Internet threat news

For any scholar of cybersecurity trends, ransomware provides a unique study. The threat has seen several key evolutions since it first emerged in 2010. The latest evolution seen and documented by two separate security firms involves how ransomware operators are using virtual machines (VMs) to hide activity.

VMs are often used for the emulation or virtualization of traditional hardware. A virtual machine can be defined as,

“A Virtual Machine (VM) is a compute resource that uses software instead of a physical computer to run programs and deploy apps. One or more virtual “guest” machines run on a physical “host” machine. Each virtual machine runs its own operating system and functions separately from the other VMs, even when they are all running on the same host. This means that, for example, a virtual MacOS virtual machine can run on a physical PC.”

Hackers are ever increasingly looking to abuse developers and their tools to conduct attack campaigns. Recently this trend has involved hackers uploading malicious packages to popular repositories. In April 2021, it was found that hackers had uploaded malicious code that installed the Mac Shlayer.

In the same month a new malware strain, named web-browserify, was distributed via the popular NPM repository. Both instances targeted Node.JS developers, now a malware strain has been seen targeting Python developers.

For the past several months' hackers have not been friendly to businesses in the gaming industry. CD Projekt Red, Ubisoft, and Crytek have all suffered ransomware incidents. Now it has emerged that EA has suffered a data breach, in which it is believed several games have had their source code stolen. The company is a giant of the industry boasting several high-earning franchises including Madden NFL, EA SPORTS FIFA, Battlefield, The Sims, and Need for Speed. Further, the company has over 450 million registered players worldwide and posted GAAP net revenue of $5.5 billion for the fiscal year 2020.

Several reports have emerged stating that Electronic Arts (EA) has had 750 GB worth of data stolen during a breach of their network. The data is believed to contain source code and debugging tools used by developers. Popular tech publication Motherboard reported that the Frostbite Engine, used in many of the publishing giants games including first-person shooters like the Battlefield, was also stolen. For fans of the FIFA franchise, it is also believed that the source code for FIFA 21 was stolen.

According to a new article published by security firm Morphisec, threat actors are using paid-for Google ads to help distribute several pieces of info stealing malware. This is done by the threat actors abusing the Pay Per Click (PPC) functionality of Google AdWords in such a way that the ads paid for by the threat actors often appeared at the top of search queries. This further highlights the need for individuals to adopt a zero-trust policy even when using trusted services.

Researchers discovered that the offending pieces of malware were being distributed via ISO images that would be downloaded when a user clicked the ad and was redirected to a website hosting the malicious payload. An ISO Image is an archive file that was developed to contain an identical copy, or image, of data typically found on an optical disc like a CD or DVD. The image can also be used to distribute large files that could then be burned onto a disk or for backing up data that would be stored on a disk. As the image is a sector-by-sector copy of the original no compression is used to reduce the size of the file. Operating systems can allow for images to mount as a virtual disk. This allows the machine to access the contents of the image as if an optical disk were inserted.

Shortly after this publication posted an article detailing the JBS Incident the FBI issued a statement officially attributing the attack to the now infamous Sodinokibi ransomware gang. Sodinokibi is also tracked by several security firms as REvil. Since the release of the statement at least two high-profile ransomware incidents have been disclosed to the public and the US President’s administration has now drawn a line in the sand regarding how it and the US Department of Justice will treat ransomware attacks moving forward.

The statement released by the FBI can only be described as short and sweet. Consisting of just one paragraph the statement said,

On May 30, 2021, JBS, which is based in Brazil and has meat processing plants in the US, notified the US Government that it had suffered a ransomware attack. JBS is the second-largest meat producer in the US with shutdowns likely to have a major impact on US meat supply, just in time for when the country enjoys grilling meat on an open flame in the summer months. In an article published by the Associated Press, it was estimated that if plants were forced to shut down for just a day the US would lose a quarter of its beef-processing capacity. This is the equivalent of 20,000 cows not being processed for delivery to the consumer market, which would cause prices to increase as demand would not be met.

Attacks on Industrial Control Systems (ICS) and other forms of Operational Technology (OT) are nothing new. It was assumed that the majority of these attacks need to be conducted by highly skilled attackers with a fair amount of experience. This assumption was based primarily on the reasoning that an attacker would need to have an extensive knowledge base of the OT targeted, including how specific manufacturers created their products and what process those products regulated and maintained. According to a new report published by FireEye, it appears that the bar has been lowered significantly allowing inexperienced hackers the ability to carry out attacks on OT infrastructure.

