WEBVTT

1
00:00:01.639 --> 00:00:09.839
Produced by PI Media. Hi,
and welcome to CPR Radio. I'm your

2
00:00:09.839 --> 00:00:17.640
host, Ran Levi. Once a
year, Check Point Research releases a mid-year report,

3
00:00:18.000 --> 00:00:22.640
a summary of the first half of
the calendar year in cybersecurity, including

4
00:00:22.719 --> 00:00:27.399
all of the major changes, trends, and events that defined January through

5
00:00:27.600 --> 00:00:32.159
June. Obviously, a lot happens
in that time, and so the reports

6
00:00:32.439 --> 00:00:37.399
end up rather long, which is
why sometimes we'll do one of these episodes

7
00:00:37.439 --> 00:00:43.320
to summarize not every detail, but
the biggest, most important things you should

8
00:00:43.439 --> 00:00:47.439
know. The interviews are hosted by
Nate Nelson, the writer of our show,

9
00:00:47.799 --> 00:00:53.079
and feature one of Check Point Research's lead
intelligence analysts. This time, a familiar

10
00:00:53.159 --> 00:00:58.280
face: Yoav Arad Pinkas.
So sit back. Over the next twenty

11
00:00:58.280 --> 00:01:00.719
five minutes or so, Nate and Yoav
will give you a brief picture

12
00:01:00.920 --> 00:01:06.439
of the first half of the year
twenty twenty three in case you missed any

13
00:01:06.480 --> 00:01:10.599
of it, or maybe you just
need a refresher. I'll see you at

14
00:01:10.640 --> 00:01:19.879
the end of it. Enjoy.
Hey Yoav, welcome back to the program.

15
00:01:19.079 --> 00:01:23.000
Want to let listeners know what we
have in store for them in this episode.

16
00:01:23.480 --> 00:01:27.920
Hi, Nate, good to be
here again. The last time we

17
00:01:29.000 --> 00:01:34.120
talked, we discussed Check Point Research's twenty
twenty three Annual Report, and this time

18
00:01:34.159 --> 00:01:38.760
we have the twenty twenty three Mid-Year
Report, which we published just a few

19
00:01:38.760 --> 00:01:44.519
weeks ago. This edition is more
concise but has the same general structure as

20
00:01:44.599 --> 00:01:49.959
before, and it is based on
the analysis of anonymized data collected from hundreds

21
00:01:49.959 --> 00:01:57.000
of thousands of gateways of our customers
throughout the world. This data, combined

22
00:01:57.040 --> 00:02:01.560
with OSINT research, gives us a
pretty good picture of the current trends in the

23
00:02:01.840 --> 00:02:07.960
cyber attack scene. So in this
report, we analyze the major trends in

24
00:02:08.039 --> 00:02:15.719
cyber attacks and present the data concerning
the most attacked industries, infection methods,

25
00:02:16.000 --> 00:02:21.879
top malware, and more.
Maybe you can be a little more specific

26
00:02:22.000 --> 00:02:28.599
about exactly what's covered in the report. The report itself includes an analysis of

27
00:02:28.719 --> 00:02:34.800
the ransomware ecosystem and its developments,
which we'll go into in a minute,

28
00:02:34.840 --> 00:02:39.319
but also reviews developments in hacktivism,
and the recent threats in the mobile arena.

29
00:02:40.000 --> 00:02:46.840
We review what is probably going to
be the major theme for which twenty twenty

30
00:02:46.840 --> 00:02:52.840
three will be remembered in history:
the developments in AI and their implications for

31
00:02:52.879 --> 00:02:58.400
the cyber field, and much, much more. Of course, we don't have nearly

32
00:02:58.479 --> 00:03:01.360
enough time to cover every one of
these subjects, so today let's just focus

33
00:03:01.479 --> 00:03:07.000
on a few that we think are
extra important. Firstly, what's happening with

34
00:03:07.319 --> 00:03:14.000
ransomware? So ransomware is still considered
the number one threat for businesses of all

35
00:03:14.080 --> 00:03:20.560
sizes, in the sense of the damage
that it generates, both direct and indirect damages.

