At a glance.
- New loader identified in wiper campaigns.
- Verizon's 2022 Data Breach Investigation Report shows a sharp rise in ransomware.
- Killnet crows large over Italian operations.
- Conti's dissolution doesn't mean its operators' disappearance.
- Origins of the Chaos ransomware operation.
- GuLoader campaign uses bogus purchase orders as phishbait.
- Security researchers targeted in malware campaign.
- Politically motivated DDoS attack on Port of London Authority website.
- Is REvil back and looking into new criminal techniques, or is a recent DDoS campaign the work of impostors?
- RansomHouse may be operated by frustrated bounty hunters.
- "Pantsdown" in QCT Baseboard Management Controllers.
- Warning on ChromeLoader.
- Ransomware at SpiceJet.
- BlackCat wants $5 million from Carinthia.
- Pro-Russian DDoS attacks.
New loader identified in wiper campaigns.
The GRU's Sandworm group, ESET reports, has deployed a new version of its ArguePatch loader. ArguePatch had seen previous use in both Industroyer and CaddyWiper attacks against Ukrainian targets. "The new variant of ArguePatch – named so by the Computer Emergency Response Team of Ukraine (CERT-UA) and detected by ESET products as Win32/Agent.AEGY – now includes a feature to execute the next stage of an attack at a specified time. This bypasses the need for setting up a scheduled task in Windows and is likely intended to help the attackers stay under the radar."
Verizon's 2022 Data Breach Investigation Report shows a sharp rise in ransomware.
Verizon has published its 2022 Data Breach Investigation Report, finding that ransomware rose by 13% last year (a greater increase than the previous five years combined). 82% of breaches involved the human element, which encompasses phishing, stolen credentials, misuse, or error. The researchers also found that supply chain breaches were behind 62% of intrusions last year. "There are four key paths leading to your estate," Verizon writes, and lists them: "Credentials, Phishing, Exploiting vulnerabilities, and Botnets. All four are pervasive in all areas of the DBIR, and no organization is safe without a plan to handle each of them." And while the rise in ransomware features prominently in the report, Verizon notes that "ransomware by itself is, at its core, simply a model of monetizing an organization's access."
Killnet crows large over Italian operations.
The Wall Street Journal reports that, even as Italian police sought to verify Killnet's claims of responsibility for attacks against various Italian websites, the Russian hacktivist group (at least a nominal, deniable, hacktivist group) claimed in its Telegram channels to have "killed Italy like a mosquito." Anonymous has taken official notice (in its decentralized, anarcho-syndicalist way). Infosecurity Magazine reports that Anonymous claims that it's "declared war" on Killnet. "The #Anonymous collective is officially in cyber war against the pro-Russian hacker group #Killnet," the group tweeted, adding "R.I.P. killnet [dot] ru."
Conti's dissolution doesn't mean its operators' disappearance.
The Conti ransomware gang may have splintered, perhaps acting on the old corporate raider or dissident shareholder premise that a business can "unlock value" by breaking itself up. OODA Loop suggests as much, with its headline "Is the Conti Ransomware Gang Stronger Apart Than Together?" But Conti data dumps have continued. The Record reports that the gang, or a part of it, or a reorganizing successor, has "published all of the data it stole during a January attack on the government servers of Linn County, Oregon."
AdvIntel late last week also described what they're observing with the Conti ransomware operation as the retirement of a brand, but not necessarily the dissolution of a gang, and almost certainly not the retirement of the gang's members. The admin panel of its "shame blog" (AdvIntel's phrase), Conti News, has shut down. The blog itself persists as a rump of its former self, but its posts are now merely poorly written anti-American screeds. There are no significant signs of Conti News's former role as a site that pressured victims to pay. AdvIntel sees the gang's dismantling itself into smaller affiliates as a business move. Conti's brand was under pressure from law enforcement, and its public adherence to the Russian cause in the war against Ukraine seems to have made it more difficult to receive ransom payments. Its high-profile attack against the Costa Rican government, then, seems to have been misdirection to cover a spin-out and rebranding, as opposed to a serious attempt to foment insurrection.
Breaking into smaller groups has both business and security advantages, as the Record observes. But AdvIntel sees the root cause of Conti's decision in the toxicity the brand had developed. "This situation presents the first, and foremost reason for Conti’s timely end—toxic branding. Indeed, the first two months of 2022 left a major mark on the Conti name. While there is no tangible evidence to suggest that the well-known Conti leaks had any impact on the group’s operations, the event which provoked the leak— Conti’s claim to support the Russian government, seems to have been the fatal blow for the group, despite being revoked almost immediately." Conti alumni will no doubt, however, continue to enjoy the toleration and enablement that the Russian government has long extended privateers operating from its territory. As long as they hit enemies of the regime and stay deniable, the gangs will be permitted to profit.
