The Week in Ransomware – January 21st 2022

It has been quite a busy week with ransomware, with law enforcement making arrests, data-wiping attacks, and the return of the Qlocker ransomware.

This week’s biggest news is Russia’s arrest of fourteen suspected members of the REvil ransomware operation. In addition, a senior Biden administration official said that one of the fourteen suspects is responsible for the Colonial Pipeline ransomware attack.

Europol also conducted a law enforcement operation against VPNLab, a platform commonly used by ransomware gangs. Law enforcement operatives seized 15 servers used by the VPNLab.net service and took down its main site, making the platform no longer available.

While it was a good week for law enforcement, sadly, new attacks were discovered.

Microsoft disclosed attacks on Ukrainian organizations using data-wiping malware disguised as ransomware. The malware is named “WhisperGate,” and Ukrainian officials have attributed it to the Russian government, either directly or acting at its behest.

For consumers and small businesses, we saw the unfortunate return of Qlocker, notorious ransomware that encrypted thousands of QNAP NAS devices last year.

Finally, research released by security companies this week links White Rabbit ransomware to the FIN8 hackers, offers new analysis of the BlackCat/AlphV and Avaddon ransomware operations, and covers the FBI linking Diavol to the TrickBot Group.

Contributors and those who provided new ransomware information and stories this week include: @serghei, @VK_Intel, @billtoulas, @struppigel, @Ionut_Ilascu, @malwareforme, @jorntvdw, @Seifreed, @FourOctets, @PolarToffee, @DanielGallagher, @malwrhunterteam, @fwosar, @LawrenceAbrams, @BleepinComputer, @demonslay335, @fbgwls245, @Amigo_A_, @JakubKroustek, @pcrisk, @TrendMicro, @LabsSentinel, @MsftSecIntel, @Mandiant, and @GrujaRS.

January 15th 2022

Qlocker ransomware returns to target QNAP NAS devices worldwide

Threat actors behind the Qlocker ransomware are once again targeting Internet-exposed QNAP Network Attached Storage (NAS) devices worldwide.

Russia charges 8 suspected REvil ransomware gang members

Eight members of the REvil ransomware operation that have been detained by Russian officers are currently facing criminal charges for their illegal activity.

January 16th 2022

Microsoft: Fake ransomware targets Ukraine in data-wiping attacks

Microsoft is warning of destructive data-wiping malware disguised as ransomware being used in attacks against multiple organizations in Ukraine.

January 17th 2022

New STOP ransomware variants

PCrisk found two new STOP ransomware variants that append the .vfgj and .fhkf extensions.

New Chaos Ransomware variant

dnwls0719 found a new Chaos ransomware variant that appends the .AZ extension.

January 18th 2022

New White Rabbit ransomware linked to FIN8 hacking group

A new ransomware family called ‘White Rabbit’ appeared in the wild recently, and according to recent research findings, could be a side-operation of the FIN8 hacking group.

Fashion giant Moncler confirms data breach after ransomware attack

Italian luxury fashion giant Moncler confirmed that they suffered a data breach after files were stolen by the AlphV/BlackCat ransomware operation in December and published today on the dark web.

Europol shuts down VPN service used by ransomware groups

Law enforcement authorities from 10 countries took down VPNLab.net, a VPN service provider used by ransomware operators and malware actors.

BlackCat Ransomware | Highly-Configurable, Rust-Driven RaaS On The Prowl For Victims

BlackCat (aka AlphaVM, AlphaV) is a newly established RaaS (Ransomware as a Service) with payloads written in Rust. While BlackCat is not the first ransomware written in the Rust language, it joins a small (yet growing) sliver of the malware landscape making use of this popular cross-platform language.

New Dharma Ransomware variant

dnwls0719 found a new Dharma ransomware variant that appends the .MTX extension.

January 19th 2022

Marketing giant RRD confirms data theft in Conti ransomware attack

RR Donnelly has confirmed that threat actors stole data in a December cyberattack, which BleepingComputer has confirmed was a Conti ransomware attack.

One Source to Rule Them All: Chasing AVADDON Ransomware

This blog post explores activity, similarities and overlaps between multiple ransomware families related to AVADDON ransomware, serving as a case study to understand how ransomware operators think and continue to turn a profit in a constantly evolving cybercrime ecosystem.

New Dharma ransomware variant

PCrisk found a new Dharma ransomware variant that appends the .cip extension.

January 20th 2022

FBI links Diavol ransomware to the TrickBot cybercrime group

The FBI has formally linked the Diavol ransomware operation to the TrickBot Group, the malware developers behind the notorious TrickBot banking trojan.

New STOP Ransomware variant

Jakub Kroustek found a new STOP ransomware variant that appends the .maak extension.

New Trap ransomware discovered

Amigo-A spotted the new Trap ransomware that appends the .trap extension and drops a ransom note named RESTORE.txt.

New Makop ransomware variant

GrujaRS found a new Makop ransomware variant that appends the .factfull extension.

January 21st 2022

New Phobos ransomware variant

PCrisk found a new Phobos ransomware variant that appends the .ELBOW extension.

That’s it for this week! Hope everyone has a nice weekend!


Cybercriminals are increasingly using info-stealing malware to target victims

Cybercriminals are increasingly shifting from automated scam-as-a-service to more advanced info-stealer malware distribution as competition for resources increases and they look for new ways to make profits, according to a report by Group-IB.

The cybersecurity company has identified 34 Russian-speaking groups distributing info-stealing malware under the stealer-as-a-service model.

Info stealer malware collects users’ credentials stored in browsers, gaming accounts, email services, social media, bank card details, and crypto wallet information from infected computers, and sends the data to the malware operator. This data is then sold or used for fraud on the dark web. 

The identified threat actors coordinate via Telegram groups to conduct their operations. The low entry barrier and a fully automated process make the scheme popular among beginners.

“Beginners do not need to have advanced technical knowledge as the process is fully automated and the worker’s only task is to create a file with a stealer in the Telegram bot and drive traffic to it,” Group-IB noted. 

Substantial malware increase in 2022

Telegram groups and bots designed to distribute info stealers first appeared in early 2021, according to Group-IB’s Digital Risk Protection team. However, a substantial increase was observed in the first seven months of this year, with more than 890,000 devices infected across 111 countries. This is almost twice the number of infected devices in 2021, when 538,000 devices were compromised.

In the first seven months of this year, threat actors stole over 50 million passwords, 2 billion cookie files, details of 103,150 bank cards, and data from 113,204 crypto wallets. 

“The underground market value of just the stolen logs and compromised card details is around $5.8 million,” Group-IB estimates. 

Paypal and Amazon were the most targeted services, with Paypal accounting for more than 16% and Amazon for more than 13% of the attacks. 

However, cases of stealing passwords for gaming services such as Steam, EpicGames, and Roblox have increased almost five-fold, the report noted.

The top five most attacked countries are the United States, Brazil, India, Germany, and Indonesia.

RedLine and Raccoon stealers used the most

Among the 34 groups examined, the most used stealer was RedLine, which was used by 23 groups, while the second most used tool was Raccoon, used by eight groups. Custom stealers were found to be used by three groups, Group-IB noted.

Group members are provided with the tools in exchange for either a share of the stolen data or money.

“However, the malware in question is offered for rent on the dark web for $150-$200 per month. Some groups use 3 stealers at the same time, while others have only one stealer in their arsenal,” the report said. 

On average, the 34 identified info-stealer distributor groups on Telegram have 200 active members each. The task of the group members is to drive traffic to bait scam websites impersonating well-known companies and convince victims to download malicious files.

“Cybercriminals embed links for downloading stealers into video reviews of popular games on YouTube, into mining software or NFT files on specialized forums and direct communication with NFT artists, and into lucky draws and lotteries on social media,” Group-IB noted. 

Safeguarding against the attacks

To prevent such attacks, Group-IB recommends that users avoid downloading software from suspicious sources, use isolated virtual machines or alternative operating systems for installation, stop saving passwords in browsers, and regularly clear browser cookies. 

It also recommends that companies take a proactive approach to digital security and use modern technologies for monitoring and responding to attacks.

Copyright © 2022 IDG Communications, Inc.


EPSS explained: How does it compare to CVSS?

The Common Vulnerability Scoring System (CVSS) is the most frequently cited rating system for assessing the severity of security vulnerabilities. It has been criticized, however, as not being appropriate for assessing and prioritizing the risk those vulnerabilities pose. For this reason, some have called for using the Exploit Prediction Scoring System (EPSS), or combining CVSS and EPSS, to make vulnerability metrics more actionable and efficient. Like CVSS, EPSS is governed by the Forum of Incident Response and Security Teams (FIRST).

EPSS definition

EPSS prides itself on being an open and data-driven effort that aims to estimate the probability that a software vulnerability will be exploited in the wild. CVSS focuses on the innate characteristics of vulnerabilities culminating in a severity score. The severity score alone doesn’t indicate a likelihood of exploitation, which is critical information for vulnerability management professionals who need to prioritize their vulnerability remediation and mitigation efforts to maximize their impact on reducing organizational risk.

EPSS has a special interest group (SIG) that is open to the public for those interested in participating in the effort. EPSS is volunteer driven and led by researchers, security practitioners, academics, and government personnel. Despite this collaborative, industry-driven approach, FIRST owns the rights to update the model and the associated guidance as the organization sees fit, and does so. The group boasts chairs and creators from organizations such as RAND, Cyentia, Virginia Tech, and Kenna Security, among many members from a variety of organizations. EPSS has several related papers that dive into associated topics such as attack prediction, vulnerability modeling and disclosure, and software exploitation.

The EPSS model 

EPSS aims to help security practitioners and their organizations improve vulnerability prioritization efforts. There are an exponentially growing number of vulnerabilities in today’s digital landscape and that number is increasing due to factors such as the increased digitization of systems and society, increased scrutiny of digital products, and improved research and reporting capabilities.

Organizations generally can only fix between 5% and 20% of vulnerabilities each month, EPSS claims, while fewer than 10% of published vulnerabilities are ever known to be exploited in the wild. Longstanding workforce issues are also at play: the annual ISC2 Cybersecurity Workforce Study shows a shortage exceeding two million cybersecurity professionals globally. These factors warrant a coherent and effective approach to prioritizing the vulnerabilities that pose the highest risk to the organization, so that limited resources and time are not wasted.

The EPSS model aims to provide some support by producing probability scores that a vulnerability will be exploited in the next 30 days and the scores range between 0 and 1 or 0% and 100%. To provide these scores and projections, EPSS uses data from sources such as the MITRE CVE list, data about CVEs such as days since publication, and observations from exploitation-in-the-wild activity from security vendors such as AlienVault and Fortinet. 

The EPSS team published data supporting their approach of combining CVSS scores with EPSS scoring data to drive more effective vulnerability remediation. For example, many organizations mandate that vulnerabilities with a CVSS score at or above a given value, such as 7, must be remediated. However, this prioritizes remediation on the CVSS score alone, not on whether the vulnerability is known to be exploited. Coupling EPSS with CVSS is more effective because it prioritizes vulnerabilities on both their severity rating and whether they are known to be actively exploited, letting organizations address the CVEs that pose the greatest risk to them.

EPSS focuses on two core metrics: efficiency and coverage. Efficiency measures how well remediation resources are spent, as the percentage of remediated vulnerabilities that were actually exploited. EPSS points out that it is more efficient to spend most of an organization’s resources remediating known-exploited vulnerabilities than vulnerabilities selected only by CVSS severity score. Coverage is the percentage of exploited vulnerabilities that were remediated.

To demonstrate the efficiency of their proposed approach, EPSS conducted a study in 2021 evaluating CVSS v3 base scores and EPSS v1 and EPSS v2 data over a 30-day period to determine the total number of CVEs, the number of remediated CVEs, and the number of exploited CVEs.

First, the study showed that most CVEs aren’t remediated. Second, the exploited CVEs that are remediated are only a subset of the total remediated CVEs. This means that organizations don’t remediate most CVEs, and among those they do remediate, many aren’t known to be actively exploited and potentially don’t pose the greatest risk.

The study also demonstrates that EPSS v2 further improves the efficiency of vulnerability remediation efforts by maximizing the percentage of exploited vulnerabilities that are remediated. When organizations face shortages of cybersecurity practitioners, it is crucial to maximize return on investment by focusing those practitioners on the vulnerabilities that pose the greatest risk to the organization. Ultimately, EPSS is trying to help organizations make more efficient use of their limited resources and improve their effectiveness at driving down organizational risk.
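To make the efficiency and coverage metrics described above concrete, the following added example (not from the article, FIRST or the EPSS project) scores several remediation policies against a constructed set of hypothetical CVE records; the CVE identifiers, scores and exploitation flags are all made up for illustration.

```python
"""Efficiency and coverage of vulnerability remediation policies.

Added example, not from the article or from FIRST/EPSS. It scores
hypothetical remediation policies the way the article describes:
  efficiency = exploited-and-remediated / remediated
  coverage   = exploited-and-remediated / exploited
The CVE records below are constructed sample data with placeholder ids.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List


@dataclass(frozen=True)
class Vuln:
    cve: str         # placeholder identifier, not a real CVE number
    cvss: float      # CVSS v3 base score, 0.0 to 10.0
    epss: float      # EPSS probability of exploitation within 30 days, 0.0 to 1.0
    exploited: bool  # ground truth: exploitation observed during the window


# Constructed sample: high CVSS does not imply exploitation, and one exploited
# record (0008) carries a low EPSS score, modelling a miss by the prediction.
SAMPLE: List[Vuln] = [
    Vuln("CVE-XXXX-0001", 9.8, 0.92, True),
    Vuln("CVE-XXXX-0002", 9.1, 0.03, False),
    Vuln("CVE-XXXX-0003", 8.8, 0.01, False),
    Vuln("CVE-XXXX-0004", 7.5, 0.45, True),
    Vuln("CVE-XXXX-0005", 7.2, 0.02, False),
    Vuln("CVE-XXXX-0006", 6.5, 0.71, True),
    Vuln("CVE-XXXX-0007", 5.3, 0.55, False),
    Vuln("CVE-XXXX-0008", 4.3, 0.05, True),
    Vuln("CVE-XXXX-0009", 5.9, 0.60, True),
    Vuln("CVE-XXXX-0010", 3.1, 0.01, False),
]

Policy = Callable[[Vuln], bool]


def cvss_policy(threshold: float = 7.0) -> Policy:
    """The common mandate: remediate everything scored at or above a CVSS value."""
    return lambda v: v.cvss >= threshold


def epss_policy(threshold: float) -> Policy:
    """Remediate everything whose EPSS probability reaches the threshold."""
    return lambda v: v.epss >= threshold


def combined_policy(cvss_min: float, epss_min: float) -> Policy:
    """Remediate only what is both severe (CVSS) and likely to be exploited (EPSS)."""
    return lambda v: v.cvss >= cvss_min and v.epss >= epss_min


def top_n_policy(vulns: Iterable[Vuln], key: Callable[[Vuln], float], n: int) -> Policy:
    """Fixed monthly budget: remediate only the n highest-ranked items by `key`."""
    chosen = {v.cve for v in sorted(vulns, key=key, reverse=True)[:n]}
    return lambda v: v.cve in chosen


def evaluate(vulns: Iterable[Vuln], policy: Policy) -> Dict[str, float]:
    """Apply a policy and report remediated count, efficiency and coverage."""
    vulns = list(vulns)
    remediated = [v for v in vulns if policy(v)]
    exploited = [v for v in vulns if v.exploited]
    hits = [v for v in remediated if v.exploited]
    return {
        "remediated": len(remediated),
        "exploited_remediated": len(hits),
        "efficiency": len(hits) / len(remediated) if remediated else 0.0,
        "coverage": len(hits) / len(exploited) if exploited else 0.0,
    }


if __name__ == "__main__":
    policies = {
        "CVSS >= 7.0": cvss_policy(7.0),
        "EPSS >= 0.4": epss_policy(0.4),
        "CVSS >= 7.0 and EPSS >= 0.4": combined_policy(7.0, 0.4),
        "top 3 by CVSS": top_n_policy(SAMPLE, lambda v: v.cvss, 3),
        "top 3 by EPSS": top_n_policy(SAMPLE, lambda v: v.epss, 3),
    }
    for name, policy in policies.items():
        r = evaluate(SAMPLE, policy)
        print(f"{name:30s} fixed={r['remediated']:2d} "
              f"efficiency={r['efficiency']:.2f} coverage={r['coverage']:.2f}")
```

On this sample the CVSS-only mandate fixes five items for 40% efficiency and 40% coverage, while ranking by EPSS under a three-item budget reaches 100% efficiency and 60% coverage; the combined policy shows the trade-off, with perfect efficiency but lower coverage because it skips exploited items scored below CVSS 7.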

EPSS shortcomings

Like CVSS, EPSS has its critics in industry and academia. One article, titled Probably Don’t Rely on EPSS Yet, comes from the blog of Carnegie Mellon University’s Software Engineering Institute (SEI). SEI had earlier published a paper titled Towards Improving CVSS, which laid out some sharp criticisms of CVSS; EPSS originated shortly after that publication.

The primary criticisms leveled by the article are EPSS’s opacity and issues with its data and outputs. The article notes that it isn’t clear what EPSS’s development processes, governance, or intended audience are. EPSS relies on pre-existing CVE IDs, so it wouldn’t be helpful for entities such as software suppliers, incident response teams, or bug bounty groups, because many of the vulnerabilities these groups deal with don’t have CVE IDs yet and might never receive them. EPSS also wouldn’t help with zero-day vulnerabilities, which gain visibility while exploitation is already underway and have no CVE ID.

The blog author also raises concerns about the openness and transparency of EPSS. While EPSS dubs itself an open and data-driven effort and has a public SIG, it and FIRST retain the right to change the site and model at any time without explanation. Even SIG members have no access to the code or data the underlying EPSS model uses. The SIG itself has no oversight or governance of the model, and the process by which the model is updated or modified isn’t transparent to the public, let alone SIG members. The article points out that the EPSS model and data could also be pulled back from the public domain given it is governed and managed by FIRST. 

The article notes that EPSS focuses on the probability that a vulnerability will be exploited in the next 30 days, but this requires a few fundamental things to exist for it to be projected. They include an existing CVE ID in the NVD with an associated CVSS v3 vector value, an IDS signature tied to an active attempted exploit of the CVE ID, contribution from AlienVault or Fortinet, and the model itself tied to the next 30 days.

As the author pointed out, only 10% of vulnerabilities with CVE IDs have accompanying IDS signatures, meaning exploitation of the other 90% may go undetected. This also creates a dependency on Fortinet and AlienVault with regard to IDS sensors and the associated data, which could be mitigated to some extent by further involvement from the broader security vendor community. While data from Fortinet and AlienVault is useful, it doesn’t represent the entire threat landscape or the perspectives of other major security vendors that could contribute to estimating exploitation probability.

While these are valid critiques, using EPSS gives organizations an opportunity to make the most of their scarce security resources to drive down organizational risk. Focusing on vulnerabilities with the highest probability of exploitation lets organizations make investments that have the highest chance to mitigate malicious actors and minimize friction on development teams.


DUCKTAIL malware campaign targeting Facebook business and ads accounts is back

A group of attackers, likely based in Vietnam, that specializes in targeting employees with potential access to Facebook business and ads management accounts, has re-emerged with changes to its infrastructure, malware, and modus operandi after being initially outed a few months ago.

Dubbed DUCKTAIL by researchers from WithSecure, the group uses spear phishing to target individuals on LinkedIn who have job descriptions that could suggest they have access to manage Facebook business accounts. More recently, the attackers were also observed targeting victims via WhatsApp. The compromised Facebook business accounts are used to run ads on the platform for attackers’ financial gain.

DUCKTAIL attackers do their research

The account abuse is achieved using a victim’s browser through a malware program delivered under the guise of documents related to brands, products, and project planning. The attackers first build a list of companies that have business pages on Facebook. They then search for employees on LinkedIn and other sources who work for those companies and have job titles that could provide them with access to those business pages. These include managerial, digital marketing, digital media, and human resource roles.

The final step is to send them a link to an archive that contains the malware masquerading as a .pdf, alongside images and videos that appear to be part of the same project. Some of the file names seen by the researchers include “project development plan,” “project information,” “products,” and “new project L’Oréal budget business plan.” Some of the files included country names, suggesting the attackers customize them for each victim and country based on their reconnaissance. The identified victims were spread around the world, so the attackers don’t target one particular region.

It’s believed the DUCKTAIL group has been operating this campaign since the second half of 2021. After WithSecure exposed their operation in August this year, the operation stopped and the attackers reworked some of their toolset.

Attackers switch to GlobalSign as certificate authority

Malware samples analyzed earlier this year were digitally signed with a legitimate code signing certificate obtained from Sectigo in the name of a Vietnamese company. Since that certificate has been reported and revoked, the attackers have switched to GlobalSign as their certificate authority. While they continued to request certificates from multiple CAs in the name of the original company, they’ve also set up six other businesses, all Vietnamese, and have obtained code signing certificates using three of them. Code signing certificates require extended validation (EV), in which the identity of the applicant is verified through various documents.

“At the time of writing, the threat actor has adapted to certificate revocations by utilizing timestamping as a countersignature method through DigiCert,” the WithSecure researchers said in a new report released this week.

The DUCKTAIL malware samples seen in late 2021 were written in .NET Core and were compiled using the framework’s single-file feature, which bundles all the required libraries and files into a single executable file, including the main assembly. This ensures the malware can be executed on any Windows computer regardless of whether it has the .NET runtime installed or not. Since August 2022, when the campaign halted, the WithSecure researchers observed multiple development DUCKTAIL samples uploaded to VirusTotal from Vietnam.

One of the samples was compiled using the NativeAOT feature of .NET 7, which provides capabilities similar to the single-file feature of .NET Core while allowing binaries to be compiled natively ahead of time. However, NativeAOT has limited support for third-party libraries, so the attackers reverted to .NET Core.

The bad actors have been experimenting

Other experimentation was observed as well: anti-analysis code from a GitHub project that was included but never actually turned on, the capability of receiving a list of email addresses as a .txt file from the command-and-control server instead of hardcoding them in the malware, and launching a dummy file when the malware is executed to make the user less suspicious (document (.docx), spreadsheet (.xlsx), and video (.mp4) dummy files were observed).

The attackers are also testing multistage loaders to deploy malware, such as an Excel add-in file (.xll), which extracts a secondary loader from an encrypted blob and then finally downloads the infostealer malware. The researchers also identified a downloader written in .NET that they associate with high confidence to DUCKTAIL, which executes a PowerShell command that downloads the infostealer from Discord.

The infostealer malware uses Telegram channels for command and control. The attackers have better locked down these channels since they were outed in August and some channels now have multiple administrators, which could suggest they are running an affiliate program similar to ransomware gangs. “This is further strengthened by increased chat activity and the new file encryption mechanism that ensures only certain users will be able to decrypt certain exfiltrated files,” the researchers say.

Browser hijacking

Once deployed, the DUCKTAIL malware scans for browsers installed on the system and the path to their cookie storage. It then steals all the stored cookies, including any Facebook session cookie stored inside. A session cookie is a small identifier that a website sets in the browser after successful authentication so that the user remains logged in for a period of time without re-entering credentials.

The malware uses the Facebook session cookie to interact with Facebook pages directly or to send requests to the Facebook Graph API to obtain information. This information includes name, email, birthday, and user ID for personal accounts; name, verification status, ad limit, pending users and clients from Facebook business pages to which the personal accounts have access; name, ID, account status, ads payment cycle, currency, adtrust DSL, and amount spent for any associated Facebook Ads accounts.

The malware also checks whether two-factor authentication is enabled for the hijacked accounts and uses the active session to obtain backup codes for the 2FA when enabled. “Information stolen from the victim’s machine also allows the threat actor to attempt these activities (as well as other malicious activities) from outside the victim’s machine,” the researchers said. “Information such as stolen session cookies, access tokens, 2FA codes, user agents, IP address and geolocation, as well as general account information (such as name and birthday) could be used to cloak and impersonate the victim.”

The malware then attempts to add attacker-controlled email addresses to the hijacked Facebook business accounts with the highest possible roles: admin and finance editor. According to Facebook owner Meta’s documentation, admins have full control over the account, while finance editors have control over credit card information stored in the account as well as transactions, invoices, and spending on the account. They can also add external businesses to stored credit cards and monthly invoices, allowing those businesses to use the same payment method.

Impersonating legitimate account manager identities

“In instances where the targeted victims did not have sufficient access to allow the malware to add the threat actor’s email addresses into the intended business accounts, the threat actor relied on the information that was exfiltrated from the victims’ machines and Facebook accounts to impersonate them and achieve their post-compromise objectives via hands-on activity,” the researchers said in their new report.

In one instance that WithSecure incident responders investigated, the victim used an Apple machine and had never logged into Facebook from a Windows computer. No malware was found on the system and the initial access vector could not be determined. It’s unclear if this was related to DUCKTAIL, but the researchers established that the attackers were also from Vietnam.

Facebook Business administrators are advised to regularly review users added under Business Manager > Settings > People and revoke access to any unknown users granted admin access or finance editor roles.

“Across our investigations, WithSecure Incident Response team found that business history logs and targeted individuals’ Facebook data were relevant to analysis of the incident,” the researchers said. “However, for logs relating to the individual’s Facebook account, inconsistencies are widely present between what is visible on the web portal compared to what you would get if you were to download a copy of your data. As a recommendation to other investigators, the WithSecure Incident Response team strongly recommends capturing a local copy of business history logs as soon as possible and requesting a copy of user data for their account.”
