Internet threat news

The threat posed to critical infrastructure via cyber-attacks has long been a major concern for security researchers. Recent developments have seen ransomware gangs actively targeting critical infrastructure. The HelloKitty ransomware variant might be best known for its attack upon CD Projekt Red, but the ransomware’s operators have proved equally capable of going after power plants. The bad news for organizations within the critical infrastructure sector does not end with HelloKitty.

In a report published by Dragos, researchers uncovered the activities of four new and distinct hacking groups targeting critical infrastructure. The discovery of these four groups seemingly accounted for a 36% increase in known groups tracked by the security firm that specializes in targeting industrial control systems (ICS). Dragos previously released details of 11 other groups known for targeting the US power grid. Further, the security firm noted that issues making targeting critical infrastructure such fertile ground include, not having enough visibility with the Operation Technology (OT) network and the unsafe sharing of OT credentials across the network. What follows is a brief look at each of the four new groups identified by Dragos.

Details of a new malware designed to target Macs, called Silver Sparrow, has already infected close on 30,000 separate machines. The malware was discovered by researchers from Red Canary who subsequently analyzed the malware along with Malwarebytes and VMWare Carbon Black. In a subsequent report published by Red Canary, it was found that the malware can target Apple’s heralded M1 chips. This would make Silver Sparrow the second such capable malware to have been discovered recently. A lot of mystery still surrounds the malware as while capable of infecting a wide array of Mac devices it lacks one crucial element, a payload.

Malwarebytes was able to provide an accurate breakdown of the malware's impact. By February 17, 2021, Silver Sparrow had infected 29,139 macOS endpoints across 153 countries. High volumes of detections had been found in the United States, the United Kingdom, Canada, France, and Germany. Despite the high number of infections how the malware is distributed is not known. Similarly, how the malware infects machines is also not known. Typically, malware that targets Macs are often distributed via malicious ads, fake app downloads, pirated software, or the infamous fake Flash update. However, as for Silver Sparrow, these details are currently unknown.

Over the past week or so investigations into the recent SolarWinds attack which made international headlines in December 2020 have or are close to concluding. The revelations of the investigations show a truly massive scale of operations employed by the attackers, with many, including the US government, believing Russian state-sponsored hacking groups were involved. Major tech industry players were impacted like Microsoft and FireEye, along with government agencies with varying responsibilities. Microsoft should be applauded for their candor throughout the incident as well as their investigations that have helped keep the public informed.

In a recent interview with CBS News’ 60 Minutes Microsoft president Brad Smith answered many questions as to the scale of the attack and Microsoft’s unprecedented response to the incident. As to the scale, Smith and many others believe that the attack may have been the largest and most sophisticated the world has seen. Other reports estimate that 18,000 organizations may have been impacted by the attack.

In terms of law enforcement striking back at cybercriminals, the last few weeks have brought more than a few good stories. From two ransomware gangs ceasing operations in part due to collaborative law enforcement operations spanning several countries and there want to make up for some of the harm, they have caused. The law enforcement operations resulted in Emotet’s infrastructure being seized and the arrest of a Netwalker ransomware affiliate being arrested. Now, in a combined effort between French and Ukrainian law enforcement agencies, several affiliates of the Egregor have been arrested.

The news was initially broken by France Inter, with journalist Emmanuel Leclère noting that law enforcement made the arrests after French authorities could trace ransom payments to individuals located in Ukraine. The individuals arrested are believed to be hackers working in partnership with the creators of the ransomware to hack into corporate networks and deploy the ransomware. The InfoSec community refers to these individuals as affiliates.

The Polish game developer, best known for the Witcher 3 and Cyberpunk 2077, has recently taken to Facebook and Twitter to confirm that they had suffered a ransomware attack. The game developer has recently been in the news a lot following the shambolic release of Cyberpunk 2077, and for none of the reasons the company would like to be in the news. Suffering a ransomware incident now would be the last thing company employees and executives would want to deal with. This is also not the first time the company has suffered such an incident.

