Cyber Security

‘White Rabbit’ Ransomware May Be FIN8 Tool



It’s a double-extortion play that uses the command-line password ‘KissMe’ to hide its nasty acts and adorns its ransom note with cutesy ASCII bunny art.

A new ransomware family, White Rabbit, chewed through a local U.S. bank last month — and it may be connected to the financially motivated advanced persistent threat (APT) group known as FIN8, researchers said.

In a Tuesday report, Trend Micro researchers said that this twicky wabbit knows how to burrow away where it can’t be spotted. In fact, it looks like the operators behind the White Rabbit ransomware have taken a page from the more established ransomware family known as Egregor when it comes to hiding their malicious activity, researchers said.

Egregor, which claimed responsibility for a well-publicized cyberattack on Barnes & Noble in October 2020, is a ransomware-as-a-service (RaaS) player that sparked an FBI warning after compromising more than 150 organizations in short order after its birth.

White Rabbit may be sneaky, but it leaves tracks. The ransomware was spotted by multiple security outfits, and was first detected on Dec. 14 by the Lodestone Forensic Investigations team, which said that it had seen some White Rabbit activity a few days earlier, on Dec. 11.

But the earliest stirrings date back to July 10, when a PowerShell script was executed – a script that held script blocks that matched those described in a July 27 Bitdefender article on FIN8.

The Dec. 14 White Rabbit attack was also publicly disclosed on Twitter that same day by security researcher Michael Gillespie (@demonslay355).

Gillespie included a link to the ransom note, which includes cutesy bunny ASCII art. The note warns victims that if they’re reading it, their network infrastructure has been compromised, their critical data has leaked and their files are encrypted. In other words, the newcomer is using the same double-extortion shtick used by a skyrocketing number of RaaS players, threatening targets that their stolen data isn’t just encrypted but will also be published or sold.

Ransom note. Source: Gillespie’s upload to PasteBin.

Command-Line Password ‘KissMe’ Used to Hide Bad Acts

It gets cutesy-wutesy-er: Trend Micro researchers said that one of the most notable aspects of the new ransomware’s attack is the use of a specific command-line password to decrypt its internal configuration and launch its ransomware routine. In the particular case that they came across, that password is “KissMe,” as shown in the SysTracer screen capture below. SysTracer is a system utility tool that sniffs out changed data in a system’s registry and files.

Command line, showing the password “KissMe,” used to execute the ransomware. Source: Trend Micro.

“This method of hiding malicious activity is a trick that the ransomware family Egregor uses to hide malware techniques from analysis,” the Trend Micro researchers pointed out, adding that “other samples might use a different password” than KissMe.

The SysTracer image also shows the arguments accepted by the ransomware, which, researchers surmised, stand in for:

  • -p: password/passphrase
  • -f: file to be encrypted
  • -l: logfile
  • -t: malware’s start time

Cobalt Strike Link to FIN8

Trend Micro picked up on traces of Cobalt Strike commands – the PowerShell .exe, as shown below – that its researchers think “might have been used to reconnoiter, infiltrate and drop the malicious payload into the affected system,” according to the report.

Traces of Cobalt Strike commands. Source: Trend Micro.

Lodestone’s analysis of the ransomware group’s tactics, techniques, and procedures (TTPs) points to the White Rabbit group potentially being affiliated with FIN8.

FIN8 has typically used social engineering and spear-phishing to go after financial services and payment-card data from point-of-sale (PoS) systems – particularly those of retailers, restaurants and the hotel industry. More recently, it has added ransomware to its bag of tricks. It’s been active since at least January 2016 and periodically pops in and out of dormancy in order to fine-tune its TTPs so as to evade detection and ramp up its success rate.

One example was in August, when the latest refinement of the APT’s BadHatch backdoor proved able to leverage new malware on the fly without redeployment, making it potent and nimble.

Besides BadHatch, FIN8’s well-stocked arsenal has included malware variants such as ShellTea – a backdoor also known as PunchBuggy – and the memory-scraping malware PunchTrack.

In the December attack, White Rabbit dragged in a previously unseen version of BadHatch that, based on characteristics of the malware sample acquired, Lodestone named F5.

“The exact relationship between the White Rabbit group and FIN8 is currently unknown,” Lodestone stipulated. “However, Lodestone identified a number of TTPs suggesting that White Rabbit, if operating independently of FIN8, has a close relationship with the more established threat group or is mimicking them.”

White Rabbit’s Ransomware Path

As Trend Micro tells it, the White Rabbit ransomware creates a note for each file it encrypts. “Each note bears the name of the encrypted file and is appended with ‘.scrypt.txt,’” researchers described. “Prior to the ransomware routine, the malware also terminates several processes and services, particularly antivirus-related ones.”

Next, if the -f argument isn’t given, it tries to encrypt files in fixed, removable and network drives, as well as in resources. Trend Micro provided the list below of the paths and directories the ransomware tries to skip, “to avoid crashing the system and destroying its own notes.”

  • *.scrypt.txt
  • *.scrypt
  • c:\windows\*
  • *:\sysvol\*
  • *:\netlogon\*
  • c:\filesource\*
  • *.exe
  • *.dll
  • *desktop.ini
  • *:\windows\*
  • c:\programdata\*
  • *:\programfiles\*
  • *:\program files (x86)\*
  • *:\program files (x64)\*
  • *.lnk
  • *.iso
  • *.msi
  • *.sys
  • *.inf
  • %User Temp%\*
  • *thumbs.db
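As an added illustration (not code from Trend Micro, Lodestone or the ransomware itself), a small Python scoping helper that applies the exclusion list above, and the -f argument described earlier, to a constructed file inventory, the way a responder might estimate which files an infection would have touched and where its notes would land. The backslashes in the patterns, the per-user temp directory and the note naming rule (file name plus “.scrypt.txt”) are assumptions drawn from the article’s description.

```python
import fnmatch

# Exclusion globs as reported by Trend Micro. Backslashes are assumed (the
# article's rendering dropped them) and %User Temp% is left as a placeholder
# that expand_patterns() resolves against a per-user temp directory.
WHITE_RABBIT_SKIP_PATTERNS = [
    "*.scrypt.txt", "*.scrypt",
    r"c:\windows\*", r"*:\sysvol\*", r"*:\netlogon\*", r"c:\filesource\*",
    "*.exe", "*.dll", "*desktop.ini", r"*:\windows\*", r"c:\programdata\*",
    r"*:\programfiles\*", r"*:\program files (x86)\*", r"*:\program files (x64)\*",
    "*.lnk", "*.iso", "*.msi", "*.sys", "*.inf", r"%User Temp%\*", "*thumbs.db",
]

# Per the article, each note carries the encrypted file's name plus this suffix.
NOTE_SUFFIX = ".scrypt.txt"

# Constructed example value; on a real host take it from the user's TEMP variable.
DEFAULT_USER_TEMP = r"C:\Users\victim\AppData\Local\Temp"


def _normalize(path):
    # Windows matching is case-insensitive; fold slashes so both spellings match.
    return path.replace("/", "\\").lower()


def expand_patterns(user_temp=DEFAULT_USER_TEMP):
    """Resolve the %User Temp% placeholder and lower-case every pattern."""
    return [_normalize(p.replace("%User Temp%", user_temp))
            for p in WHITE_RABBIT_SKIP_PATTERNS]


def is_skipped(path, user_temp=DEFAULT_USER_TEMP):
    """True if the ransomware's own exclusion list would leave this path alone."""
    norm = _normalize(path)
    return any(fnmatch.fnmatchcase(norm, pat) for pat in expand_patterns(user_temp))


def at_risk(paths, target_file=None, user_temp=DEFAULT_USER_TEMP):
    """Paths the routine would try to encrypt, each paired with its expected note.

    target_file mirrors the -f argument: when given, only that file is in scope;
    otherwise every path in the inventory is a candidate unless excluded.
    """
    candidates = [target_file] if target_file else list(paths)
    return [(p, p + NOTE_SUFFIX) for p in candidates if not is_skipped(p, user_temp)]


# Constructed file inventory standing in for a host's directory listing.
SAMPLE_FILES = [
    r"C:\Users\victim\Documents\q4-forecast.xlsx",     # at risk
    r"C:\Windows\System32\drivers\etc\hosts",          # skipped: c:\windows\*
    r"D:\Shares\Finance\ledger.db",                    # at risk
    r"D:\Shares\Finance\ledger.db.scrypt.txt",         # skipped: an existing note
    r"C:\Program Files (x86)\Vendor\app.dll",          # skipped: *.dll and program files
    r"C:\Users\victim\AppData\Local\Temp\upload.tmp",  # skipped: %User Temp%\*
    r"C:\Users\victim\Desktop\Thumbs.db",              # skipped: *thumbs.db
    r"E:\Backups\2021-12\archive.zip",                 # at risk
]

if __name__ == "__main__":
    for path, note in at_risk(SAMPLE_FILES):
        print(f"would encrypt {path}  -> note {note}")
```

Because fnmatch’s `*` also crosses directory separators, a pattern like `c:\windows\*` covers the whole subtree, which matches how the list reads in the report.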

FIN8 Connection Still a Bit Sketchy

FIN8 and White Rabbit may be related, or they might actually share the same creator: It’s not a solid call just yet, Trend Micro said.

It could be that this is just another indication of how the group is doing what it’s known for: expanding its arsenal, past the infiltration and reconnaissance tools for which it’s well-known, to add ransomware to the toolkit. “So far, White Rabbit’s targets have been few, which could mean that they are still testing the waters or warming up for a large-scale attack,” Trend Micro researchers noted.

It has an “uncomplicated” ransomware routine, which likely means that it’s still under development, they said. Despite being a simple piece of malware, it’s still dangerous: “Despite being in this early stage, however, it is important to highlight that it bears the troublesome characteristics of modern ransomware: It is, after all, highly targeted and uses double extortion methods,” according to Trend Micro’s writeup. “As such, it is worth monitoring.”

Blocking White Rabbit Attacks

Both Lodestone and Trend Micro included indicators of compromise in their White Rabbit writeups.

Trend Micro also had the following suggestions for setting up a multilayered defense to “help guard against modern ransomware and prevent the success of the evasion tactics they employ”:

  • Deploy cross-layered detection and response solutions. Find solutions that can anticipate and respond to ransomware activities, techniques, and movements before the threat culminates.
  • Create a playbook for attack prevention and recovery. Both an incident-response (IR) playbook and IR frameworks allow organizations to plan for different attacks, including ransomware.
  • Conduct attack simulations. Expose employees to a realistic cyberattack simulation that can help decision-makers, security personnel, and IR teams identify and prepare for potential security gaps and attacks.

US Congress rolls back proposal to restrict use of Chinese chips



The US Congress is rolling back proposed legislation that would place restrictions on the use of Chinese-made chips by the government and its contractors, after companies argued that the measures would raise costs.

While the draft legislation still provides for restrictions to be enacted, contractors now have five years to comply with them, rather than the two years stipulated in an earlier version of the proposal, and the language of the new draft leaves room for waivers to the restrictions under certain circumstances.

In September, Senator Chuck Schumer, a Democrat from New York, and Senator John Cornyn, a Republican from Texas, announced a provision in the National Defense Authorization Act (NDAA) for fiscal 2023 that would restrict federal agencies and contractors from using semiconductors and chips from China’s Semiconductor Manufacturing International Corporation (SMIC), Yangtze Memory Technologies Corp (YMTC), and ChangXin Memory Technologies (CXMT).

The provision was modelled on the 2019 NDAA, which prohibited the US government and its contractors from using telecommunications or video surveillance equipment from China’s Huawei, ZTE, Dahua, Hytera or Hikvision.

The provision on Chinese semiconductor makers, however, was not included in the House of Representatives version of 2023 NDAA. In an explanatory statement issued on Tuesday, the US Senate Armed Services Committee noted that the Senate and House have now negotiated an agreement wherein NDAA restrictions on imports from the Chinese chip makers will not be enforced until 2028. After that time, waivers on those restrictions may still be issued by the US Secretary of Defense, the National Security Director and other top government officials if they deem that waivers are needed for national security interests.

“For the purposes of waivers that may be issued,” according to the statement, “critical national security interests of the United States may include protecting the Nation’s economic security and its technological competitiveness relative to strategic competitors.”

Compliance with restrictions on Chinese chip imports has been pushed back to five years.

US trade groups protest Chinese chip import restrictions

In November, a coalition of defense, tech and business trade groups had written a letter to the Senate Armed Services Committee, arguing that the original Senate restrictions on Chinese chip imports were vague and would ultimately impose “tremendous compliance burdens” on government contractors without any proven benefits to US national security.

Meanwhile, however, the NDAA is not a done deal. The latest version, agreed on by the House and Senate negotiators, still needs to be voted on by all Congressional representatives, after which it goes to President Joe Biden for approval. The congressional vote is expected this week.

The issue of chip manufacturing has been a focal point for the US government in recent months, as geopolitical tensions with China have risen at a time when the US is only producing 12% of the world’s supply of chips, down from more than 30% 20 years ago.

In August, President Joe Biden signed into law the CHIPS and Science Act of 2022, providing $52.7 billion for manufacturing incentives in an attempt to increase the percentage of microprocessors produced in the US by closing the cost differential with other countries such as Taiwan, South Korea, and China. In those nations, the governments are already subsidizing semiconductor manufacturers.

Chip manufacturers can begin seeking to use tax breaks and funds to offset construction and other costs beginning next year.

Speaking in October, Gaurav Gupta, Gartner’s vice president for Emerging Technologies and Trends, said that although the money, tax breaks, and other incentives in the CHIPS Act are pocket change for leading manufacturers, the incentives do demonstrate that the US government is serious about supporting the industry.

However, Gupta warned that more is needed, saying “this has to be a more consistent policy from the US government through the next decade and beyond if they’re really serious about bringing back more chip manufacturing here in the US.”

Copyright © 2022 IDG Communications, Inc.

Athletic shoe maker Brooks runs down cyberattacks with zero-trust segmentation



Ransomware was again the top attack type in 2021, with manufacturing replacing financial services as the top industry in assailants’ crosshairs—representing 23.2% of the global attacks remediated last year by IBM Security’s X-Force, according to the company’s Threat Intelligence Index 2022 report.

Jon Hocut, director of information security for Brooks

With news like this, it is not surprising that “ransomware is the threat that keeps me up the most at night,” says Jon Hocut, director of information security for Brooks, the renowned running shoe manufacturer. It doesn’t help that Brooks’ IT infrastructure “grew over time for quite a while before security became a primary issue,” he says. Therefore, the company sought a cyber security solution to address cyberattacks fast, without first requiring a complete network rebuild.

PJ Kirner, CTO and co-founder of Illumio

Brooks believes it has found this solution in Illumio Core, a zero-trust segmentation (ZTS) platform from Illumio that can be implemented in stages across a corporate network, protecting the most vulnerable areas first — like installing locks on a bank vault and safety deposit box room while leaving the customer records’ room for another time.

“Illumio’s mission at the highest level is to prevent breaches from becoming cyber disasters,” says PJ Kirner, Illumio’s CTO and co-founder. “Our zero-trust segmentation platform helps people limit the impact of those that do occur, while providing visibility and control of the entire network.”

Illumio Core: a pragmatic approach to zero trust

The “trust no one” logic of zero trust requires users to authenticate their identities whenever they request access to data or applications across the network. But “zero-trust segmentation goes further than just isolating different parts of the network,” says David Holmes, senior analyst at Forrester Research. “Zero-trust segmentation solutions isolate each participating computer, only allowing the specific connections and access explicitly declared first. This is why companies like Brooks are doing the right thing by investing both capital and technical resources into zero-trust segmentation, as it solves not just ransomware but generally any other network-oriented breach.”

Illumio’s pragmatic approach to zero-trust segmentation applies it to the most vulnerable areas first—the ones hackers are most likely to attack—and worries about the rest later. It’s an approach that works, according to a study conducted for Illumio by the offensive security firm Bishop Fox, which staged cyberattacks against an Illumio Core-protected network. Based on the results of those unsuccessful attacks, “zero-trust segmentation can be applied to effectively isolate compromised hosts during an active attack,” the Bishop Fox report concludes. “ZTS can (also) be used proactively to ring-fence entire environments and applications, drastically reducing the pathways available for exploitation through lateral movement.”

How Brooks is applying ZTS

In line with “doing what matters most first,” Brooks has applied Illumio Core to block unauthorized access to hundreds of its Windows servers and cloud resources. Most staff are not supposed to access them as part of their jobs, so proactively blocking requests for access until they can be reviewed by IT security staff is a simple, yet effective, cybersecurity solution.

“We’ve separated our users from our servers and our resources, with the goal of only allowing the minimal amount of traffic that’s necessary back and forth,” Hocut says. “Now these servers may need to talk to each other in a lot of ways on a lot of different ports. But the users from their laptops don’t need to talk across those ports, and so we stop them from doing so without explicit permission.”

It is these laptops, operated by non-IT employees with network access, that are most likely to be the targets of hackers through phishing and other such attacks. So, when it comes to making Brooks’ IT infrastructure more secure using ZTS, “the first thing to do is take those laptops that are most likely to be compromised and segment them off from everything,” says Hocut. “So that isn’t zero trust across the enterprise, there’s just less trust. You’re still saying, ‘well, we’ll trust the servers to talk to each other.’ But we will keep the most likely compromised machines away from the most valuable machines and control that traffic as much as possible.”

The Illumio Core platform documents all access requests, allowing the Brooks IT team to analyze this historical record to detect possible breach attempts, access request trends, and other potential signs of past hacker attacks. All of this data is being used to tweak the company’s cybersecurity policies and procedures and shape its approach to ZTS management and expansion throughout the network going forward.

Implementing ZTS has been relatively painless

It took only four months during the second half of 2022 for Brooks to implement Illumio Core ZTS on its network. “Today, we’re just monitoring alerts and following up on them,” says Ryan Fried, Brooks’ senior security engineer. “It’s easy to just let the alerts go by and block traffic for something like RDP, but we do our best to reach out to the user, understand why they were doing it, and then talk to them about the alternative processes that are in place.”

A case in point: In the past, a Brooks employee “might make SQL connections from their laptop to a database, which is terrifying to me,” Fried says. Now, after such an access attempt has been detected and blocked by Illumio Core, “we direct them to a safe server for us, and then we initiate the RDP or SQL connection from there.”

Ironically, the biggest challenge in implementing Illumio Core at Brooks wasn’t digital but analog. Hocut and his security team had to calm the fears of Brooks’ business executives who were uneasy about their network access being moved to ZTS before they could take action.

“Tell someone on the enterprise resource team that you’re going to mess with the firewalls around the ERP system,” says Hocut. “They’re not going to take you out for beers. They’re going to be concerned about how this is going to affect operations.” Even his boss, Brooks’ VP of Information Technology, wanted to know how the move to ZTS could be done without causing downtime, and maintained without causing issues. “I had to build trust with everyone by explaining that Ryan would set up a proposed ZTS rule set and run it non-operationally for a while to make sure it worked, before taking Illumio Core live,” he says.

Testing before deployment is essential

Doing such testing before deploying any ZTS system is a must, says Holmes. “Zero-trust segmentation is very effective but requires work up front to define the correct segmentation policy,” he explains. “Incorrect policy results in local network outages and manual tuning, adding a layer of complexity to the management of the network. Modern ZTS solutions work hard to divine the correct policy for you, but even the models that use AI aren’t 100% accurate and tuning is required.” Having done this work, Brooks’ ZTS system is working as promised, providing the company with proactive protection from ransomware and other cyber threats.

Looking ahead, Hocut plans to extend Illumio Core into other parts of Brooks’ IT infrastructure. “We’re looking to tighten the granularity of our network controls with different groups of servers so that we’re not treating all servers the same,” he says. “We’re going to be watching outbound traffic from the servers as well. Servers have very specific functions and should only be talking to the outside world in very specific ways. And we can use Illumio to learn what all those current ways are, making the assumption that those are probably all good — and block absolutely everything else.”

Ransomware attack knocks Rackspace’s Exchange servers offline



Cloud services and hosting provider Rackspace Technology acknowledged Tuesday that a recent incident that took most of its Hosted Exchange email server business offline was the product of a ransomware attack. The company shut the service down last Friday.

It was not, initially, clear what had caused the outage, but Rackspace quickly moved to shift Exchange customers over to Microsoft 365, as this part of the company’s infrastructure was apparently unaffected.

Rackspace offers migration to Microsoft 365

Rackspace said today that there is “no timeline” for a restoration of Exchange service, but it is offering Exchange users technical assistance and free access to Microsoft 365 as a substitute, though it acknowledged that migration is unlikely to be a simple process for every user. Rackspace said that, while the migration is in progress, customers can forward email sent to their Hosted Exchange inboxes to an external server, as a temporary workaround.

The company said that the incident was isolated to its Hosted Exchange business, and that the rest of its lineup of products and services are fully functional. It’s unclear how Rackspace was able to limit the access of the ransomware attackers to one corner of its operations, and the company did not respond to a request for comment on this point.

The investigation is “still in its early stages,” according to Rackspace’s official updates on the matter. The company added that it is, as yet, unable to ascertain whether any consumer data was affected by the attack, but pledged to notify customers if that proves to be the case. Some email archives remain accessible, according to the updates, and Rackspace said that it is working to provide those to customers “where available,” as a precursor to migrating over to Microsoft 365.

Rackspace has also hired “a leading cyber defense firm” to assist in the investigation, though it declined to name the company publicly.

“Out of an abundance of caution, we have put additional security measures in place and will continue to actively monitor for any suspicious activity,” Rackspace said in its latest advisory.

In a public statement, the company said that, despite the ongoing nature of its investigation, it can say that the cyberattack has affected its bottom line. The Hosted Exchange business generates roughly $30 million a year, and a prolonged outage, with its associated costs, is likely to dent that figure.