36
00:03:21.439 --> 00:03:24.759
These are the ransom payments, but
also loss of business and exposure to

37
00:03:25.000 --> 00:03:34.520
lawsuits, GDPR-related, for both customers and
employees. But it's not just the damages.

38
00:03:35.000 --> 00:03:39.639
It's also more widespread, I think
than you might think. So from analyzing

39
00:03:39.680 --> 00:03:46.759
the cases handled by our incident response
team, we find that almost half of

40
00:03:46.800 --> 00:03:52.759
all the cases that they investigate are
ransomware-related cases. So many of the

41
00:03:52.840 --> 00:03:57.960
smaller incidents we see, if they're
not handled properly, could develop into full

42
00:03:58.000 --> 00:04:02.680
blown ransomware attacks. Now, when
we say ransomware today, we mean not

43
00:04:03.120 --> 00:04:09.879
just an attack where data is
encrypted, but rather that

44
00:04:10.000 --> 00:04:16.199
the motivation behind the attack is to
generate financial profit through the extortion of the

45
00:04:16.279 --> 00:04:23.720
victims. This is now an entire
ecosystem whose main actors are ransomware as a

46
00:04:23.759 --> 00:04:30.040
service, RaaS, threat actors that operate in
a double extortion model. This means that

47
00:04:30.360 --> 00:04:34.519
threat actors like LockBit, Clop and
many others that we'll talk about are the

48
00:04:34.560 --> 00:04:41.360
ones that are responsible for the malware
development, but the actual operation of the

49
00:04:41.399 --> 00:04:47.120
attack is conducted by affiliates. The
affiliates pay for the use or share part

50
00:04:47.120 --> 00:04:53.319
of the revenue with the ransomware as
a service actors, and in return they

51
00:04:53.319 --> 00:04:59.560
can use the ransomware encryptor and other
infrastructure related services, including the reputation of

52
00:04:59.600 --> 00:05:02.839
the ransomware-as-a-
service actors. Yeah, can you expand

53
00:05:02.839 --> 00:05:08.079
on that idea, because I think
it might be strange to those unfamiliar that

54
00:05:08.160 --> 00:05:15.040
ransomware groups would have anything resembling a
good reputation. Ironically, reputation is an

55
00:05:15.120 --> 00:05:21.279
important element in this sector of the crime
industry, since victims who pay large sums

56
00:05:21.279 --> 00:05:28.639
in extortion monies rely on the reputation
of the attacker for receiving decryption keys in

57
00:05:28.720 --> 00:05:33.680
return for their payment. These attacks
normally include two strategies of extortion, both

58
00:05:33.720 --> 00:05:40.920
the encryption of data on the victim
system and stealing the data and threatening

59
00:05:40.959 --> 00:05:47.480
to publish it later. This is
the double element in double extortion. This

60
00:05:47.600 --> 00:05:53.319
model of operation, which is based
on outsourcing the initiative to the affiliates,

61
00:05:53.360 --> 00:05:59.560
has created a competition between ransomware-as-a-
service actors for the attention of affiliates and

62
00:06:00.040 --> 00:06:05.120
how to recruit them, and this
competition in turn pushes for continuous development of

63
00:06:05.160 --> 00:06:12.319
additional features in the ransomware malware and
services. All of this is relevant today,

64
00:06:12.360 --> 00:06:15.439
of course, but it's not new
either. So what's changed in ransomware

65
00:06:15.639 --> 00:06:21.720
in twenty twenty three? One such
important ability that was pushed and added to

66
00:06:21.800 --> 00:06:30.600
many ransomware families this year has been
ransomware versatility to additional operating systems, mostly

67
00:06:30.680 --> 00:06:36.319
Linux. This ability opens the potential
attack surface to many more systems and possible

68
00:06:36.399 --> 00:06:44.399
victims. So Linux-dedicated ransomware is
now offered by LockBit, by Royal,

69
00:06:44.600 --> 00:06:48.680
by Clop, by BianLian, by
Society, and it really has become