The latest incident was confirmed on February 8, 2021, via a statement. Included in the statement was a copy of the ransom note dropped by the attacker. In turn, hackers responsible for the attack claim, based on claims made in the ransom note, that source code for games like Cyberpunk 2077, Gwent, and The Witcher 3, along with an unreleased version of The Witcher 3 game, had been successfully stolen. Such tactics are in line with double extortion tactics which now dominate the ransomware threat landscape.

Recently, not one but two ransomware gangs have called it a day. For those who are victims of both the Ziggy and Fonix, ransomware strains will be pleased to know that both gangs have released decryption keys to help assist victims to recover their encrypted data. While the act may be viewed as a generous gesture to right wrongs committed in the past, not all may be as altruistic as it seems at first glance.

According to Bleeping Computer, security researcher M. Shahpasandi told the publication that the Ziggy Ransomware operators announced on Telegram that they were shutting down their operation and would be releasing all of the decryption keys. This was later confirmed by the publication when they reached out to the operators. Further, those behind the ransomware’s creation did so as they reside in a third-world country and needed to “generate money”. The reasons to stop operations boiled down to them feeling guilty about their actions and recent developments regarding law enforcement targeting cybercriminals. More on that to follow.

In the past, the research conducted by Chainalysis has provided levels of insight into ransomware operations that were sorely lacking in the past. By following the “money”, largely in the form of the trail left by ransomware gangs who utilize cryptocurrencies as their main vehicle for conducting their shady extortion business, Chainalysis provides a view of the criminal underworld few would typically see. The last time this publication covered research conducted by the blockchain analysis firm, their research revealed that two hacker groups were responsible for 60% of crypto hacks behind cryptocurrency theft from exchanges.

The latest report by Chainalysis, “The Chainalysis 2021 Crypto Crime Report” will be released later in February. In the meantime the firm has published a supplementary article detailing the connections between four of last years most prominent ransom gangs, Maze, Egregor, SunCrypt, and Doppelpaymer. Previously it was theorized that that Ransomware as a Service (RaaS) affiliates will often switch between ransomware strains to generate more profit. This would imply that the number of active ransomware threat actors is smaller than the ransomware activity currently seen and that there is a level of interconnectedness that has only been speculated upon.

In a report published by ESET, titled “A wild Kobalos appears: Tricksy Linux malware goes after HPCs” details of a new malware strain which has been seen to target high-performance computing (HPC) clusters. Typically, HPC are collections of servers, referred to as nodes, connected to each other via fast interconnect. Each node has a specific task to handle logins, data transfer, or advanced computational processes and is geared towards ensuring the high performance of the system when in use. HPCs are sometimes referred to as a “super computer” as they perform tasks that regular desktop computers can’t do or would take too long in performing.

The malware, called Kobalos, is a surprisingly small but complex piece of malware. It is perhaps for this reason that the malware has been named after a sprite from Greek mythology known for causing mischief among mortals. Those who play Dungeons and Dragons will be familiar with the Germanic associations of the mythological creature, called Kobolds. The malware has already been seen in the wild infecting HPCs based in Europe and has been seen targeting other Linux based servers on a global scale.

The year 2020 will be remembered for a lot of reasons, with the majority of those reasons been viewed with negative emotions. Another reason to be added to the “bad” pile was discovered by security firm Neustar, that being that Distributed Denial of Service (DDoS) attacks experienced somewhat of a boom in popularity. According to a report published by the firm DDoS attacks were the number one threat for respondents in their November 2020 survey. The survey was conducted by the Neustar International Security Council (NISC) and showed that the majority of those surveyed, 22%, believed the biggest threat they faced was a DDoS attack. Further, the number of respondents that acknowledged that they had suffered such an attack went up from 60% in 2019 to 74% in 2020.

Distributed Denial of Service, or DDoS, attacks can be seen as an attempt to maliciously disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. This can be done through the use of botnets, devices infected with specific malware that allows a hacker control over the device and can send HTTP requests via a device. Hackers will connect thousands of infected devices to send requests to the target server to the point where the server cannot handle the traffic.

