Internet threat news

In a report published by ESET, titled “A wild Kobalos appears: Tricksy Linux malware goes after HPCs” details of a new malware strain which has been seen to target high-performance computing (HPC) clusters. Typically, HPC are collections of servers, referred to as nodes, connected to each other via fast interconnect. Each node has a specific task to handle logins, data transfer, or advanced computational processes and is geared towards ensuring the high performance of the system when in use. HPCs are sometimes referred to as a “super computer” as they perform tasks that regular desktop computers can’t do or would take too long in performing.

The malware, called Kobalos, is a surprisingly small but complex piece of malware. It is perhaps for this reason that the malware has been named after a sprite from Greek mythology known for causing mischief among mortals. Those who play Dungeons and Dragons will be familiar with the Germanic associations of the mythological creature, called Kobolds. The malware has already been seen in the wild infecting HPCs based in Europe and has been seen targeting other Linux based servers on a global scale.

The year 2020 will be remembered for a lot of reasons, with the majority of those reasons been viewed with negative emotions. Another reason to be added to the “bad” pile was discovered by security firm Neustar, that being that Distributed Denial of Service (DDoS) attacks experienced somewhat of a boom in popularity. According to a report published by the firm DDoS attacks were the number one threat for respondents in their November 2020 survey. The survey was conducted by the Neustar International Security Council (NISC) and showed that the majority of those surveyed, 22%, believed the biggest threat they faced was a DDoS attack. Further, the number of respondents that acknowledged that they had suffered such an attack went up from 60% in 2019 to 74% in 2020.

Distributed Denial of Service, or DDoS, attacks can be seen as an attempt to maliciously disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. This can be done through the use of botnets, devices infected with specific malware that allows a hacker control over the device and can send HTTP requests via a device. Hackers will connect thousands of infected devices to send requests to the target server to the point where the server cannot handle the traffic.

In a new report by security firm Sophos, the gang behind the Nefilim ransomware, also called Nemty, are using stolen credentials belonging to deceased individuals to compromise networks. Nefilim is perhaps best known for their successful attack on appliance manufacturing giant Whirlpool towards the very end of 2020. The ransomware has also been spread by the Phorpiex botnet in the past.

According to Sophos, a company reached out to the security firm in response to suffering a ransomware attack that managed to successfully target more than 100 systems. Once researchers began analyzing the attack, they soon discovered that an account previously belonging to a deceased employee was used to compromise the company network. It was noted that,

Two separate warnings have been published warning that certain encryption protocols are obsolete and may place organizations at risk. Both the US National Security Agency (NSA) and the Dutch National Cyber Security Centre (NCSC) have warned that TLS 1.1 and, to some extent, TLS 1.2 may leave organizations open to attack. It is recommended that TLS 1.3 be used. While the NCSC believes TLS 1.2 can still be secure it is not as future-proofed against potential attacks as TLS 1.3. Both the Transport Layer Security (TLS) and the Secure Sockets Layer (SSL) protocols were developed to create secure levels of communication between client and server. The protocols are deemed secure as they rely upon cryptographic encryption and authentication to help ensure that communication between the client and server remain private. However, over the years several weaknesses have been discovered and improvements made. Sadly, the adoption of improved TLS protocols has not been universally adopted and successful attacks have been seen.

Researchers at CheckPoint have discovered a new botnet, called FreakOut, that exploits not one but three known software vulnerabilities to infect Linux systems. With TrickBot managing to create enough of a problem that big tech and law enforcement have moved to shut it down, with varying levels of success, a new contender may rise to fill a void. It is early days for FreakOut, and while the malware looks to spread to new devices and drop cryptomining malware if users don’t patch the impacted products more dangerous malware maybe soon to follow.

Researchers discovered an active campaign on January 8, 2021, when they noticed the malicious script being downloaded from hxxp://gxbrowser[.]net. Since then, the researchers observed hundreds of attempts to download the code. The purpose of the attack is to infect machines with vulnerable versions of the popular TerraMaster operating system, the Zend Framework (Laminas Project), or Liferay Portal. While later versions of the malware are being used to drop an XMRig miner, due to the level of control granted to the attackers' other malware strains can be dropped just as easily. As to the vulnerabilities exploited by the attackers, they all have large user bases, have been patched, and have proof-of-concept exploit code easily available online.

