58,000 --> 00:04:02,680
blown ransomware attacks. Now, when
we say ransomware today, we mean not

43
00:04:03,120 --> 00:04:09,879
just that it's an attack where data is
encrypted, but rather that

44
00:04:10,000 --> 00:04:16,199
the motivation behind the attack is to
generate financial profit through the extortion of the

45
00:04:16,279 --> 00:04:23,720
victims. This is now an entire
ecosystem whose main actors are ransomware as a

46
00:04:23,759 --> 00:04:30,040
service (RaaS) threat actors that operate in
a double extortion model. This means that

47
00:04:30,360 --> 00:04:34,519
threat actors like LockBit, Clop and
many others that we'll talk about are the

48
00:04:34,560 --> 00:04:41,360
ones that are responsible for the malware
development, but the actual operation of the

49
00:04:41,399 --> 00:04:47,120
attack is conducted by affiliates. The
affiliates pay for the use or share part

50
00:04:47,120 --> 00:04:53,319
of the revenue with the ransomware as
a service actors, and in return they

51
00:04:53,319 --> 00:04:59,560
can use the ransomware encryptor and other
infrastructure related services, including the reputation of

52
00:04:59,600 --> 00:05:02,839
the ransomware as a
service actors. Yeah, can you expand

53
00:05:02,839 --> 00:05:08,079
on that idea, because I think
it might be strange to those unfamiliar that

54
00:05:08,160 --> 00:05:15,040
ransomware groups would have anything resembling a
good reputation. Ironically, reputation is an

55
00:05:15,120 --> 00:05:21,279
important element in this sector of crime
industry, since victims who pay large sums

56
00:05:21,279 --> 00:05:28,639
in extortion monies rely on the reputation
of the attacker for receiving decryption keys in

57
00:05:28,720 --> 00:05:33,680
return for their payment. These attacks
normally include two strategies of extortion, both

58
00:05:33,720 --> 00:05:40,920
the encryption of data in the victim
system and by stealing the data and threatening

59
00:05:40,959 --> 00:05:47,480
to publish it later. This is
the double element in double extortion. This

60
00:05:47,600 --> 00:05:53,319
model of operation, which is based
on outsourcing the initiative to the affiliates,

61
00:05:53,360 --> 00:05:59,560
has created a competition between ransomware as a
service actors for the attention of affiliates and

62
00:06:00,040 --> 00:06:05,120
how to recruit them, and this
competition in turn pushes for continuous development of

63
00:06:05,160 --> 00:06:12,319
additional features in the ransomware malware and
services. All of this is relevant today,

64
00:06:12,360 --> 00:06:15,439
of course, but it's not new
either. So what's changed in ransomware

65
00:06:15,639 --> 00:06:21,720
in twenty twenty three? One such
important ability that was pushed and added to

66
00:06:21,800 --> 00:06:30,600
many ransomware families this year has been
ransomware versatility to additional operating systems, mostly

67
00:06:30,680 --> 00:06:36,319
Linux. This ability opens the potential
attack surface to many more systems and possible

68
00:06:36,399 --> 00:06:44,399
victims. So Linux-dedicated ransomware is
now offered by LockBit, by Royal,

69
00:06:44,600 --> 00:06:48,680
by Clop, BianLian, by
Society, and it really has become

70
00:06:49,399 --> 00:06:56,600
the standard for ransomware. Another aspect
that ransomware has been improving in is the

71
00:06:56,759 --> 00:07:00,519
speed of encryption, which has long
been the subject of ransomware advertisements. I

72
00:07:00,560 --> 00:07:06,800
remember two years ago LockBit published an
advertisement with an operational analysis of all available

73
00:07:06,839 --> 00:07:13,800
ransomware payloads, comparing their encryption speeds
and claiming to be the fastest. Why

74
00:07:13,879 --> 00:07:18,519
is this important? Because the faster the
encryption, the less time defenders have to