70
00:06:49.399 --> 00:06:56.600
the standard for ransomware. Another aspect
that ransomware has been improving in is the

71
00:06:56.759 --> 00:07:00.519
speed of encryption, which has long
been the subject of ransomware advertisements. I

72
00:07:00.560 --> 00:07:06.800
remember two years ago LockBit published an
advertisement with an operational analysis of all available

73
00:07:06.839 --> 00:07:13.800
ransomware payloads, comparing their encryption speeds
and claiming to be the fastest. Why

74
00:07:13.879 --> 00:07:18.519
is this important? Because the faster the
encryption, the less time defenders have to

75
00:07:18.680 --> 00:07:24.959
detect and intercept the attacks, and
the more chance criminals have at encrypting valuable

76
00:07:25.079 --> 00:07:30.920
data. This is also why most
attacks conduct this critical but noisy encryption phase

77
00:07:30.199 --> 00:07:35.680
at non working hours, so the
attacks are mostly during nighttime or weekends or

78
00:07:35.680 --> 00:07:44.120
holidays, and they try to be
as quick as possible. CPR has recently

79
00:07:44.120 --> 00:07:49.800
published an analysis of the fastest encrypting
ransomware, which we dubbed Rorschach, which was

80
00:07:49.920 --> 00:07:57.600
used against an American company. The
average time that attackers now spend in breached

81
00:07:57.639 --> 00:08:01.720
networks is also getting shorter, from
weeks in the past to less than a

82
00:08:01.839 --> 00:08:07.839
day for actors to stay in a
breached network, locate and breach backup servers

83
00:08:09.680 --> 00:08:16.199
or Active Directory. So to summarize, ransomware attackers are targeting previously untouched

84
00:08:16.240 --> 00:08:22.399
operating systems and moving faster than ever. What else? Another aspect that ransomware-as-a-service

85
00:08:22.480 --> 00:08:28.879
providers are working on improving is their
evasion techniques. These are basically all the

86
00:08:28.920 --> 00:08:35.039
features intended to work around security mechanisms. For example, we see that mechanisms

87
00:08:35.120 --> 00:08:43.159
like restarting in safe mode. That's when
the intruding ransomware restarts the machine in safe

88
00:08:43.159 --> 00:08:48.480
mode to exclude most security mechanisms,
so this has become another common feature again

89
00:08:48.519 --> 00:08:54.840
almost as standard. Leading examples are
LockBit, ALPHV, Black Basta,

90
00:08:54.320 --> 00:09:00.759
and AvosLocker. And where have we seen
all these trends bear out? Tell me

91
00:09:00.840 --> 00:09:05.840
about some of the notable attacks that
happened this year. Maybe the trend of

92
00:09:05.919 --> 00:09:11.159
the first half of twenty twenty three
is the mega ransomware attacks, where attackers

93
00:09:11.240 --> 00:09:18.240
breach dozens, sometimes hundreds of companies
in one go. The three largest examples

94
00:09:18.279 --> 00:09:26.039
of this are the LockBit exploitation of
the Cloud fifty one service provider that has

95
00:09:26.120 --> 00:09:31.679
led to the breach of sixty other
companies, and two attacks by Clop,

96
00:09:31.279 --> 00:09:37.879
both targeting file transfer tools. The
first attack was through a service called Go

97
00:09:37.000 --> 00:09:43.039
Anywhere that brought down one hundred and
thirty victims, and the second by exploiting

98
00:09:43.039 --> 00:09:48.480
a zero-day vulnerability in the MOVEit
tool, which is now confirmed to have

99
00:09:48.559 --> 00:09:54.600
taken down, probably, more than
seven hundred companies, including Shell, Deutsche

100
00:09:54.639 --> 00:10:01.320
Bank, British Airways and many, many others. This is a major change from what

101
00:10:01.360 --> 00:10:09.320
we've become used to in this ecosystem.
Until now, there's been the gradual outsourcing of

102
00:10:09.440 --> 00:10:16.600
various parts of the attack operation to
many subcontractors. So affiliates produce the attack,

103
00:10:16.720 --> 00:10:22.200
but they buy infections from initial access
brokers, and the initial access brokers

