A Grab Bag of Pulse Reports

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 164 of the Recorded Future podcast. I'm Dave Bittner from the CyberWire.

Recorded Future’s Allan Liska is our guest once again this week. This time, he brings a collection of interesting trends and anomalies that he and his team have been tracking. They publish these on the Recorded Future website under the title of “pulse reports.”

We’ll take a closer look at ransomware in international financial institutions, credential leaks in the biotech and pharmaceutical industries, as well as the rise of retail phishing campaigns in the midst of the global pandemic.

Well Allan, it's always great to have you back. We're going to do a little bit of a grab bag episode today here. You and some of your teammates there at Recorded Future have published a series of reports that I believe you're calling “Pulse Reports.”

Allan Liska:

Right. That's correct. It's great to be here Dave. Always love getting a chance to talk to you.

The Pulse Reports are just short, quick hits on trends that we're noticing. They're not anything that we're necessarily doing in-depth analysis on, but they're things that are probably worth mentioning.

Dave Bittner:

Well, let's start off with ... There's one that you all published. This is tracking the rise in retail-focused phishing campaigns while we're in the midst of this pandemic. What's going on here?

Allan Liska:

Normally what you see is in December, you see a big rise in phishing campaigns that use retail lures. Whether that's Macy's, Rolex, Walmart, Amazon, et cetera, you see that big rise, and then it drops in January and February and stays pretty low throughout the year until it gets back to the shopping season again. There are some exceptions, like Amazon is always being used, Apple's always being used, et cetera — the big retail brands. But we've seen a specific rise across the entire retail sector of phishing lures that are designed to look like retail brands, both regular retail brands, so your Walmarts, your Apples, your Amazons, as well as luxury brands, so Rolex ... I don't shop enough luxury to know what all the luxury brands are, but whatever you're thinking, it's those.

And uniquely something we hadn't seen before, phishing lures that are targeting food delivery services and grocery stores, which is a sector we had never seen covered, not covered extensively at least, in these phishing lures. It makes sense. The bad guys are aware of what people are doing, what's going on. And there's been so much chatter about grocery store delivery, food delivery from these food services that the bad guys, the criminals are going to figure out ways to monetize that, and so we would expect to see an increase in that, and it was pretty significant.

Dave Bittner:

How significant was it? What sort of numbers are you tracking here?

Allan Liska:

It's hard to give the level of significance of it for those in particular because it was a non-existing category this time last year. So the fact that we've tracked at least 70 different campaigns using Grubhub numbers, another 70 or more that were using DoorDash, more than a hundred that used Kroger lures, that is a significant jump. It's insignificant compared to the total number of phishing campaigns that we see, but since it was almost non-existent in years prior, the fact that you see such a jump, it makes it significant in terms of percentages.

Dave Bittner:

Now, are they going after credentials trying to get people to log in to a lookalike site?

Allan Liska:

We see some of that, absolutely. We see that combination of, “Hey, go to this site, it's Amazon's log-in, et cetera.” A lot of what we're seeing is just give me your credit card information to make fake purchases, et cetera. So it's that combination of fake sites, and then just ways to get credit card and other data.

Dave Bittner:

Do you see something that would be the, I don't know, the equivalent of a landgrab with these sorts of things? In other words, I'm imagining that due to the pandemic, you have a whole lot of people who are signing up for these sorts of delivery services who have never used them before. Does that trigger the bad guys saying, “I got to get to that opportunity first?”

Allan Liska:

Yes, absolutely. That's exactly what we're seeing is that again, the bad guys follow the trend that they know what is occurring, what people are talking about, essentially what the sentiment is, and they're mimicking that, and they're adapting very quickly. So if suddenly everybody was talking about ordering llamas online, I'm sure we would see bad guys that were taking advantage of that. They're very adaptive, and they've set up their phishing infrastructure so it's very easy just to slap a new skin on top of it. All they have to do is figure out the hook and the lure to be able to send those emails out to people.

Dave Bittner:

Interesting. Another thing that you all are tracking, you've seen a spike in credential leaks in the pharmaceutical and biotech industry. What's going on here?

Allan Liska:

I don't know. This is one of those things where, as an analyst, it drives me nuts because I want to have an explanation for the trends that I see. It makes sense. I understand why the bad guys are engaging in additional phishing lures associated with food delivery and grocery stores. But yes, we've seen a huge spike, a statistically significant spike in the overall percentage of credential leaks that are tied to the biotech and pharmaceutical industries.

The reason that I phrase it that way is that the number of credential leaks we see can vary greatly from month to month. One month we might see six million credential leaks. The next month we might see a hundred million depending on who's doing dumps, whether they're considered new credential leaks, or that it's just rehashing of existing credential leaks, et cetera. So what I look at is, I look at the percentages.

Overall the biotech and pharmaceutical industry accounted for about 0.03 percent of all credential leaks. That was pretty consistent across the board up until November, when that number spiked to over one percent, then it dropped down to 0.3 percent in December, and then it went back up in January, February and March. April was flat. And then May, which numbers we just got, were back up there, back to 0.07 percent. So overall it's a very small percentage of the leak credentials, but it's still statistically significant that we're seeing that kind of jump in these credentials.

Dave Bittner:

Yeah, that's fascinating. My first thought and I'm sure it was yours too, is that was there some dump of a database full of people who are in pharmaceutical and biotech that got peppered throughout all of the normal places folks get credentials?

Allan Liska:

Right. And that's what I was looking for. But we haven't seen anything like that. We haven't seen a data breach notification or anything like that from these companies.