75
00:07:18,680 --> 00:07:24,959
detect and intercept the attacks, and
the more chance criminals have at encrypting valuable

76
00:07:25,079 --> 00:07:30,920
data. This is also why most
attacks conduct this critical but noisy encryption phase

77
00:07:30,199 --> 00:07:35,680
at non-working hours, so the
attacks are mostly during nighttime or weekends or

78
00:07:35,680 --> 00:07:44,120
holidays, and they try to be
as quick as possible. CPR has recently

79
00:07:44,120 --> 00:07:49,800
published an analysis of the fastest-encrypting
ransomware, we dubbed it Rorschach, which was

80
00:07:49,920 --> 00:07:57,600
used against an American company. The
average time that attackers now spend in breached

81
00:07:57,639 --> 00:08:01,720
networks is also getting shorter, from
weeks in the past to less than a

82
00:08:01,839 --> 00:08:07,839
day for actors to stay in a
breached network, locate and breach backup servers

83
00:08:09,680 --> 00:08:16,199
or Active Directory. So to summarize, ransomware attackers are targeting previously untouched

84
00:08:16,240 --> 00:08:22,399
operating systems and moving faster than ever. What else? Another aspect that ransomware as a service

85
00:08:22,480 --> 00:08:28,879
providers are working on improving is their
evasion techniques. These are basically all the

86
00:08:28,920 --> 00:08:35,039
features intended to work around security mechanisms. For example, we see mechanisms

87
00:08:35,120 --> 00:08:43,159
like restarting in safe mode. That's when
the intruding ransomware restarts the machine in safe

88
00:08:43,159 --> 00:08:48,480
mode to exclude most security mechanisms,
so this has become another common feature, again

89
00:08:48,519 --> 00:08:54,840
almost as standard. Leading examples are
LockBit, ALPHV, Black Basta,

90
00:08:54,320 --> 00:09:00,759
and AvosLocker. And where have we seen
all these trends bear out? Tell me

91
00:09:00,840 --> 00:09:05,840
about some of the notable attacks that
happened this year. Maybe the trend of

92
00:09:05,919 --> 00:09:11,159
the first half of twenty twenty three
is the mega ransomware attacks, where attackers

93
00:09:11,240 --> 00:09:18,240
breach dozens, sometimes hundreds of companies
in one go. The three largest examples

94
00:09:18,279 --> 00:09:26,039
of this are the LockBit exploitation of
the Cloud fifty one service provider that has

95
00:09:26,120 --> 00:09:31,679
led to the breach of sixty other
companies, and two attacks by Clop,

96
00:09:31,279 --> 00:09:37,879
both targeting file transfer tools. The
first attack was through a service called

97
00:09:37,000 --> 00:09:43,039
GoAnywhere that brought down one hundred and
thirty victims, and the second by exploiting

98
00:09:43,039 --> 00:09:48,480
a zero-day vulnerability in the MOVEit
tool, which is now confirmed to have

99
00:09:48,559 --> 00:09:54,600
taken down one hundred, probably more than
seven hundred companies, including Shell, Deutsche

100
00:09:54,639 --> 00:10:01,320
Bank, British Airways and many, many. This is a major change from what

101
00:10:01,360 --> 00:10:09,320
we've become used to in this ecosystem.
Until now, there's been the gradual outsourcing of

102
00:10:09,440 --> 00:10:16,600
various parts of the attack operation to
many subcontractors. So affiliates produce the attack,

103
00:10:16,720 --> 00:10:22,200
but they buy infections from initial access
brokers, and the initial access brokers

104
00:10:22,559 --> 00:10:28,279
base their activity on information and leads
they buy in dark web markets where it

105
00:10:28,360 --> 00:10:35,799
is sold by often less technical actors
who operate infostealers. But with mega attacks,

106
00:10:37,000 --> 00:10:43,440
one actor utilizes an expensive zero-day
vulnerability to penetrate multiple victims. This