104
00:10:22.559 --> 00:10:28.279
base their activity on information and leads
they buy in dark web markets where it

105
00:10:28.360 --> 00:10:35.799
is sold by often less technical actors
who operate infostealers. But with mega attacks,

106
00:10:37.000 --> 00:10:43.440
one actor utilizes an expensive zero-day
vulnerability to penetrate multiple victims. This

107
00:10:43.559 --> 00:10:50.840
creates a substantial management challenge for the
threat actor. Just imagine the management of

108
00:10:50.879 --> 00:10:56.240
such an operation. You need to
search the networks of hundreds of companies,

109
00:10:56.320 --> 00:11:00.799
you need to identify important information,
you need to download and store it, you

110
00:11:00.919 --> 00:11:07.000
conduct negotiations, you need to leak
it. It's really a considerable logistical challenge,

111
00:11:07.840 --> 00:11:13.480
and this is probably one of the
reasons why they now skip the encryption

112
00:11:13.600 --> 00:11:20.879
phase altogether and resort to only data
extortion. That means they demand money or else

113
00:11:20.960 --> 00:11:26.440
they would publish the stolen information.
Interestingly, this is the main trend we

114
00:11:26.559 --> 00:11:31.480
recognize and outlined in the previous report
in December, when we noticed that threat

115
00:11:31.519 --> 00:11:37.279
actors started to conduct effective data extortion
without encryption. And these groups are well

116
00:11:37.320 --> 00:11:43.120
equipped to manage gigantic breaches of so
many organizations at once. In an operation of this

117
00:11:43.279 --> 00:11:46.759
magnitude, there are other challenges. For
example, in order to download gigabytes

118
00:11:46.720 --> 00:11:54.399
of data from Tor infrastructure, that could take a relatively long time and

119
00:11:54.480 --> 00:12:01.399
thus makes the extortion threat less effective. And that's why Clop has experimented with

120
00:12:01.480 --> 00:12:05.440
leaking the data not in its onion
infrastructure but rather on the clearnet,

121
00:12:07.080 --> 00:12:11.600
and in August, just a couple
of weeks ago, they transformed their entire

122
00:12:11.679 --> 00:12:16.679
leak infrastructure to torrents. That makes
it both much faster, therefore a more

123
00:12:16.720 --> 00:12:24.559
substantial threat for victims, and more challenging
for law enforcement to take the databases

124
00:12:24.679 --> 00:12:30.360
offline. Anything else before we move
on from the ransomware topic? In

125
00:12:30.399 --> 00:12:35.240
this report, we also publish an
analysis of data scraped from ransomware threat actors'

126
00:12:35.320 --> 00:12:43.519
shame sites. These are the sites
where they publish the identity and leak the

127
00:12:43.639 --> 00:12:48.039
data of non paying victims, so
it's a partial view, but it's still

128
00:12:48.759 --> 00:12:54.200
insightful. So what we routinely do
is we monitor more than one hundred and

129
00:12:54.240 --> 00:13:00.559
seventy onion sites, which are operated by
over one hundred and twenty criminal groups, and

130
00:13:00.679 --> 00:13:03.759
in the first half of twenty twenty
three, these were used to publish the

131
00:13:03.840 --> 00:13:11.399
identity of more than twenty two hundred
victims by nearly fifty active groups. Lockbit

132
00:13:11.639 --> 00:13:18.559
was the most prolific actor, accounting
for more than a quarter of all victims

133
00:13:18.879 --> 00:13:24.320
before the count of Clop's MOVEit
breach, which occurred in May but was

134
00:13:24.320 --> 00:13:30.080
published and added to the victim count
in later months. So Lockbit had the

135
00:13:30.120 --> 00:13:35.919
most victims, and ALPHV, also known
as BlackCat, and Clop followed. ALPHV

136
00:13:37.000 --> 00:13:41.600
is the actor responsible for the
recent breach of MGM Resorts International. In

137
00:13:41.679 --> 00:13:46.559
terms of geographical distribution, we see
that almost half of the victims are US

138
00:13:46.639 --> 00:13:54.279
companies. That could explain the intensive
activity of American law enforcement entities against this

139
00:13:54.759 --> 00:14:01.480
criminal industry. They've led operations like
the Hive ransomware group takedown in January

140
00:14:01.840 --> 00:14:07.200
this year, and lead much of the
international activity. Who, I'm curious, are the

141
00:14:07.279 --> 00:14:11.399
victims of these stories, whether it
be industry, geography, what have you.