The other thought is we know that there's an increase in nation-state activity targeting pharmaceutical and biotech companies, because they're looking for information about COVID-19 vaccines and treatments, et cetera. But that doesn't explain why it started in November because we really haven't seen much ... The malicious activity that we saw picked up in February, March, April, which would make sense, but why all the way back in November. And then also, generally when you talk about nation-states, and it's hard to make generalizations across multiple nation-states, but generally nation-states don't leak credentials. They get credentials and they keep credentials; they generally don't leak them though.

Dave Bittner:

What about these stories we hear where you have folks who are by day working for nation-states and then by night freelancing, is that a possibility here?

Allan Liska:

That's an interesting idea, and I hadn't considered that. That is certainly a possibility, like if your day job is to go after the pharmaceutical industry, you may take those credentials you've stolen and used in your job operation, and then turn around and sell them on the dark web. It doesn't account for the November spike, because again, we didn't see these organizations heavily targeted until late January, early February area. On the other hand, there's been reporting that U.S. intelligence services were warning about the pandemic as early as November. So maybe just because we don't know about it it doesn't mean that it wasn't actually happening back then.

It's one of those things where, as an analyst, I can't make that generalization because I don't have anything to connect those dots, anything public.

Dave Bittner:

How often does it happen for you as an analyst where months might go by, years might go by, and then in retrospect perhaps some information comes back and you can look back on this thing that seemed to be an anomaly at the time and have new clarity on it?

Allan Liska:

It happens all the time. One of the things about being an analyst versus say a pundit on television, is I don't get to just make things up out of whole cloth.

Dave Bittner:

Well, you get to do it once, right?

Allan Liska:

Yeah exactly. You get one time, so make sure it's a good one.

I need to be able to back up what I say. That's why we use things like low confidence, medium confidence, high confidence, and why I can't even rate any of these theories as even low confidence, because I don't have any corroborating data to back it up. But I've definitely seen that where I'll see something happen six months from now and there'll be, “Oh, that explains that trend that I saw six months ago.” Now it all makes sense. We see this all the time where we have a really good idea that we're working on, we pool all the available data and it turns out that yeah, we actually don't have anything.

A great example is it appears there's been a lot more reporting on zero days. In general, across the board, it looks like based on reporting that the number of zero-day exploits have increased pretty significantly over the last six to eight months. We actually ran the numbers internally, and actually the number of zero days that are being released has been pretty consistent all the way up through the end of April at least, which is the last time we ran the number. So there may be an impression that there are more zero days out there because there may be more press coverage or for whatever reason, but it turns out the numbers actually have been fairly consistent. That's a week's worth of research and we actually don't have anything we can write up on that.

Dave Bittner:

I suppose too, that this points out the importance of even putting this information out there when you may not have a good explanation for it, because there might be another analyst somewhere who has a different piece of the puzzle and your information could be the piece that provides them with clarity.

Allan Liska:

Oh, absolutely. I'm a big, big fan of information sharing. I've worked closely with analysts at FireEye, at Anomali, at so many other intelligence companies, because they'll have some view of the data set, we'll have another view, and being able to tie them together absolutely can provide clarity that we just don't have, or they don't have.

Dave Bittner:

The other thing that you all have been tracking is an increase in ransomware at some financial institutions that are outside of the U.S..

Allan Liska:

I don't think this will come as a big shock to really anybody, but I wanted to codify the numbers if it was at all possible. We know that ransomware attackers love going after financial institutions, and the reason is the same reason that bank robbers used to go after banks is because that's where the money is.

For example, we see a lot of attacks against SWIFT and SWIFT transactions, and so on. We specifically wanted to look at ransomware. We know that ransomware attacks have been down ... One of the few segments they've been down in the United States is against financial institutions, and it's simply because of the investment that U.S. financial institutions have made in ransomware prevention techniques. We looked at the rest of the world and we actually have seen an increase in attacks against financial institutions in the rest of the world.

Just going from April of 2019 to April of 2020, we were able to track over 200 of these ransomware attacks against financial institutions outside of the U.S. Now outside of the U.S. is a pretty big broad term, and I realize that, but I wanted to just start somewhere to see what the data looked like. What was really interesting is that they seem to be on the increase. So as we've gotten closer into 2020, there seemed to be more of the attacks than there were in 2019.

Dave Bittner:

Yeah. Any insights here? Could it be as simple as folks in the U.S. are hardening their defenses, so there's low hanging fruit to be had elsewhere?

Allan Liska:

That's exactly it. Financial institutions are always a target for ransomware actors, but because financial institutions in the U.S. have really strengthened their defenses, they're looking elsewhere. The bad guys are looking elsewhere for targets, and they're finding them overseas. Keep in mind when I say financial institutions, I don't always mean banks, because even overseas, most banks are actually pretty hardened as well. I am talking about things like Travelex, which obviously late December, January, that was a big one. Eurofins is another one that was hit.

Those bank adjacent institutions are also being targeted again, for the same reason that banks have a pretty hardened infrastructure, but some of these other bank adjacent financial institutions do not.

Dave Bittner:

Alright. Well Allan Liska, thanks for joining us. These are the Pulse Reports. You can find them over on the Recorded Future website. Always a pleasure to talk to you Allan.

Allan Liska:

Dave it's always great to talk to you. Thank you very much.

Dave Bittner:

Our thanks to Recorded Future's Allan Liska for joining us.

Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Caitlin Mattingly, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I'm Dave Bittner.

Thanks for listening.