107
00:10:43,559 --> 00:10:50,840
creates a substantial management challenge for the
threat actor. Just imagine the management of

108
00:10:50,879 --> 00:10:56,240
such an operation. You need to
search the networks of hundreds of companies,

109
00:10:56,320 --> 00:11:00,799
you need to identify important information,
you need to download and store it, you

110
00:11:00,919 --> 00:11:07,000
conduct negotiations, you need to leak
it. It's really a considerable logistical challenge,

111
00:11:07,840 --> 00:11:13,480
and this is probably one of the
reasons why they now skip the encryption

112
00:11:13,600 --> 00:11:20,879
phase altogether and resort to only data
extortion. That means they demand money or else

113
00:11:20,960 --> 00:11:26,440
they would publish the stolen information.
Interestingly, this is the main trend we

114
00:11:26,559 --> 00:11:31,480
recognized and outlined in the previous report
in December, when we noticed that threat

115
00:11:31,519 --> 00:11:37,279
actors started to conduct effective data extortion
without encryption. And these groups are well

116
00:11:37,320 --> 00:11:43,120
equipped to manage gigantic breaches of so
many organizations at once. In an operation of this

117
00:11:43,279 --> 00:11:46,759
magnitude, there are other challenges. For
example, in order to download the gigabytes

118
00:11:46,720 --> 00:11:54,399
of data from Tor infrastructure, that could take a relatively long time and

119
00:11:54,480 --> 00:12:01,399
thus makes the extortion threat less effective. And that's why Clop has experimented with

120
00:12:01,480 --> 00:12:05,440
leaking the data not in its onion
infrastructure but rather on the clearnet,

121
00:12:07,080 --> 00:12:11,600
and in August, just a couple
of weeks ago, they transformed their entire

122
00:12:11,679 --> 00:12:16,679
leak infrastructure to torrents. That makes
it both much faster, therefore a more

123
00:12:16,720 --> 00:12:24,559
substantial threat for victims, and more challenging
for law enforcement to take the databases

124
00:12:24,679 --> 00:12:30,360
offline. Anything else? Before we move
on from the ransomware topic, in

125
00:12:30,399 --> 00:12:35,240
this report, we also publish an
analysis of data scraped from ransomware threat actors'

126
00:12:35,320 --> 00:12:43,519
shame sites. These are the sites
where they publish the identity and leak the

127
00:12:43,639 --> 00:12:48,039
data of non paying victims, so
it's a partial view, but it's still

128
00:12:48,759 --> 00:12:54,200
insightful. So what we routinely do
is we monitor more than one hundred and

129
00:12:54,240 --> 00:13:00,559
seventy onion sites which are operated by
over one hundred and twenty criminal groups, and

130
00:13:00,679 --> 00:13:03,759
in the first half of twenty twenty
three, these were used to publish the

131
00:13:03,840 --> 00:13:11,399
identity of more than twenty two hundred
victims by nearly fifty active groups. LockBit

132
00:13:11,639 --> 00:13:18,559
was the most prolific actor, accounting
for more than a quarter of all victims

133
00:13:18,879 --> 00:13:24,320
before the count of Clop's MOVEit
breach, which occurred in May but was

134
00:13:24,320 --> 00:13:30,080
published and added to the victim count
in later months. So LockBit had the

135
00:13:30,120 --> 00:13:35,919
most victims, and ALPHV, also known
as BlackCat, and Clop followed. ALPHV

136
00:13:37,000 --> 00:13:41,600
is the actor responsible for the
recent breach of MGM Resorts International. In

137
00:13:41,679 --> 00:13:46,559
terms of geographical distribution, we see
that almost half of the victims are US

138
00:13:46,639 --> 00:13:54,279
companies. That could explain the intensive
activity of American law enforcement entities against this

139
00:13:54,759 --> 00:14:01,480
criminal industry. They've led operations like
the Hive ransomware group takedown in January

140
00:14:01,840 --> 00:14:07,200
this year and led much of the
international activity. Who, I'm curious, are the

141
00:14:07,279 --> 00:14:11,399
victims of these stories, whether it
be industry, geography, what have you.