The InfoSec community sees time and time again that a successful scam does not need cutting edge malware to succeed. Relatively lo-fi scams with regards to technology still are a massive problem for anyone using the Internet or an Internet-connected device. Sextortion scams are a case in point. Group-IB has been tracking another relatively lo-fi scam since the summer of 2019, that originated in Russia and is now spreading to Europe. The scam has been called classiscam and involves luring potential victims to websites that closely resemble classified selling a variety of goods.

When compared to the recent SolarWinds, classiscam looks almost medieval, but readers should note that the scam has already netted scammers 6.5 million USD in 2020 alone. However, the scam does make use of technology to automate the scam so it can be offered as a service to other less morally inclined individuals.

In a recently published report by ESET, titled “Operation Spalax: Targeted malware attacks in Colombia” the details of a campaign targeting Columbian energy and metal firms were analyzed. The campaign began in 2020 and appears to still be ongoing. In summary, the attackers make use of relatively easy to obtain remote access trojans (RATs) to spy on victims. Given that RATs are best suited to spying on targets this would be the likely modus operandi of the attackers; however, they can be further weaponized or used to first compromise a machine and then drop more damaging malware onto the already compromised machine.

In the wild RATs are typically masqueraded as legitimate programs that are either mistakenly downloaded or installed from an attachment by the victim. Once installed they grant the attacker administrative control over the device, effectively granting control of the device over to the attacker to do with what they please. As they are either legitimate-looking or are bundled with legitimate files, they often evade detection. Over the years RATs have evolved not just to grant the attacker access to the computer but have added keylogging and information stealing capabilities. Some have been seen to be able to steal banking information and related credentials, exfiltrate the data to a server under the attacker’s control, and then be used to commit bank fraud.

The first week of 2021 is almost up and it has already seen its fair share of news. In the InfoSec community, we have already seen the fallout of the SolarWinds hack and credit card details being leaked online for free. 2020’s most prevalent and destructive threat, ransomware, surely would not the new year begin without some development. True to form, a new variant emerged looking to target enterprises so as to demand higher ransoms emerged.

Called Babuk Locker the ransomware can be summarized as learning the lessons from the other human-operated ransomware strains like Conti, Sodinokibi, and Ryuk but with less professionalism and polish. That being said the ransomware strain has already notched up several victims and must still be seen as dangerous. Base on research conducted by Bleeping Computer and security researcher Chuong Dong operations involving the spread of the ransomware began in 2021 and the ransomware operators are demanding anywhere between 60,000 USD and 85,000 USD in Bitcoin to decrypt data. The operators are also using the ransomware in a highly targeted manner typical of modern human-operated ransomware variants. Each executable that has been analyzed by researchers showed that the executable itself was customized for each victim and included a hardcoded extension, ransom note, and a Tor victim URL further customized to the specific victim.

Initially when we covered the SolarWinds supply chain hack in mid-December fingers were already pointing at Russian nation-state threat actors as being the likely responsible party. Given the scale and sophistication of the attack, there would only be a few well-resourced groups across the globe that had the patience and skill to conduct such a cyberespionage attack. Given Russia’s recent past it was likely that expert opinion would likely look to Russia for an explanation likely to never come. Now, the US government has officially blamed Russia for what is quickly becoming one of the most severe hacks seen, with experts rather dramatically comparing it to Pearl Harbour.

Comparisons to historical events where the loss of life and further war do seem to be misplaced; however, the severity of the hack is slowly coming to light. In a joint statement issued by the FBI, CISA, ODNI, and the NSA the government agencies stated,

It is foreseeable that the SolarWinds hack will dominate headlines sometime. As more information emerges, headlines will follow. One trap that the public should not fall into is to assume other hackers take a break while the limelight is not on them. Ransomware gangs are a case in point, they will still operate even though they are not in the headlines, at least briefly. The gang behind Nefilim has managed to steal a headline or two by adding another large organization to their victim list. The victim this time is home appliance giant Whirlpool.

