At a glance.
- Shutterfly's encounter with Conti.
- Scam hits Calendly users.
- BlackGuard malware sold in C2C souks.
- (Chocolate) Easter egg phishing.
- A look at Conti and Lapsus$.
- Subpoena phishing.
A picture is worth 7GB.
Photography and custom products platform Shutterfly suffered a ransomware attack in December that temporarily shut down the company’s manufacturing and corporate systems, and the company has now disclosed that employee data were compromised in the attack. According to a notification submitted to the California Attorney General’s Office, SecurityWeek reports, the intruders accessed personal information including names and other employment-related data, and they had been inside the network for approximately ten days before being detected. Though Shutterfly has not named the hackers behind the attack, the Conti ransomware group took credit for the breach, publishing roughly 7GB of data they claimed to have stolen.
Calendly app users hit with scheduling scam.
Hackers are attracted to free websites as a venue for phishing schemes as they provide easy access for both scammer and scam-ee. In this recent operation, cybercriminals attempted to lure targets to a credential-harvesting payload through the free calendar app Calendly. INKY explains that the scammers used the platform’s Add Custom Link feature to insert malicious links in calendly.com event invitations sent from hijacked accounts. The link directs victims to a fraudulent website where they’re asked for their login credentials, which are then sent directly to the hackers. At least sixty-four individuals have received the scam messages, and Calendly users are urged to be on the alert for any suspicious activity.
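The mechanism described above is a trusted sender domain carrying a link to somewhere else. A simple defensive check is to pull every URL out of an invitation and flag any whose host is not the calendar platform itself. The script below is an added example, not Calendly's or INKY's code; the invitation text is constructed, and it treats only calendly.com and its subdomains as trusted (an assumption for the example). It also handles two lookalike tricks, a trusted name in the userinfo part of the URL and a trusted name used as a prefix of a longer hostname, which a naive substring check would miss.

```python
import re
from urllib.parse import urlparse

# Hosts the invitation is allowed to link to (assumed for this example).
TRUSTED_HOSTS = {"calendly.com"}

# Crude but adequate URL extractor for plain-text mail bodies.
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Constructed sample invitation; the hostnames are placeholders, not real sites.
SAMPLE_INVITE = """Subject: Invitation: Quarterly review
Join via https://calendly.com/acme/quarterly-review
Custom link: https://calendly.com@login-verify.example/session
Documents: https://calendly.com.docs-portal.example/files
Reschedule: https://app.calendly.com/reschedule/abc
"""


def is_trusted_host(host):
    """True only if host is exactly a trusted domain or one of its subdomains.

    Comparing on the parsed hostname (not the raw URL string) defeats the
    'calendly.com@evil.example' userinfo trick, and requiring a dot before the
    trusted suffix defeats 'calendly.com.evil.example'.
    """
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def extract_links(text):
    """Return every http(s) URL in the text, trailing punctuation removed."""
    return [u.rstrip(".,;:") for u in URL_RE.findall(text)]


def suspicious_links(text):
    """Return the URLs in an invitation whose host is not a trusted one."""
    flagged = []
    for url in extract_links(text):
        host = urlparse(url).hostname
        if not is_trusted_host(host):
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    for url in suspicious_links(SAMPLE_INVITE):
        print("flagged:", url)
```

Run against the constructed invitation, the two custom links pointing off-platform are flagged while the genuine calendly.com and app.calendly.com links pass. A mail gateway rule built on the same idea would rewrite or quarantine such invitations rather than merely print them.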
It's tough for any communications platform (and Calendly is just that) to control this sort of scam. A Calendly spokesperson emailed us to say:
“Security is a top priority at Calendly. Similar to other major technology providers, we have an extensive network of tools and systems in place, such as a next-generation web application firewall, fraudulent IP tracking, and anomalous traffic pattern alerts. We also recommend customers add an additional layer of protection with a password manager and two-factor authentication. In this instance, a malicious link was inserted into a customized booking page. Phishing attacks violate our Terms of Service and accounts are immediately terminated when found or reported. We have a dedicated team that constantly enhances our security techniques, and we will continue to refine and stay vigilant to protect our users and combat such attacks.”
BlackGuard malware on sale in Russian underground marketplaces.
Zscaler offers an in-depth examination of the infostealer BlackGuard, a new malware-as-a-service being offered on a Russian hacking forum. The malware, sold at a lifetime price of $700 (or $200 monthly), can steal data from cryptocurrency wallets, VPN clients, messengers, FTP clients, saved browser credentials, and email clients. Upon execution, BlackGuard scans for and shuts down antivirus and sandbox processes, and its strings are obfuscated so that it can evade antivirus and string-based detection. It also avoids infecting Russian systems: it checks the device's country and exits automatically if it finds itself in the Commonwealth of Independent States. Though BlackGuard doesn’t have as large a user base as other infostealers, it’s growing in popularity in underground hacker forums.
Phishers pose as Easter Bunny.
Just in time for April Fools’ Day, the Irish Mirror warns of an online scam taking advantage of another upcoming holiday. Cybercriminals are using popular sweets seller Cadbury as a front for an operation that tricks targets into thinking they’re entering to win a free Easter basket. A message circulating in Ireland on social media platforms like Facebook and WhatsApp lures users into signing up for the chance to score a "Cadbury FREE Easter Chocolate Basket" (complete with a mouthwatering image of a giant candy egg), but the included link directs hopefuls to a credential-harvesting website. One victim posted on Facebook, "I've had 3 messages in last 5 minutes on Whatsapp promising a free choc hamper. Its a scam please dont fall for it. They wajt u to fill it all in to steal identity. If something normally sounds too good to be true it usually is!" Buying discounted candy the day after Easter is a safer way to get chocolate for a steal.
Ransom, compromise, and extortion: Conti and Lapsus$.
Conti is always after personal information (and other data), while Lapsus$ has specialized in stealing company proprietary information, like source code. But both gangs' activities illustrate the ways in which criminals prospect both institutions and individuals.
Sam Curry, Cybereason's Chief Security Officer, hopes that the incidents will prompt more effective public-private cooperation against ransomware:
"Anytime Conti Group is making headlines for the wrong reasons it is interesting because they are the most profitable ransomware gang in history. In fact, the FBI and CISA have discovered hundreds of attacks on hospitals, critical infrastructure operators, law enforcement agencies and other public and private sector organizations in the past year.
"This breach is especially concerning because Shutterfly reported the theft included employees' personal information, including names, salary and compensation information, and FMLA leave or workers’ compensation claims. Shutterfly’s disclosure will hopefully help other organizations raise their awareness of the ransomware risks.
"If we have learned anything from the deluge of Conti ransomware attacks, the public and private sector need to invest now to ratchet up prevention and detection and improve resilience. Sure, the threat actors might get in, but so what? Organizations can make that mean nothing. We can slow them down. We can limit what they see. We can ensure fast detection and ejection. We can—in short—make material breaches a thing of the past. So, what if they get a toe hold on the ramparts. We can keep them out of the castle by planning and being smart ahead of time and setting up the right defenses."
Erfan Shadabi, cybersecurity expert at comforte AG, notes the continuing lure that sensitive data of almost any kind presents to cybercriminals:
“This attack is just the latest example of the growing threat of ransomware and threat actors’ intense focus of getting their hands on any sensitive data from which they can profit. Any business should expect that a ransomware attack could be imminent. This is not alarmism but realism. Proper preparatory actions should include tightening the internal culture of data privacy and security, such as all employees knowing how to treat suspicious emails and inquiries for sensitive information. But more importantly, companies can help to mitigate future attacks by applying data protections directly to sensitive information. For example, by tokenizing data that should not be disclosed, the company can ensure that even if threat actors get their hands on the tokenized data, they cannot leverage or profit from it due to the meaning being obfuscated.”
Ken Westin, Director, Security Strategy, at Cybereason commented on the Globant incident. He finds the resilience of Lapsus$ unsurprising:
"Globant appears caught in their crosshairs of cyber extortion group Lapsus$ based on recent stolen postings. It’s not surprising Lapsus$ resurfaced so quickly after going on a short hiatus. While London police arrested seven members of Lapsus$ last week, all were released as their investigation into reported hacks against Okta, Samsung, Microsoft, Nvidia, amongst others were making headlines.
"Cybercrime groups, like hacktivist groups, often work in a decentralized fashion, with many members not even knowing each other’s true identities. The fact this group is made up of members in many different countries presents challenges for law enforcement as they will need to collaborate with different countries with varying levels of capabilities to go after the perpetrators.
"The Globant breach seems a bit different on the surface as the resources compromised were around Globant's DevOps processes, raising the question as to where the initial compromise was and what did Lapsus$ do with the access. What is also concerning regarding this compromise is that potential source code for some of their customers appears to have been exposed and Lapsus$ is going after organizations via Globant’s technology and now services partners."
Aaron Sandeen, CEO and co-founder, Cyber Security Works, commented on the Globant breach that Lapsus$ claimed (and Globant confirmed):
“Data breaches continue to devastate enterprises and as global cybersecurity challenges worsen, leaders must expand their cybersecurity visibility of known and unknown assets, increase the frequency with which they validate, and seek early warning capabilities to truly protect their business from potential cyberattacks. Hacking groups like Lapsus$ capitalize on vulnerabilities to steal data from big companies.
"Actions that enterprises can take to avoid catastrophe must include patching the vulnerabilities that threat groups and attackers exploit. Knowing how vulnerable you are to ransomware attacks and evaluating your security posture through constant vulnerability management and proactive penetration testing is critical to building stronger protection as new hacking groups continue to emerge.”
Neil Jones, director of cybersecurity evangelism at Egnyte, looks forward to the Bureau collaring Lapsus$:
"The recent cyberattack on software incubator Globant X provides several stark reminders about cybersecurity protection: 1) If your organization outsources processes or data storage to third-party organizations, your data protection is only as good as the business partner(s) you choose. 2) Companies need to protect their clients' highly-sensitive content–such as source code–with the same level of protection as their own. 3) Data exfiltration incidents appear to be surpassing ransomware attacks as the primary cyberattack vector in 2022. Although it's reassuring that Lapsus$ has been added to the FBI's Most Wanted List, utilization of Multi-Factor Authentication (MFA) technology and implementation of technology that detects suspicious log-ins from unanticipated geographical regions can significantly reduce the risk of such attacks."
Tyler Farrar, CISO at Exabeam, marvels at the ability Lapsus$ has shown (script kiddies or not) to penetrate defenses:
“Lapsus$ is currently on a tear against security and IT vendors. It has been reported that the attackers are utilizing a combination of compromised credentials and escalated privileges, surpassing endpoint protection tools. They are then exfiltrating data, such as source code, and extorting their victims.
"Because Lapsus$ is clearly capable of breaking through perimeter security measures, companies must focus on detection and response to minimize the damage of the infiltration. It’s important to invest in solutions that establish a baseline of user and entity behavior and are capable of flagging potentially malicious or suspicious activity as soon as it occurs.
"Far too many organizations are being hit with credential theft but don’t have a fingerprint of the normal activity for those credentials. They don't know which users normally log into any given machine in their environment. These are the types of patterns that need to be established to stop these groups. In addition, SOC teams must study the threat data from recent Lapsus$ incidents so they can monitor for the right TTPs. As attacks escalate, now is the time to act.”
Comment on subpoena phishing.
Revelations that Apple and Meta responded to fake emergency data requests have led Senator Ron Wyden (Democrat of Oregon) to begin an investigation of the emergency data request system as such. Law enforcement surely needs quick ways of getting data in an emergency, but there should be, the Senator suggests, some checks and balances that will enable companies to distinguish real requests from subpoena fraud.
PJ Norris, principal systems engineer at cybersecurity company Tripwire, wrote to point out the ingenuity on display in the phishing expedition:
“Hackers are becoming smarter about how they obtain information from large organizations. It’s easy to see how information can be disclosed in this manner. As hackers become smarter, organizations need to step up and ensure there are watertight processes in place and to be one step ahead.
"The weakest link in this particular process was the ‘emergency’ request not needing the appropriate signatures. There is little point having a search warrant and signatory if there is a process in place to circumvent that.”
Erfan Shadabi, cybersecurity expert with comforte AG, makes a similar point in a different way:
“When we hear of big organizations such as Apple & Meta succumbing to fake emergency requests, leading to a data breach of highly sensitive information, we have to wonder how the message about rigorous data security gets missed or overlooked by those who gather, process, and store our data. But any organization, big or small, and no matter the industry they operate in, can become the next victim of a cyber attack. The harsh truth is this: threat actors will find a way to your organization’s data given enough time and incentive, no matter how fortified your digital environment is.
"Last-generation data security methods such as protecting borders and perimeters around sensitive data no longer guarantee complete safety. Every business and governmental organization needs to be in the process of actively updating their data security posture to include data-centric strategies, which protect the data itself as opposed to perimeters around it. Protection methods such as tokenization and format-preserving encryption allow organizations to work with highly mobile data without de-protecting it. So, even if that data falls into the wrong hands, threat actors cannot compromise the sensitive information within. That’s an investment well worth exploring.”
Brian Higgins, security specialist at Comparitech, points out that systems like the emergency data request are practically inevitable. It's a matter of using them securely, and in a well-controlled way:
“Emergency data requests from law enforcement are often vital in live ‘crime in action’ and vulnerable missing person cases among others. They come from dedicated units and registered investigators and by their very nature can frequently relate to vulnerable individuals, companies or groups. To describe the success of this methodology as a ‘slip-up’ is fairly accurate as the implementation of some very basic cyber hygiene (in this case a mandatory verification call-back for all emergency requests) on the part of Apple, Meta, or any law enforcement liaison team for that matter, would see attackers looking for other less simple ways to commit their crimes and offer an added layer of much needed protection.”