Internet threat news

Initially when we covered the SolarWinds supply chain hack in mid-December fingers were already pointing at Russian nation-state threat actors as being the likely responsible party. Given the scale and sophistication of the attack, there would only be a few well-resourced groups across the globe that had the patience and skill to conduct such a cyberespionage attack. Given Russia’s recent past it was likely that expert opinion would likely look to Russia for an explanation likely to never come. Now, the US government has officially blamed Russia for what is quickly becoming one of the most severe hacks seen, with experts rather dramatically comparing it to Pearl Harbour.

Comparisons to historical events where the loss of life and further war do seem to be misplaced; however, the severity of the hack is slowly coming to light. In a joint statement issued by the FBI, CISA, ODNI, and the NSA the government agencies stated,

It is foreseeable that the SolarWinds hack will dominate headlines sometime. As more information emerges, headlines will follow. One trap that the public should not fall into is to assume other hackers take a break while the limelight is not on them. Ransomware gangs are a case in point, they will still operate even though they are not in the headlines, at least briefly. The gang behind Nefilim has managed to steal a headline or two by adding another large organization to their victim list. The victim this time is home appliance giant Whirlpool.

The manufacturer is one of the world's largest home application makers with appliances under its name and KitchenAid, Maytag, Brastemp, Consul, Hotpoint, Indesit, and Bauknecht. Whirlpool employs 77,000 people at 59 manufacturing and technology research centers worldwide and generated approximately 20 billion USD in revenue for 2019. Over the weekend the gang published data that had supposedly been stolen for Whirlpool on the gang's “leak site”.

In recent memory, a collaboration between Windows and several other security firms attempted to take out TrickBots infrastructure. Cooler heads warned that this was not the end of TrickBot, and those behind would be back. This was proved to be true but the attempt to take down TrickBot’s infrastructure did achieve one important goal, to prevent the botnet known for distributing ransomware from having any discernible impact on the recent US elections. TrickBot’s return mirrors recent attempts by the US Federal Bureau of Investigation and Interpol taking down Joker’s Stash servers.

Joker’s Stash has developed a reputation over the years for being the biggest marketplace for buying and selling stolen cards. According to ZDNet both the FBI and Interpol sent out a joint email stating that a small number of Joker’s Stash servers were seized disrupting the illegal platforms business operations at least temporarily. The operation was still described as ongoing and more servers have been targeted for seizure. Seizure banners appeared on four Joker's Stash sites, at jstash.bazar, jstash.lib, jstash.emc, and jstash.coin.

The recent SolarWinds supply chain attack has dominated InfoSec headlines. The sheer scale of the attack warrants the coverage with even major media outlets dedicating time and space to cover the story. While the publics' attention is diverted elsewhere, hackers don’t seem to take too many breaks. Even before the SolarWinds incident, several ransomware gangs were morphing tactics once more. Now gangs like DoppelPaymer, Conti, Ryuk are cold calling victims who managed to restore systems from backups. This is done to harass and place extra pressure on victims to pay the ransom.   

According to an article published by ZDNet dating back to December 5, 2020, security researchers saw this trend emerging as far back as August of this year. The cold calling of victims is believed to be done by an outsourced call center, possibly working for the gangs mentioned above and believed to work for the now-defunct Maze and Sekhmet ransomware gangs.

This week’s cybersecurity news has been dominated by one event, the SolarWinds supply chain attack. On Sunday, the Washington Post published an article detailing who is possibly behind the attack. The sentiment was echoed in a New York Times article published on the same day. While the finger-pointing has begun in earnest and will be covered in more detail below, how the attack was carried out will be of interest to many in the InfoSec community.

Details of the attack are still emerging, and will likely still emerge for some time, but a summary of the attack is needed before a dive into the how is done. On Monday, December 14, 2020, the US government ordered several emergency measures to be taken to recover from potentially the most sophisticated cyber incident to occur in years. The attack made use of using compromised software updates to gain access to potentially thousands of private and public enterprises. Based on initial reports and admissions, the attack was enabled when hackers managed to insert malicious code into software updates for SolarWinds’ Orion product. Orion is used by some 275,000 customers worldwide, including Fortune 500 companies and US government agencies. The compromised updates were released in March and June of this year meaning some victims may have been compromised for nine months.

