At a glance.
- Sophisticated botnet targets CMS vulnerabilities.
- Bulletproof hosting provider launches phishing attacks on the side.
- Financially motivated inauthentic behavior.
- Cross-site scripting used in tech support scam.
- Disruption efforts against Trickbot continue.
- Ransomware trends.
Sophisticated botnet targets CMS vulnerabilities.
Researchers at Imperva describe KashmirBlack, a well-designed botnet that exploits known vulnerabilities in popular CMS platforms. Imperva believes the botnet has been active since November 2019, and it's used for at least five purposes: "crypto mining, spamming, defacement, spreading and, pending bot." The defacement element led the researchers to suspect that the botnet is controlled by a member of the Indonesian hacking group "PhantomGhost."
Imperva emphasizes that KashmirBlack's developers and operators appear to be more sophisticated than most botnet groups. In a second blog post, the researchers outline the technical aspects of the botnet's infrastructure that make it complex, resilient, and easily expandable.
Bulletproof hosting provider launches phishing attacks on the side.
PhishLabs says an Indonesia-based cybercriminal group dubbed "Planetary Reef" is acting as a bulletproof hosting provider using leased IP space from a large, legitimate reseller. The threat actor uses some of these domains to launch its own phishing attacks, and also sells access to other known criminal groups. Planetary Reef advertises its hosting services on social media sites, and many of the group's administrators appear to have publicly available Facebook profiles, which seem brazen, to say the least.
Financially motivated inauthentic behavior.
Facebook published a report on financially motivated inauthentic behavior (IB) on the platform, which the company distinguishes from politically motivated coordinated inauthentic behavior (CIB) designed to manipulate people's opinions. Financially motivated inauthenticity often takes the form of spam and clickbait designed to amplify content and drive people to ad-ridden websites. Political topics serve as effective clickbait lures, and Facebook notes, "These activities can be mistaken for politically-motivated influence operations at first glance, when in fact they are using political themes globally as another form of clickbait, similarly to celeb-bait or puppy memes."
Graphika offers a closer look at one of the larger inauthentic networks that was taken down. This operation was based in Myanmar and involved six-hundred-fifty-five Pages and twelve Groups. Graphika says sixty-four of these pages had more than a million followers, and four-hundred-thirty-eight had more than one-hundred-thousand followers. While a small portion of the content posted by these accounts centered on local politics (including pro-army and anti-Muslim posts), Facebook believes these were meant to be clickbait rather than intended to manipulate opinions. Graphika calls this "an illustration of the porous border between commercial spam and politically-oriented operations, blends of 'lifestyle' clickbait with political content have been observed historically both in commercial spam operations, and in influence operations that were attributed to the Myanmar military in 2018 and 2019."
Cross-site scripting used in tech support scam.
Malwarebytes warns that a tech support scam campaign is abusing a cross-site scripting vulnerability in a popular and legitimate Peruvian news website to redirect users to malicious sites. The attacker appears to be using Bit.ly shortened URLs distributed via apps and games on Facebook.
Disruption efforts against Trickbot continue.
CrowdStrike and others noted last week that the Trickbot botnet has proved resilient to government and industry efforts to disrupt it, but Microsoft issued an update last week asserting that it was seeing success in its ongoing efforts against the botnet. Microsoft noted that these are temporary measures designed to impede ransomware attacks ahead of the US election:
"As expected, the criminals operating Trickbot scrambled to replace the infrastructure we initially disabled. We tracked this activity closely and identified 59 new servers they attempted to add to their infrastructure. We’ve now disabled all but one of these new servers. In sum, from the time we began our operation until October 18, we have taken down 120 of the 128 servers we identified as Trickbot infrastructure around the world. To be clear, these numbers will change regularly as we expect action we’ve already taken will continue to impact the remaining infrastructure and as we and others continue to take new action between now and the election."
Microsoft added that it obtained more court orders to disable Trickbot's new infrastructure, and that it will continue to do so until election day. The company also notes, "What we’re seeing suggests Trickbot’s main focus has become setting up new infrastructure, rather than initiating fresh attacks, and it has had to turn elsewhere for operational help." Microsoft concludes that "it will be important to focus on the collective impact to Trickbot’s capabilities between now and the election, rather than to focus on potentially misleading simplified snapshots from any single moment in time."
Ransomware trends.
Digital Shadows has released a report on ransomware trends in Q3 2020, finding that more ransomware groups are incorporating data theft and subsequent extortion into their attacks. Seven new data dump sites sprang up during the third quarter, and the researchers believe this tactic "may pave the way for new or less well-known groups that are looking to get into the ransomware business." NetWalker and Conti ransomware, both relative newcomers to the scene, were responsible for 29% of activity related to data dumping. Conti's leaking site was only established in August 2020, yet it accounted for 17% of leaking activity. Maze, one of the first to adopt this form of extortion in late 2019, still leads the pack with 32% of leaking activity. REvil's Happy Blog came in third, at 13%. More than 80% of leaking activity was attributed to just five groups: Maze, Conti, REvil/Sodinokibi, NetWalker, and DoppelPaymer.
Emsisoft has also published its observations on ransomware in the third quarter, noting that the "Maze ransomware group in particular was a constant threat to educational institutions" at the start of the school year. Emsisoft's findings related to data theft were consistent with Digital Shadows, with the researchers noting that the operators of Avaddon, Conti, DarkSide, SunCrypt, LockBit, and others have all set up new leak sites.