142
00:14:13,360 --> 00:14:16,720
Most of the victims are from Western
countries like the US, the UK,

143
00:14:16,039 --> 00:14:22,200
Canada, Italy, Germany and France, but interestingly we had some Russian victims

144
00:14:22,200 --> 00:14:28,039
this year. Now, normally most
of these groups refrain from attacking ex-USSR countries

145
00:14:28,120 --> 00:14:33,879
or just generally Russian language systems,
but we did see now a substantial number

146
00:14:33,879 --> 00:14:41,000
of Russian victim companies. These were
almost exclusively victims of the MalasLocker threat

147
00:14:41,080 --> 00:14:46,559
actor. This group, which emerged
earlier this year, is unique not just

148
00:14:46,600 --> 00:14:50,159
for the identity of its victims,
but also for its extraordinary ransom demand.

149
00:14:50,840 --> 00:14:56,840
The group asks victims to make a
donation to a charity of their choice instead

150
00:14:56,840 --> 00:15:03,679
of paying a ransom payment directly to
the group. On something maybe similar,

151
00:15:03,759 --> 00:15:09,600
we've again extraordinarily seen some Iranian victims
in August. All of them were breached

152
00:15:09,600 --> 00:15:15,399
by a group called Alvin Club,
which is traditionally focused on Iran. Another

153
00:15:15,440 --> 00:15:20,279
interesting finding is the analysis of affected
industries by ransomware. So what we see

154
00:15:20,360 --> 00:15:26,919
is that sectors that cannot or systematically
would not pay ransoms are less affected by it.

155
00:15:28,799 --> 00:15:33,840
So government and military, education and
research institutes, which we find at

156
00:15:33,879 --> 00:15:39,080
the top of our most attacked sectors index
when we review general cyber attacks, are

157
00:15:39,120 --> 00:15:46,559
not at the top of the ransomware
victim industry index. They're pushed down in

158
00:15:46,639 --> 00:15:52,320
the ranking of most attacked sectors by
manufacturing companies and retail entities who are more

159
00:15:52,879 --> 00:16:00,759
income-oriented and generally more willing to
negotiate and pay ransoms. By US law,

160
00:16:00,799 --> 00:16:06,399
it's forbidden, that is, to
negotiate and pay ransoms. And from

161
00:16:06,399 --> 00:16:11,440
this analysis we can see that as
an industry this principle is actually effective and

162
00:16:11,480 --> 00:16:18,799
we see less of the public sector
at the top of the most attacked ransomware

163
00:16:18,279 --> 00:16:22,600
index. Before we finish up here, Yoav, there is another major trend

164
00:16:22,679 --> 00:16:30,159
that you wanted to talk about.
Another interesting issue we highlight in this

165
00:16:30,240 --> 00:16:37,399
report is the re-emergence of an old
infection method, that of using USB drives.

166
00:16:37,240 --> 00:16:42,080
This is when threat actors either distribute
or send by mail USB devices that have

167
00:16:42,159 --> 00:16:48,639
malicious mechanisms, either automatic or user-dependent,
or even infections that use occasional

168
00:16:48,759 --> 00:16:55,159
USB drives to transfer infections from one
machine to the other. Now, already

169
00:16:55,159 --> 00:17:00,000
in twenty twenty two, the FBI
issued a warning about a campaign aiming at US

170
00:17:00,279 --> 00:17:07,079
defense firms, with the attackers mailing
USB drives loaded with malicious payloads. And

171
00:17:07,680 --> 00:17:11,599
during the past few months, CPR
reviewed a couple of malware families with extensive

172
00:17:11,640 --> 00:17:19,880
exploitation of USB devices. The first
was the Raspberry Robin worm, currently one

173
00:17:19,880 --> 00:17:26,640
of the most widespread multipurpose malware families
that has been recorded giving access to infections