In a new report by security firm Sophos, the gang behind the Nefilim ransomware, also called Nemty, are using stolen credentials belonging to deceased individuals to compromise networks. Nefilim is perhaps best known for their successful attack on appliance manufacturing giant Whirlpool towards the very end of 2020. The ransomware has also been spread by the Phorpiex botnet in the past.

According to Sophos, a company reached out to the security firm in response to suffering a ransomware attack that managed to successfully target more than 100 systems. Once researchers began analyzing the attack, they soon discovered that an account previously belonging to a deceased employee was used to compromise the company network. It was noted that,

Two separate warnings have been published warning that certain encryption protocols are obsolete and may place organizations at risk. Both the US National Security Agency (NSA) and the Dutch National Cyber Security Centre (NCSC) have warned that TLS 1.1 and, to some extent, TLS 1.2 may leave organizations open to attack. It is recommended that TLS 1.3 be used. While the NCSC believes TLS 1.2 can still be secure it is not as future-proofed against potential attacks as TLS 1.3. Both the Transport Layer Security (TLS) and the Secure Sockets Layer (SSL) protocols were developed to create secure levels of communication between client and server. The protocols are deemed secure as they rely upon cryptographic encryption and authentication to help ensure that communication between the client and server remain private. However, over the years several weaknesses have been discovered and improvements made. Sadly, the adoption of improved TLS protocols has not been universally adopted and successful attacks have been seen.

Researchers at CheckPoint have discovered a new botnet, called FreakOut, that exploits not one but three known software vulnerabilities to infect Linux systems. With TrickBot managing to create enough of a problem that big tech and law enforcement have moved to shut it down, with varying levels of success, a new contender may rise to fill a void. It is early days for FreakOut, and while the malware looks to spread to new devices and drop cryptomining malware if users don’t patch the impacted products more dangerous malware maybe soon to follow.

Researchers discovered an active campaign on January 8, 2021, when they noticed the malicious script being downloaded from hxxp://gxbrowser[.]net. Since then, the researchers observed hundreds of attempts to download the code. The purpose of the attack is to infect machines with vulnerable versions of the popular TerraMaster operating system, the Zend Framework (Laminas Project), or Liferay Portal. While later versions of the malware are being used to drop an XMRig miner, due to the level of control granted to the attackers' other malware strains can be dropped just as easily. As to the vulnerabilities exploited by the attackers, they all have large user bases, have been patched, and have proof-of-concept exploit code easily available online.

The InfoSec community sees time and time again that a successful scam does not need cutting edge malware to succeed. Relatively lo-fi scams with regards to technology still are a massive problem for anyone using the Internet or an Internet-connected device. Sextortion scams are a case in point. Group-IB has been tracking another relatively lo-fi scam since the summer of 2019, that originated in Russia and is now spreading to Europe. The scam has been called classiscam and involves luring potential victims to websites that closely resemble classified selling a variety of goods.

When compared to the recent SolarWinds, classiscam looks almost medieval, but readers should note that the scam has already netted scammers 6.5 million USD in 2020 alone. However, the scam does make use of technology to automate the scam so it can be offered as a service to other less morally inclined individuals.

In a recently published report by ESET, titled “Operation Spalax: Targeted malware attacks in Colombia” the details of a campaign targeting Columbian energy and metal firms were analyzed. The campaign began in 2020 and appears to still be ongoing. In summary, the attackers make use of relatively easy to obtain remote access trojans (RATs) to spy on victims. Given that RATs are best suited to spying on targets this would be the likely modus operandi of the attackers; however, they can be further weaponized or used to first compromise a machine and then drop more damaging malware onto the already compromised machine.

In the wild RATs are typically masqueraded as legitimate programs that are either mistakenly downloaded or installed from an attachment by the victim. Once installed they grant the attacker administrative control over the device, effectively granting control of the device over to the attacker to do with what they please. As they are either legitimate-looking or are bundled with legitimate files, they often evade detection. Over the years RATs have evolved not just to grant the attacker access to the computer but have added keylogging and information stealing capabilities. Some have been seen to be able to steal banking information and related credentials, exfiltrate the data to a server under the attacker’s control, and then be used to commit bank fraud.