Internet threat news

Attacks on Industrial Control Systems (ICS) and other forms of Operational Technology (OT) are nothing new. It was assumed that the majority of these attacks need to be conducted by highly skilled attackers with a fair amount of experience. This assumption was based primarily on the reasoning that an attacker would need to have an extensive knowledge base of the OT targeted, including how specific manufacturers created their products and what process those products regulated and maintained. According to a new report published by FireEye, it appears that the bar has been lowered significantly allowing inexperienced hackers the ability to carry out attacks on OT infrastructure.

The Colonial Pipeline Incident rocked the InfoSec community and much of the eastern seaboard of the US. The ramifications of the event are likely to mold the US’s strategy in combating cybercrime and ransomware for the foreseeable future. While that incident was unfolding and still being covered by many publications the Irish Healthcare system also experienced a ransomware attack. Two attacks to be more exact.

The attacks resulted in the shutdown of the healthcare system last Thursday. The ransomware gang responsible was the group behind the Conti ransomware strain. The attack impacted both the Department of Health and the Health Service Executive. Health Service Executive Anne O'Connor confirmed that Conti was the offending party when speaking to The Journal. As a result of the attacks it was reported that dozens of outpatient services were canceled, a vaccine portal for Covid-19 was shut down and the country has spent days trying to bring its healthcare IT system back online. This led several prominent Irish politicians to issue statements including, Irish Foreign Minister Simon Coveney who referred to the attack as a “very serious attack.” Irish Minister of State Ossian Smyth said it was “possibly the most significant cybercrime attack on the Irish State.”

The ransomware gang behind the DarkSide who attacked the Colonial Pipeline has only been operational for approximately nine months. Due to the incident, they are best known for, they have reached a level of notoriety cybercriminals tend to want to avoid. This has prompted some to research how much money the gang has made. Recently, Elliptic has dug into the murky depths of cryptocurrency blockchains to figure out how much the gang has made in those nine months. In Bitcoin, the ransomware’s developers and affiliates have netted a total of over 90 million USD.

In a blog article published by Elliptic, researchers gave us another interesting insight into how the gang managed their ransom payments. Much of the work involved tracking down the wallets used by the gang to facilitate payments. More payments may be uncovered in the future given the level of anonymity afforded to Bitcoin transactions, but it is important to note that Bitcoin transactions are not 100% anonymous and can be traced to a certain degree. According to Elliptic’s research 99 organizations have suffered a DarkSide infection with approximately 47% of the victims paying the ransom.

The Colonial Pipeline incident has dominated cybersecurity, economic, and political headlines for a large portion of this week's news cycle. It may even be a watershed moment in the ransomware timeline, a step too far if you will. Impacting one company for a period may be frustrating to consumers and bad for that company. Impacting a fuel pipeline, forcing the company to shut it down, which impacts every industry and consumer reliant on refined petroleum is another matter entirely. Every person that had to queue for fuel or couldn’t even get fuel will likely view themselves as impacted by the incident or even classify themselves as victims of the attack.

In the wake of the incident governments around the world have taken note of the damage that ransomware can inflict on the general populace. The US and the UK have issued statements that highlight what their governments will be doing in the future, and currently, to protect and prevent the population that voted them into power. On May 12, 2021, US President Joe Biden signed an executive order designed to drastically beef up the use of preventative measures such as multi-factor authentication endpoint detection and response, and log keeping, as well as a Cybersecurity Safety Review Board.

Ransomware is again making headlines and for all the wrong reasons. Last week this publication covered how using pirated software can leave an organization vulnerable to a ransomware attack. The incident showed how ransomware operators look to exploit poor network and security controls and how the granting of admin privileges should be kept to a minimum. Now, a recent incident shows how damaging a ransomware incident can be, not just to an organization but to society as a whole.

The incident involved the forced shutdown of the largest refined petroleum pipeline in the US. The Colonial Pipeline transports petroleum from the Gulf of Mexico to markets throughout the southern and eastern United States. The company transports 2.5 million barrels per day through its 5,500 mile pipeline and provides 45% of all fuel consumed on the East Coast of the US. The shutdown is expected to negatively impact the price of petroleum for consumption in an already volatile market according to the Wall Street Journal. Reports are already emerging of gas stations typically serviced by the pipeline running dry again impacting consumers negatively.

Long have the dangers of pirated software be shouted from the mountaintops by security researchers. Despite being illegal, the user has no idea what they are downloading. In many cases what they believe is a software package, movie, or TV show is laden with malicious payloads. Some of those payloads contain ransomware. This publication has covered how this is a favored distribution technique for many malware families and how the Pysa ransomware has been seen distributed via fake software crack sites. Now a company in the BioTech sector just suffered a Ryuk attack via a student downloading pirated software.

In a recent article published by Sophos, an incident involving their Rapid Response Team was covered. The team was called in to neutralize a Ryuk infection that occurred at a European biomolecular research institute. The organization has close links with several universities and works with students from those universities through a variety of programs. Further, the organization is involved in COVID-19 research which has proven to pique the interest of ransomware operators meaning that they are prime targets for ransomware gangs like the one behind Ryuk.

It has been a busy couple of days for reports coming from security firm FireEye. Last week this publication covered the use of the FiveHands ransomware strain by a financially motivated group tracked as UNC2447. This week a new report published by the firm details an attack campaign carried out by yet another financially motivated group tracked as UNC2529. The attack campaign was discovered by researchers in December 2020 and is notable for several reasons but namely that three new malware strains were observed being used in the campaign.

