At a glance.
- CISA and FBI issue an update on Royal Ransomware.
- A pre-Black Friday look at card skimmers.
- Smash-and-grab ransomware attacks.
- Cloud vulnerabilities: current trends and risks.
- Fences, and their place in organized cybercrime.
- Application vulnerabilities show a decline.
- Botnet activity surges.
- DP World Australia restores port operations.
- LockBit may be drawing unwelcome attention to itself.
- ENISA and Ukraine formalize cybersecurity cooperation.
CISA and FBI issue an update on Royal Ransomware.
A classic double-extortion ransomware gang that both encrypts and doxes its victims, Royal is undergoing some changes. The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) yesterday updated their advisory accordingly:
"Since September 2022, Royal has targeted over 350 known victims worldwide and ransomware demands have exceeded 275 million USD. Royal conducts data exfiltration and extortion prior to encryption and then publishes victim data to a leak site if a ransom is not paid. Phishing emails are among the most successful vectors for initial access by Royal threat actors. There are indications that Royal may be preparing for a re-branding effort and/or a spinoff variant. Blacksuit ransomware shares a number of identified coding characteristics similar to Royal. A previous joint CSA for Royal ransomware was published on March 2, 2023. This joint CSA provides updated IOCs identified through FBI investigations."
CISA and the Bureau have updated their notes on the gang's tactics, techniques, and procedures, as well as their list of indicators of compromise (IOCs).
A pre-Black Friday look at card skimmers.
Malwarebytes is tracking an increase in card-skimming campaigns ahead of the holiday shopping season. The researchers describe a large credit card skimming operation called “Kritec” that surfaced in March 2023. The threat actors craft customized skimmers for each compromised website: “The experience was so smooth and seamless that it made it practically impossible for online shoppers to even realize that their credit card information had just been stolen.”
The researchers note, “In April this skimming campaign reached a peak and then slowed down during the summer. However, it came back, increasing to its highest volume in October. We measured this activity based on the number of newly registered domain names attributed to this threat actor.”
Smash-and-grab ransomware attacks.
Sophos has published its 2023 Active Adversary Report for Security Practitioners, noting a “precipitous decline in dwell time for all attacks.” The researchers state, “In particular, we noted a 44% year-on-year and 72% all-time drop in dwell time for ransomware attacks. These decreases were especially eye-catching with ransomware attacks, the dwell time of which decreased to a median of five days. One of our conclusions is that not only do ransomware attackers know that detection capabilities have improved, necessitating quicker attacks, but many are simply well-practiced.”
The researchers note that faster attacks tend to involve the same TTPs as slower ones: “Most attacks, whether ‘fast’ or ‘slow,’ don’t appear to have any significant markers, other than speed, that would inform a change in defense strategy.”