142
00:14:13.360 --> 00:14:16.720
Most of the victims are from Western
countries like the US, the UK,

143
00:14:16.039 --> 00:14:22.200
Canada, Italy, Germany and France, but interestingly we had some Russian victims

144
00:14:22.200 --> 00:14:28.039
this year. Now, normally most
of these groups refrained from attacking ex-USSR countries

145
00:14:28.120 --> 00:14:33.879
or just generally Russian language systems,
but we did see now a substantial number

146
00:14:33.879 --> 00:14:41.000
of Russian victim companies. These were
almost exclusively victims of the MalasLocker threat

147
00:14:41.080 --> 00:14:46.559
actor. This group, which emerged
earlier this year, is unique not just

148
00:14:46.600 --> 00:14:50.159
for the identity of its victims,
but also for their extraordinary ransom demand.

149
00:14:50.840 --> 00:14:56.840
The group asks victims to make a
donation to a charity of their choice instead

150
00:14:56.840 --> 00:15:03.679
of paying a ransom payment directly to
the group. On something maybe similar,

151
00:15:03.759 --> 00:15:09.600
we've again extraordinarily seen some Iranian victims
in August. All of them were breached

152
00:15:09.600 --> 00:15:15.399
by a group called Alvin Club,
which is traditionally focused on Iran. Another

153
00:15:15.440 --> 00:15:20.279
interesting finding is the analysis of affected
industries by ransomware. So what we see

154
00:15:20.360 --> 00:15:26.919
is that sectors that cannot or systematically
would not pay ransoms are less affected by it.

155
00:15:28.799 --> 00:15:33.840
So government and military, education and
research institutes, which we find at

156
00:15:33.879 --> 00:15:39.080
the top of our most attacked sector index
when we review general cyber attacks, are

157
00:15:39.120 --> 00:15:46.559
not at the top of the ransomware
victim industry index. They're pushed down in

158
00:15:46.639 --> 00:15:52.320
the ranking of most attacked sectors by
manufacturing companies and retail entities who are more

159
00:15:52.879 --> 00:16:00.759
income oriented and generally more willing to
negotiate and pay ransoms. By US law,

160
00:16:00.799 --> 00:16:06.399
it's forbidden, that is, to
negotiate and pay ransoms. And from

161
00:16:06.399 --> 00:16:11.440
this analysis we can see that as
an industry this principle is actually effective and

162
00:16:11.480 --> 00:16:18.799
we see less of the public sector
at the top of the most attacked ransomware

163
00:16:18.279 --> 00:16:22.600
index. Before we finish up here, Yoav, there is another major trend

164
00:16:22.679 --> 00:16:30.159
that you wanted to talk about.
Another interesting issue we highlight in this

165
00:16:30.240 --> 00:16:37.399
report is the re-emergence of an old
infection method, that of using USB drives.

166
00:16:37.240 --> 00:16:42.080
This is when threat actors either distribute
or send by mail USB devices that have

167
00:16:42.159 --> 00:16:48.639
malicious mechanisms, either automatic or user-
dependent, or even infections that use occasional

168
00:16:48.759 --> 00:16:55.159
USB drives to transfer infections from one
machine to the other. Now, already

169
00:16:55.159 --> 00:17:00.000
in twenty twenty two, the FBI
issued a warning about a campaign aimed at US

170
00:17:00.279 --> 00:17:07.079
defense firms, with the attackers mailing
USB drives loaded with malicious payloads. And

171
00:17:07.680 --> 00:17:11.599
during the past few months, CPR
reviewed a couple of malware families with extensive

172
00:17:11.640 --> 00:17:19.880
exploitation of USB devices. The first
was the Raspberry Robin worm, currently one