The manufacturer is one of the world's largest home application makers with appliances under its name and KitchenAid, Maytag, Brastemp, Consul, Hotpoint, Indesit, and Bauknecht. Whirlpool employs 77,000 people at 59 manufacturing and technology research centers worldwide and generated approximately 20 billion USD in revenue for 2019. Over the weekend the gang published data that had supposedly been stolen for Whirlpool on the gang's “leak site”.

In recent memory, a collaboration between Windows and several other security firms attempted to take out TrickBots infrastructure. Cooler heads warned that this was not the end of TrickBot, and those behind would be back. This was proved to be true but the attempt to take down TrickBot’s infrastructure did achieve one important goal, to prevent the botnet known for distributing ransomware from having any discernible impact on the recent US elections. TrickBot’s return mirrors recent attempts by the US Federal Bureau of Investigation and Interpol taking down Joker’s Stash servers.

Joker’s Stash has developed a reputation over the years for being the biggest marketplace for buying and selling stolen cards. According to ZDNet both the FBI and Interpol sent out a joint email stating that a small number of Joker’s Stash servers were seized disrupting the illegal platforms business operations at least temporarily. The operation was still described as ongoing and more servers have been targeted for seizure. Seizure banners appeared on four Joker's Stash sites, at jstash.bazar, jstash.lib, jstash.emc, and jstash.coin.

The recent SolarWinds supply chain attack has dominated InfoSec headlines. The sheer scale of the attack warrants the coverage with even major media outlets dedicating time and space to cover the story. While the publics' attention is diverted elsewhere, hackers don’t seem to take too many breaks. Even before the SolarWinds incident, several ransomware gangs were morphing tactics once more. Now gangs like DoppelPaymer, Conti, Ryuk are cold calling victims who managed to restore systems from backups. This is done to harass and place extra pressure on victims to pay the ransom.   

According to an article published by ZDNet dating back to December 5, 2020, security researchers saw this trend emerging as far back as August of this year. The cold calling of victims is believed to be done by an outsourced call center, possibly working for the gangs mentioned above and believed to work for the now-defunct Maze and Sekhmet ransomware gangs.

This week’s cybersecurity news has been dominated by one event, the SolarWinds supply chain attack. On Sunday, the Washington Post published an article detailing who is possibly behind the attack. The sentiment was echoed in a New York Times article published on the same day. While the finger-pointing has begun in earnest and will be covered in more detail below, how the attack was carried out will be of interest to many in the InfoSec community.

Details of the attack are still emerging, and will likely still emerge for some time, but a summary of the attack is needed before a dive into the how is done. On Monday, December 14, 2020, the US government ordered several emergency measures to be taken to recover from potentially the most sophisticated cyber incident to occur in years. The attack made use of using compromised software updates to gain access to potentially thousands of private and public enterprises. Based on initial reports and admissions, the attack was enabled when hackers managed to insert malicious code into software updates for SolarWinds’ Orion product. Orion is used by some 275,000 customers worldwide, including Fortune 500 companies and US government agencies. The compromised updates were released in March and June of this year meaning some victims may have been compromised for nine months.

Recently, this publication reported on how APT28, the infamous Russian nation-state threat actor, changed tactics to target the Norwegian parliament and recent US elections. Rather than the favored method of using spear phishing to initially compromise victims and steal credentials, the group employed brute-force attacks to gain access to victims’ infrastructure. New research by security firm Intezer shows that the group has not completely abandoned its spear-phishing tactics. Why would they? It is still an incredibly effective method of credential-stealing when done right or dropping malware onto targeted machines.

In November, Intezer researchers discovered an APT28 campaign utilizing phishing lures designed to spread the Zebrocy malware. Several characteristics set this campaign apart from others seen in the past. Firstly, the malware was written in Go, or Golang, and not the more traditional version written in Delphi. Secondly, the malware was delivered via Virtual Hard Disk (VHD) files. Windows 10 allows users to run VHD files natively now and maybe partly behind the decision to weaponize the file format to spread Zebrocy. VHD files are popularly used to run multiple operating systems on a single machine, allowing developers to test applications on multiple platforms without having to partition hard drives which can be a hassle.