Why did Conti choose Costa Rica for its last hurrah? The country was a target of opportunity, TechCrunch explains. Its online services were wreckable, and there was money to be made from wrecking them, and so Conti...wrecked them.
Origins of the Chaos ransomware operation.
Researchers at BlackBerry have published a report outlining the genealogy of the Chaos ransomware family, detailing six versions of the malware that have been released since it first surfaced in June 2021. BlackBerry found that Chaos has ties to the Onyx and Yashma ransomware strains, although Chaos initially (and unsuccessfully) claimed to be an offshoot of Ryuk. It wasn't. The false claim was evidently a reach for C2C credibility. Fortinet had earlier tracked Chaos's rise to prominence as its operators declared their adherence to the Russian cause in Moscow's war against Ukraine. BlackBerry notes that Chaos has advanced beyond its beginnings as a relatively basic operation and has now evolved into a flexible, widely available, and difficult-to-track malware operation.
GuLoader campaign uses bogus purchase orders as phishbait.
Fortinet reports finding a phishing email, targeting a Ukrainian coffee company, that drops GuLoader. GuLoader, also known as CloudEye and vbdropper, is used to drop other malware variants. The phishing email presented itself as a purchase order from an oil company in Saudi Arabia, with a PDF file containing an executable for GuLoader. This attack is distinctive in that it uses the less common NSIS (Nullsoft Scriptable Install System), a script-driven installer authoring tool for Windows, to deploy itself. FortiGuard Labs rates it a medium-severity threat for Windows users.
Security researchers targeted in malware campaign.
BleepingComputer reports that security researchers were the target of a threat actor using fake Windows proof-of-concept exploits that infected devices with the Cobalt Strike backdoor. Cobalt Strike is a legitimate pentesting tool, but one that is often abused. The threat actor took advantage of the recently patched Windows remote code execution vulnerabilities CVE-2022-24500 and CVE-2022-26809, posing as a security researcher who had used the fixes to develop two proof-of-concept exploits for the flaws and publishing them on GitHub. The exploits were quickly found to be fake: the "exploits" installed Cobalt Strike beacons on the victims' devices.
This sort of incident can serve as battlespace preparation for subsequent campaigns, KnowBe4’s James McQuiggan said. “Cybercriminals will target anyone to gain access to systems for data and exploitation. In this particular case, security researchers are another prime target as they can potentially have sensitive information, additional exploits and other sensitive material. This information can further add to the cybercriminals' arsenal to target additional organizations and use the exploited information as bait to catch a larger fish.”
“This is an important reminder to cybersecurity professionals to not blindly trust code simply because it is published on a well-known platform like GitHub. A cybersecurity practitioner can have access to sensitive data that an attacker could leverage to launch secondary attacks,” Chris Clements, vice president of solutions architecture at Cerberus Sentinel, said. “An attacker leveraging that data effectively outsources the hard work of penetration testing and risk of reconnaissance detection to the good guys for free.”
Politically motivated DDoS attack on Port of London Authority website.
An Iranian group has claimed responsibility for a distributed denial-of-service (DDoS) attack that interfered with the Port of London Authority's website. The Authority acknowledged the incident but said that operational systems were unaffected. The group that said it was behind the attack, the ALtahrea Team, is a nominally hacktivist group, HackRead says, that operates under the direction of the Iranian government.
Is REvil back and looking into new criminal techniques, or is a recent DDoS campaign the work of impostors?
Akamai reports that one of its clients has fallen victim to a distributed denial-of-service (DDoS) attack at the hands of a threat actor claiming to be REvil. The attack consisted of a wave of HTTP/2 GET requests with demands for payment, and a Bitcoin wallet address, embedded in them. That wallet, however, has no transaction history and no known connection to REvil. Researchers noted that this attack seems smaller in scale than most REvil attacks, and seems to have a political purpose, which is something not seen before with the group. It’s also a DDoS attack, which is outside the old REvil playbook: REvil had been known for its ransomware-as-a-service offerings in the C2C market. Akamai thinks there are a number of possibilities here. Either the operation is an imposture, trading on REvil’s remaining reputational equity to spook its victims, or it’s REvil redivivus, back and looking into new approaches to crime. Or perhaps it’s a splinter group of REvil alumni, getting part of the band back together. In any case the recent attacks and the techniques they display are worth watching.
RansomHouse may be operated by frustrated bounty hunters.
RansomHouse, a new extortion gang, skips the data encryption customary with conventional ransomware operators and extorts victims by data theft and the threat of doxing. Researchers at Cyberint who've been tracking the group note that it claims an elevated purpose. RansomHouse objects to the way organizations don't devote enough resources to security, and hopes to shove them in the direction of better practices. RansomHouse also objects to what it views as a cheapskate tendency with respect to bug bounties, and this suggests to Cyberint that the members of the gang may be frustrated bounty hunters, white hats gone bad.