Recently, this publication reported on how APT28, the infamous Russian nation-state threat actor, changed tactics to target the Norwegian parliament and recent US elections. Rather than the favored method of using spear phishing to initially compromise victims and steal credentials, the group employed brute-force attacks to gain access to victims’ infrastructure. New research by security firm Intezer shows that the group has not completely abandoned its spear-phishing tactics. Why would they? It is still an incredibly effective method of credential-stealing when done right or dropping malware onto targeted machines.

In November, Intezer researchers discovered an APT28 campaign utilizing phishing lures designed to spread the Zebrocy malware. Several characteristics set this campaign apart from others seen in the past. Firstly, the malware was written in Go, or Golang, and not the more traditional version written in Delphi. Secondly, the malware was delivered via Virtual Hard Disk (VHD) files. Windows 10 allows users to run VHD files natively now and maybe partly behind the decision to weaponize the file format to spread Zebrocy. VHD files are popularly used to run multiple operating systems on a single machine, allowing developers to test applications on multiple platforms without having to partition hard drives which can be a hassle.

According to the Norwegian police secret service (PST), APT28 is also known as Fancy Bear was behind a recent cyberattack on the Norwegian Parliament. The attack happened in August 2020 with hackers gaining access to the Parliament's email system and accessed inboxes for Stortinget (Parliament) employees and government elected officials.

At the time of the initial announcement of the attack in September by government officials, no details of the hack were released to the public. In a follow-up announcement in October, Norwegian Foreign Minister Ine Eriksen Søreide stated that from initial investigations several clues suggested that the attack was carried out by Russian hackers.

The botnet called TrickBot and its operators has been a pain in the side of cybersecurity experts for years now. In October, Microsoft announced that the tech giant had partnered with several security firms and internet service providers that it had attempted to cripple TrickBot’s infrastructure. It was hoped that their actions would takedown the botnet often used to spread ransomware. These were high hopes, and the InfoSec community knew that TrickBot would return. Microsoft’s actions were not in vain, as one of the main aims of the partnership was to prevent TrickBot from having an impact on the recent US National Elections. In this, the mission succeeded, but more than a few probably hoped that TrickBot remained hobbled for longer.

Those behind TrickBot were not inclined to admit defeat after their infrastructure had been crippled, the opposite is probably true and several new features have been added recently that make TrickBot a more fearsome opponent than before. Towards the end of November 2020, Bitdefender discovered that the malware had been updated to include improved communications, a new command-and-control infrastructure, and several newly packaged modules.

It is not an underestimation by any means to say that ransomware dominates the InfoSec news feed. This has been the case for several years but 2020 is surely breaking all the past records. With ransomware dominating the headlines a few other malware trends for the year have crept by almost unnoticed. One of those trends is the increase in popularity of Docker malware. Docker has become a popular framework for web and app developers, since 2017 there has been an emergence of malware targeting Docker users you don’t properly secure their applications.

Initially, the malware discovered looked to infect developers who had misconfigured admin interfaces. This was done to drop cryptocurrency miners, like CoinMiner, and attackers simply trawled for vulnerable systems. Since the early days of Docker malware, threats have evolved significantly since then and new malware strains are being discovered on a regular basis. Despite the rise in this kind of malware developers are still not applying basic cybersecurity principles to projects. The most common mistake made by developers is leaving Docker remote administration API endpoints exposed online without authentication. Hackers will then look to install cryptocurrency miners or backdoor trojans via malicious operating system images (OS Images).

Since Egregor’s discovery in late September early October of 2020, the ransomware has wrecked a bloody toll in the short time it has been actively claiming victims. The first few of which included Barnes and Noble, Crytek, and Ubisoft. Since the apparent retirement of the Maze ransomware gang, Egregor has been quick to capitalize on the gap left in the market by Maze’s departure.

