Internet threat news

Three separate reports suggest that international law enforcement agencies are continuing to apply pressure to ransomware gangs, whether it’s the gang leaders, infrastructure, or affiliates. Last week we covered how the BlackMatter ransomware gang was experiencing a legal clampdown. Now despite ceasing operations after reports suggested that US Cyber Command successfully targeted servers used by ransomware gang, is still being targeted by law enforcement. Now it appears that there is an international effort to go after affiliates and leaders of the Sodinokibi gang.

On November 3, 2021, a Twitter post by vx-underground displayed an announcement by BlackMatter leadership that they were shutting down ransomware operations. The announcement read,

“Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) -- project is closed...After 48 hours the entire infrastructure will be turned off, allowing: Issue mail to companies for further communication [and] Get decryptor. For this write 'give a decryptor' inside the company chat, where necessary. We wish you all success, we were glad to work.”

When a company is involved in a merger, acquisition, or listing on an internationally respected stock exchange it is a significant financial event in that organization’s history. The Federal Bureau of Investigation (FBI) is now warning that such events are now being targeted by ransomware gangs in a variety of ways in order to place more pressure on victims to pay the ransom lest the financial event is derailed by ransomware revelations.

According to the threat actors behind the Grief ransomware strain, they have successfully compromised the National Rifle Association (NRA) network, stolen data, and encrypted their data. Bleeping Computer reports that the ransomware group posted the announcement to their leak site along with data stolen from the NRA. The site now boasts images of Excel spreadsheets containing tax and investment information allegedly belonging to the NRA. Further, the group leaked a zip file, “National Grants.zip”, which is reported to contain information relating to grant applications done by the NRA.

In a recent article published by Emisoft, it was revealed how researchers discovered a bug in the BlackMatter ransomware’s code.  This bug was exploited by researchers to create decryption keys that were secretly handed out to victims of the ransomware gang, potentially losing the gang millions of dollars worth of ransom payments.

DarkSide, the threat group strongly believed to be behind BlackMatter and previously behind the DarkSide ransomware, was initially best known for committing other financially motivated cybercrimes, seeing the profit margins ransomware, and the ransomware-as-a-service business model could unlock they quickly pivoted.

The infamous financially motivated threat group FIN7 has been discovered to be posing as a legitimate company to hire penetration testers and other cybersecurity professionals to do the heavy lifting of the preliminary steps a typical ransomware attack would follow. FIN7 also tracked as Carbanak, is perhaps best known for attacks on Saks Fith Avenue and Lord & Taylor stores. Those attacks resulted in the subsequent sale of over 5 million payment cards on the dark web.

In what is writing itself into its own Netflix Original movie at this point, it appears Sodinokibi, also tracked as REvil, infrastructure has been taken offline for the second time this year. The news comes following statements made on the popular hacking forum XSS. The forum posts have been shared to Twitter by Dmitry Smilyanets, a security researcher for Recorded Future. Another post was also shared by Smilyanets which further explained the decision to take the infamous ransomware’s infrastructure offline.

With ransomware attacks now becoming an almost daily phenomenon governments are actively looking at new ways to combat the scourge and protect both individuals, organizations, and national interests. The Australian Minister for Home Affairs, Karen Andrews, has recently published a plan titled the “Ransomware Action Plan.”

The Japanese tech giant, Olympus, announced that its IT systems in the US, Canada, and Latin America had suffered a cybersecurity incident. Details of the attack are thin on the ground, but the attack follows another incident that occurred in September 2021. The first attack was announced on September 11, which according to the company affected the IT systems for Europe, the MIddle-East, and Africa. Again details of the attack were sparse but according to Bleeping Computer, the attack involved the now-infamous BlackMatter ransomware.

According to a recently published blog by Cybereason Nocturnus, researchers for the security firm have discovered a cyber espionage campaign making use of previously undiscovered malware. Researchers have, further, attributed the new espionage campaign to an also previously undisclosed threat group they have codenamed MalKamak. The group is currently targeting organizations in the aerospace and telecoms sectors.

Kaspersky Labs just recently published a report detailing a link between the Tomiris backdoor and the threat actors behind the SolarWinds attack that occurred towards the end of 2020. In summary, the backdoor closely resembles another piece of malware deployed by DarkHalo, SunShuttle, as well as similar tactics used in finding targets and deploying malware.

This week has seen the announcement of two separate campaigns infecting Android users with some form trojan malware. The first incident involves the discovery of a new trojan, called GriftHorse, while the second trojan distribution campaign involves an offshoot of the infamous Cerberus banking trojan. This latest Cerberus-based trojan has been called ERMAC by researchers.

Security firm eSentire published an article detailing an odd ransomware incident. In summary, the incident is odd as it used advanced techniques to gain initial access and compromise the target’s network. However, the ransomware dropped, Hello, is regarded as fairly unsophisticated. This provided researchers with a few head-scratching moments.

The victim in the instance observed was a testing company that evaluates hundreds of products from around the globe. This implies that during testing the company has access to a ton of intellectual property, making the company a high-profile target for attackers. The attack was also determined by researchers to be a hands-on-keyboard attack.

The Cybersecurity and Infrastructure Security Agency (CISA) recently published an advisory regarding the Conti ransomware. The advisory provides a comprehensive analysis of techniques used by the ransomware gang in the past and present. The advisory also noted that the Federal Bureau of Investigation (FBI) has observed more than 400 incidents involving ransomware internationally and in the US. The advisory also includes mitigation strategies to protect against falling victim to a Conti attack, measures that CISA, the FBI, and the NSA have adopted to secure their infrastructure.