173
00:17:19.880 --> 00:17:26.640
of the most widespread multipurpose malware families
that has been recorded giving access to infections

174
00:17:26.680 --> 00:17:33.640
such as Clop and LockBit. So
Raspberry Robin can be considered as an access

175
00:17:33.640 --> 00:17:38.960
broker agent in this ecosystem, and
one of Raspberry Robin's infection vectors is through

176
00:17:40.079 --> 00:17:45.200
creating malicious LNK files on USB storage
devices, which infect the next machine they're

177
00:17:45.200 --> 00:17:49.960
inserted into. Now, this is
not a primitive malware and it is designed

178
00:17:49.960 --> 00:17:56.920
with an extensive set of anti analysis
mechanisms, and it is interesting to see

179
00:17:56.359 --> 00:18:03.759
that it still bases much of its
initial infections on USB drives, which suggests

180
00:18:03.240 --> 00:18:10.759
that this is still an effective attack
vector. We've also seen reports of nation

181
00:18:10.920 --> 00:18:18.480
state APTs like China-related Camaro Dragon,
which we published research about, and the

182
00:18:18.559 --> 00:18:23.920
Russia-affiliated Shuckworm, which were also
reported to utilize USB drives for infections,

183
00:18:23.960 --> 00:18:30.200
so again, take care, beware.
At the beginning of the episode,

184
00:18:30.400 --> 00:18:34.240
you mentioned that the report covers shifting
infection vectors, So what's going on in

185
00:18:34.279 --> 00:18:41.359
that realm? We've measured a significant
decline in the use of office files for

186
00:18:41.480 --> 00:18:45.920
infection. This is due to Microsoft's
restriction on Office macros, and we have

187
00:18:45.960 --> 00:18:52.359
a separate podcast chapter with Sam Handelman
discussing this. But it's very clear from

188
00:18:52.400 --> 00:18:57.559
our current gateway data that this has
changed the way threat actors act. We

189
00:18:57.599 --> 00:19:04.559
see a drastic drop of eighty to ninety
five percent in the malicious use of Excel

190
00:19:04.640 --> 00:19:11.079
files of different types, and instead
we see previously seldom used attack vectors like

191
00:19:11.160 --> 00:19:18.640
OneNote files, which, despite being click-
intensive, meaning that they require multiple activations by

192
00:19:18.640 --> 00:19:23.519
the user, have been used
to distribute malware like Qbot, Agent Tesla,

193
00:19:23.640 --> 00:19:33.119
RedLine and others. Anything else before
we head off? What else? We

194
00:19:33.200 --> 00:19:40.079
also see further use of various archives
and container files, both password protected and

195
00:19:40.279 --> 00:19:47.279
not. Most popular are ZIP files, which
make up almost thirty percent of email attached

196
00:19:47.400 --> 00:19:52.119
archives, and RAR files, but also
IMG and ISO files. We've also seen

197
00:19:52.160 --> 00:19:57.039
an increase of forty five percent of
attached LNK files, and PDF

198
00:19:57.119 --> 00:20:02.839
files are on the rise, so
threat actors like Qbot and many others are

199
00:20:02.880 --> 00:20:10.200
still exploring alternative infection chains to replace
the blocked ones. I think that is

200
00:20:10.240 --> 00:20:14.119
it for this review. There's much
more in the full edition, and you're

201
00:20:14.480 --> 00:20:18.920
very invited to our web page.
And that's it. Thank you, and

202
00:20:18.960 --> 00:20:25.480
I hope to see you next time. That's it for this episode. Thank

203
00:20:25.519 --> 00:20:30.640
you for listening. To find this year's
full mid-year report, visit Research dot checkpoint

204
00:20:30.759 --> 00:20:36.240
dot com, and if you click
the CPR podcast channel in the top menu,

205
00:20:36.599 --> 00:20:41.039
you'll find all of our past episodes. CPR Radio is produced by PI

206
00:20:41.200 --> 00:20:52.279
Media. Hilas Emish is our producer. See you next episode. Bye bye.