The attack campaign began with a concerted email phishing campaign. FireEye researchers saw that 28 organizations were sent phishing emails. It is safe to assume that more than 28 organizations were targeted, as the 28 seen to be targeted would only likely be organizations where FireEye has a presence on their infrastructure. Emails were sent from 26 unique addresses linked to a single domain, tigertigerbeads[.]com with the emails containing inline links to malicious URLs such as hxxp://totallyhealth-wealth[.]com/downld-id_mw<redacted>Gdczs, engineered to entice the victim to download a file containing a malicious payload. While the emails were sent from one domain the links were tracked to at least 24 different domains.

A financially motivated threat actor has been seen exploiting a zero-day bug in SonicWall SMA 100 Series VPN appliances. This is done to gain initial access to enterprise networks so that the threat actors can deploy a newly discovered ransomware strain, known as FiveHands. So far victims include organizations located in Europe and North America. The ransomware itself has several similarities to both the HelloKitty and the DeathRansom ransomware strains. Researchers believe that FiveHands is best described as a novel rewrite of DeathRansom. That being said it does have several differences, more on both the similarities and the differences to come below.

For those still clinging to the myth that Macs are inherently secure, 2021 is proving a difficult year to back up that argument. The advent of Silver Sparrow which raced to infect over 30,000 Macs and malware that targets Macs hiding in NPM packages are just two of several instances where Macs have been found to susceptible to attack. Now the threat operators behind the Shlayer malware have been seen exploiting a previously unknown zero-day. The good news is Apple has now released a patch for it, so it is strongly advised that Mac users download the latest patch if they have not done so already.

In summary, the malware’s creators found a way to bypass Apple's File Quarantine, Gatekeeper, and Notarization security checks and download second-stage malicious payloads. This is not the first time Shlayer has tricked Apple. Previously the malware was seen subverting the notarization process instituted with MacOS Catalina. This time, Shlayer subverts Gatekeeper to run malicious applications and harvest sensitive information.

Built to replace Secure Sockets Layer (SSL), Transport Layer Security (TLS) is a series of cryptographic protocols designed to secure communications across networks. The protocol is used in email, instant messaging, and voice-over IP applications. That being said the protocol's security layer in HTTPS remains one of the protocol's primary uses. It is this use as a security layer to keep communications hidden from the view of security researchers that threat actors have latched onto. According to a recent report published by Sophos Labs in 2020, 23% of malware detected was seen abusing the TLS protocol, by the first quarter of 2021 this had skyrocketed to 46%.

Researchers determined that the large growth in TLS abuse can be linked to threat actors increasingly turning to legitimate web and cloud services protected by TLS to further attack campaigns. Services like Discord, Pastebin, GitHub, and Google’s cloud services are increasingly being used as repositories for malware. Acting as a repository for malware or specific components is not the only use malware authors have found for the above-mentioned services. Researchers have seen services being used as storage for stolen data and to send commands to botnets and other malware. Further, the increase in TLS abuse has also partly been attributed to threat actors encapsulating communications behind Tor and TLS network proxies to hide them.

In a recent report published by Advanced Intel, a threat intelligence firm, those behind recent Ryuk attacks have changed tactics. The change in tactics is used to gain initial access to targeted networks and according to Advanced Intel’s researchers, the new tactic involves exploiting hosts with public Internet-facing RDP (remote desktop protocol) connections. Using targeted phishing emails to deliver malware continues to be the favored initial attack vector, but researchers noted that the start of 2021 saw an increase in instances where operators looked to compromise RDP connections to gain initial access.

To be granted access to Internet-facing RDP connections threat actors will use brute-force attacks, using a weak password and username combinations or credentials that have been leaked. Once initial access is granted to a network, threat actors will begin the reconnaissance stage of the operation. Researchers have noticed distinct phases once this step of the operation is begun. The first stage is defined by the attackers looking for valuable resources on the now compromised network.

While headlines regarding Iran’s nuclear program and possible Israeli malware been used to cause failures at nuclear plants is this week's big cybersecurity news, other developments deserve attention. One such development is the discovery of a new piece of malware that targets Node.JS developers using Mac and Linux machines. The malware was found in a malicious package on the NPM registry, used by developers to supplement their code with existing tools to make their life easier.

The malware was found in a package labeled “web-browserify,” which is intended to imitate the popular Browserify package that has been downloaded over 160 million times. It can be assumed that the attacker by naming their malicious package “web-browserify” is hoping to trick developers into downloading the malicious package. The malware is built by combining hundreds of legitimate open-source components and performs extensive reconnaissance activities on an infected system. As of April 13, 2021, the malware was being detected by none of the malware engines tracked on Virus Total. Writing for Bleeping Computer, Ax Sharma, who works for Sonatype security, along with a team of researchers, discovered the malware.

The recent Exchange Server vulnerability and news that the flaws were being used to spread ransomware dominated many InfoSec headlines. However, Kaspersky’s recent discovery of the Cring ransomware strain using an old VPN vulnerability as the initial attack vector reminds us that ransomware operators can always dig into the old bag of tricks to pull off a successful attack.

On January 26, 2021, Swisscom CSIRT tweeted,

Since April 3, 2021, several reports emerged of a trove of data belonging to Facebook users that had been leaked online for free. The data included namely mobile phone numbers but also includes names, emails, gender information, occupations, as well as several location identifiers. The stolen data first emerged on the forum in July 2020, when one member began selling the information to other members of the underground hacking forum.

The sale of data on such forums is standard practice for those stealing sensitive data from other organizations. However, this instance was notable as a lot of the information could be scraped from the public-facing user-profiles and the mobile numbers associated with accounts were private. That means they should not have been accessible in the same manner information on the public profiles is. In total the sold data included 533,313,128 Facebook users. Researchers discovered that the large majority of the stolen data sets included a private mobile number as well as a Facebook ID, a name, and the member's gender.