"Pantsdown" in QCT Baseboard Management Controllers.
Eclypsium Thursday published research into the susceptibility of Quanta Cloud Technology (QCT) servers to exploitation via the "Pantsdown" Baseboard Management Controller (BMC) flaw. "This vulnerability can provide an attacker with full control over the server including the ability to propagate ransomware, stealthily steal data, or disable the BMC or the server itself. Additionally, by gaining code execution in the BMC, attackers could steal the BMC credentials, which could allow the attack to spread to other servers in the same IPMI group," Eclypsium wrote in their report. Patches are expected soon, and Eclypsium notes that the most recent versions of affected QCT products have a secure boot capability that should serve to mitigate risk in the meantime.
Eclypsium's executive summary offers some useful reflections on the business implications of moving to the cloud, and of the security issues one needs to remain aware of in doing so. Cloud services are still susceptible to firmware issues that arise in their hardware.
Warning on ChromeLoader.
Red Canary researchers describe ChromeLoader, a browser hijacker that modifies browser settings and redirects victims to advertisement websites. The malware is hidden inside what appears to be a cracked video game or a pirated movie or TV show. It uses PowerShell to inject itself into the browser and add a malicious extension; that PowerShell activity is observable, and it is how, Red Canary explains, ChromeLoader was discovered. The PowerShell script allows other malware to come in undetected and gain a hold on personal browser information.
Ransomware at SpiceJet.
The BBC reports that the Indian airline says it has been able to restore its affected IT systems, and that flights, whose delays had continued into Wednesday, are now operating normally. The Loadstar reports, however, that passenger complaints continue, and that the disruption to operations also affected the airline's freight unit. Disgruntled passengers suggest that corporate communications should play an important role in incident response. CNBC discusses lessons others might learn from the incident, and notes that even a partially successful ransomware attempt can have a very bad effect on a business.
BlackCat wants $5 million from Carinthia.
The Austrian state of Carinthia, under ransomware attack by the BlackCat gang (also known as "ALPHV," a rebranding of DarkSide/BlackMatter) since Tuesday, has, according to BleepingComputer, received a ransom demand. BlackCat wants $5 million to restore access to the systems its attack disrupted. Carinthian authorities say that the state's public-facing websites are down, and that passport administration, collection of fines, and processing of COVID tests are among the services that have been affected. They've found no evidence that BlackCat succeeded in stealing data, and indeed none of the usual teasers have been posted to the gang's dumpsite. Carinthia does not intend to pay the ransom, and restoration of its services began Friday.
Patch news.
On Tuesday, the US Cybersecurity and Infrastructure Security Agency (CISA) issued four industrial control system (ICS) security advisories. They cover Rockwell Automation Logix Controllers, Matrikon OPC Server, Mitsubishi Electric FA Engineering Software Products (Update D), and Mitsubishi Electric Factory Automation Engineering Products (Update F). On Friday, CISA released two more ICS advisories, for Horner Automation Cscape Csfont and for Keysight N6854A Geolocation server and N6841A RF Sensor software.
And, for immediate action by US Federal civilian executive agencies, CISA on Wednesday added twenty issues to its Known Exploited Vulnerabilities Catalog, and on Thursday added thirty-four more, bringing the total of new entries for this week to fifty-four. The agencies CISA oversees are expected to scan for and fix the vulnerabilities, and to report completion by, respectively, June 14th and June 15th.
Crime and punishment.
CyberScoop reports that Interpol has arrested the alleged ringleader of a massive Nigerian cybercrime operation that used phishing campaigns and business email compromise schemes to scam companies and victims. The crime ring, dubbed “SilverTerrier” by Palo Alto Networks, is believed to have targeted over 50,000 people since 2014. The notorious ring has seen more than a dozen arrests following a major global sting last year.
Courts and torts.
The Wall Street Journal reports that Twitter has reached a settlement with the Federal Trade Commission, agreeing to oversight and a civil penalty of $150 million for data abuse. Federal prosecutors allege that Twitter collected phone numbers and email addresses for multifactor authentication and fed that information into its advertising tools, which the social media giant failed to disclose.
Policies, procurements, and agency equities.
Reuters reports that last Friday President Putin complained to his security council that cyberattacks against Russia had increased. Mr. Putin also reprehended the way in which sanctions had affected the country's IT capabilities. "Restrictions on foreign IT, software and products have become one of the tools of sanctions pressure on Russia. A number of Western suppliers have unilaterally stopped technical support of their equipment in Russia." Russia needs, President Putin says, to shore up its cyber defenses, but he put a bold face on the situation, as Mashable quotes him: "Already today we can say that cyber aggression against us, as well as in general the sanctions attack on Russia, have failed."