174
00:17:26,680 --> 00:17:33,640
such as Clop and LockBit, so
Raspberry Robin can be considered as an access

175
00:17:33,640 --> 00:17:38,960
broker agent in this ecosystem, and
one of Raspberry Robin's infection vectors is through

176
00:17:40,079 --> 00:17:45,200
creating malicious LNK files on USB storage
devices, which infect the next machine they're

177
00:17:45,200 --> 00:17:49,960
inserted into. Now, this is
not a primitive malware and it is designed

178
00:17:49,960 --> 00:17:56,920
with an extensive set of anti analysis
mechanisms, and it is interesting to see

179
00:17:56,359 --> 00:18:03,759
that it still bases much of its
initial infections on USB drives, which suggests

180
00:18:03,240 --> 00:18:10,759
that this is still an effective attack
vector. We've also seen reports of nation

181
00:18:10,920 --> 00:18:18,480
state APTs like China-related Camaro Dragon,
that we published research about, and the

182
00:18:18,559 --> 00:18:23,920
Russian-affiliated Shuckworm, which were also
reported to utilize USB drives for infections,

183
00:18:23,960 --> 00:18:30,200
so again, take care, beware.
At the beginning of the episode,

184
00:18:30,400 --> 00:18:34,240
you mentioned that the report covers shifting
infection vectors, so what's going on in

185
00:18:34,279 --> 00:18:41,359
that realm? We've measured a significant
decline in the use of office files for

186
00:18:41,480 --> 00:18:45,920
infection. This is due to Microsoft's
restriction on Office macros, and we have

187
00:18:45,960 --> 00:18:52,359
a separate podcast chapter with Sam Handelman
discussing this. But it's very clear from

188
00:18:52,400 --> 00:18:57,559
our current gateway data that this has
changed the way threat actors act. We

189
00:18:57,599 --> 00:19:04,559
see a drastic drop of eighty to ninety
five percent in the malicious use of Excel

190
00:19:04,640 --> 00:19:11,079
files of different types, and instead
we see previously seldom-used attack vectors like

191
00:19:11,160 --> 00:19:18,640
OneNote files, which, despite being click
intensive, meaning that they require multiple activations by

192
00:19:18,640 --> 00:19:23,519
the user, have been used
to distribute malware like Qbot, Agent Tesla,

193
00:19:23,640 --> 00:19:33,119
RedLine and others. Anything else before
we head off? What else? We

194
00:19:33,200 --> 00:19:40,079
also see further use of various archives
and container files, both password protected and

195
00:19:40,279 --> 00:19:47,279
not. Most popular are ZIP files, which
make up almost thirty percent of email-attached

196
00:19:47,400 --> 00:19:52,119
archives, and RAR files, but also
image and ISO files. We've also seen

197
00:19:52,160 --> 00:19:57,039
an increase of forty five percent of
attached LNK files, and PDF

198
00:19:57,119 --> 00:20:02,839
files are on the rise, so
threat actors like Qbot and many others are

199
00:20:02,880 --> 00:20:10,200
still exploring alternative infection chains to replace
the blocked ones. I think that is

200
00:20:10,240 --> 00:20:14,119
it for this review. There's much
more in the full edition, and you're

201
00:20:14,480 --> 00:20:18,920
very invited to our web page.
And that's it. Thank you, and

202
00:20:18,960 --> 00:20:25,480
I hope to see you next time. That's it for this episode. Thank

203
00:20:25,519 --> 00:20:30,640
you for listening. To find this year's
full mid-year report, visit research dot checkpoint

204
00:20:30,759 --> 00:20:36,240
dot com, and if you click
the CPR podcast channel in the top menu,

205
00:20:36,599 --> 00:20:41,039
you'll find all of our past episodes. CPRadio is produced by PI

206
00:20:41,200 --> 00:20:52,279
Media. Hilas Emish is our producer. See you next episode. Bye bye.