Not only has the group behind Egregor been quick to fill the gap left by the Maze gang, but they have also been quick to adopt the tactics that made Maze so successful. Namely the human-operated tactics involving targeting large organizations with complex networks increases the likelihood of demanding a bigger ransom once critical network assets are encrypted resulting in increased downtime.

Late last week KrebsOnSecurity reported that GoDaddy, the world’s largest domain register, had been involved in a cyber-attack using social engineering tactics to first trick GoDaddy employees the target several cryptocurrency trading platforms. This incident, involving GoDaddy staff comes a few months after a similar incident where attackers assumed control of several domain names. While in May 2020, the company disclosed that 28,000 web hosting accounts had been compromised.

Returning to the latest attack, it appears that on November 13, 2020, the cryptocurrency trading platform Liquid was locked out of its domain. In a statement by Mike Kayamori, CEO of Liquid, stated,

Those behind the Mount Locker ransomware are looking to ruin an already stressful time for some, the tax return season. The ransomware strain is actively looking to target file extensions used by TurboTax, a software package developed to help US users with their tax returns. Mount Locker is a relatively new ransomware strain, first spotted in July 2020. Like many of the newer ransomware strains, they have been quick to adopt human-operated ransomware tactics, that made Maze, Ryuk, and Sodinokibi so devastating. These tactics have come to include threatening, and in many cases, releasing data stolen by the attackers before encryption occurs.

Like those who have gone before Mount Locker, the ransomware’s operators have a dedicated leak site which they use to announce victims and release data if the ransom is not paid. The lasts version of the ransomware discovered by Vitali Kremez appears to target the following TurboTax file extensions, .tax, .tax2009, .tax2013, and .tax2014. Given that many are gearing up to submit tax returns due by April 2020, it is believed that by targeting these files the attackers can place increased pressure on victims to pay the ransom.

Since the start of 2020 researchers have seen an almost continuous run of ZLoader campaigns. Initially distributed via exploit kits, malicious programs that look to exploit several known flaws, typically found in Internet Explorer. In the most recent campaigns discovered by researchers based at Malwarebytes, the attackers have changed tactics to use social engineering tactics to target those visiting popular adult content websites. Details of this change in tactics have been published by Malwarebytes on their blog.

Social engineering to distribute malware is not new but is still highly effective. These tricks are currently being used to distribute ZLoader, classified as a banking trojan, which is a piece of malware designed specifically to steal banking credentials or information attackers may use to commit fraud. ZLoader was inactive for two years till the end of 2019 when it saw a resurgence in activity. Now, the once banking trojan can be better described as an info stealer. Rather than targeting banking information exclusively, the malware now harvests a wide range of data, not just that related to banks and other financial institutions. The latest campaign, codenamed Malsmoke by researchers, looks to target adult sites that have incredibly high traffic turnovers. Sites like XHamster and Bravo Porn Tube rake in hundreds of millions to millions of visitors a month, respectively.

In a recently published blog post, ESET has revealed a new point-of-sale (POS) malware being used to target the already under pressure hospitality sector given the current impact the COVID-19 pandemic has had on the sector. POS Malware can be seen as any malicious program which can be installed on devices used by businesses to authorize transactions, typically bank card transactions. The goal of the malware is to steal financial information including credit card details to use to commit fraud or to be sold to other third parties.

Called ModPipe, the new malware strain can best be described as a modular backdoor that grants the attacker access to sensitive financial information. Researchers discovered the malware targeting devices running ORACLE MICROS Restaurant Enterprise Series (RES) 3700 POS. The device is primarily used within the hospitality sector as a management software suite used to process payments in bars, restaurants, hotels, and other hospitality establishments across the globe. What separates ModPipe from other POS Malware, such as the predicted to have been used in the Wawa card breach and the one used to steal data at gas stations across the US, is that it is capable of decrypting database passwords directly from the Windows registry. Most similar malware strains will use less stealthy methods to steal the data, like keyloggers.