The Colonial Pipeline Incident rocked the InfoSec community and much of the eastern seaboard of the US. The ramifications of the event are likely to mold the US’s strategy in combating cybercrime and ransomware for the foreseeable future. While that incident was unfolding and still being covered by many publications the Irish Healthcare system also experienced a ransomware attack. Two attacks to be more exact.

The attacks resulted in the shutdown of the healthcare system last Thursday. The ransomware gang responsible was the group behind the Conti ransomware strain. The attack impacted both the Department of Health and the Health Service Executive. Health Service Executive Anne O'Connor confirmed that Conti was the offending party when speaking to The Journal. As a result of the attacks it was reported that dozens of outpatient services were canceled, a vaccine portal for Covid-19 was shut down and the country has spent days trying to bring its healthcare IT system back online. This led several prominent Irish politicians to issue statements including, Irish Foreign Minister Simon Coveney who referred to the attack as a “very serious attack.” Irish Minister of State Ossian Smyth said it was “possibly the most significant cybercrime attack on the Irish State.”

The ransomware gang behind the DarkSide who attacked the Colonial Pipeline has only been operational for approximately nine months. Due to the incident, they are best known for, they have reached a level of notoriety cybercriminals tend to want to avoid. This has prompted some to research how much money the gang has made. Recently, Elliptic has dug into the murky depths of cryptocurrency blockchains to figure out how much the gang has made in those nine months. In Bitcoin, the ransomware’s developers and affiliates have netted a total of over 90 million USD.

In a blog article published by Elliptic, researchers gave us another interesting insight into how the gang managed their ransom payments. Much of the work involved tracking down the wallets used by the gang to facilitate payments. More payments may be uncovered in the future given the level of anonymity afforded to Bitcoin transactions, but it is important to note that Bitcoin transactions are not 100% anonymous and can be traced to a certain degree. According to Elliptic’s research 99 organizations have suffered a DarkSide infection with approximately 47% of the victims paying the ransom.

The Colonial Pipeline incident has dominated cybersecurity, economic, and political headlines for a large portion of this week's news cycle. It may even be a watershed moment in the ransomware timeline, a step too far if you will. Impacting one company for a period may be frustrating to consumers and bad for that company. Impacting a fuel pipeline, forcing the company to shut it down, which impacts every industry and consumer reliant on refined petroleum is another matter entirely. Every person that had to queue for fuel or couldn’t even get fuel will likely view themselves as impacted by the incident or even classify themselves as victims of the attack.

In the wake of the incident governments around the world have taken note of the damage that ransomware can inflict on the general populace. The US and the UK have issued statements that highlight what their governments will be doing in the future, and currently, to protect and prevent the population that voted them into power. On May 12, 2021, US President Joe Biden signed an executive order designed to drastically beef up the use of preventative measures such as multi-factor authentication endpoint detection and response, and log keeping, as well as a Cybersecurity Safety Review Board.

Ransomware is again making headlines and for all the wrong reasons. Last week this publication covered how using pirated software can leave an organization vulnerable to a ransomware attack. The incident showed how ransomware operators look to exploit poor network and security controls and how the granting of admin privileges should be kept to a minimum. Now, a recent incident shows how damaging a ransomware incident can be, not just to an organization but to society as a whole.

The incident involved the forced shutdown of the largest refined petroleum pipeline in the US. The Colonial Pipeline transports petroleum from the Gulf of Mexico to markets throughout the southern and eastern United States. The company transports 2.5 million barrels per day through its 5,500 mile pipeline and provides 45% of all fuel consumed on the East Coast of the US. The shutdown is expected to negatively impact the price of petroleum for consumption in an already volatile market according to the Wall Street Journal. Reports are already emerging of gas stations typically serviced by the pipeline running dry again impacting consumers negatively.

Long have the dangers of pirated software be shouted from the mountaintops by security researchers. Despite being illegal, the user has no idea what they are downloading. In many cases what they believe is a software package, movie, or TV show is laden with malicious payloads. Some of those payloads contain ransomware. This publication has covered how this is a favored distribution technique for many malware families and how the Pysa ransomware has been seen distributed via fake software crack sites. Now a company in the BioTech sector just suffered a Ryuk attack via a student downloading pirated software.

In a recent article published by Sophos, an incident involving their Rapid Response Team was covered. The team was called in to neutralize a Ryuk infection that occurred at a European biomolecular research institute. The organization has close links with several universities and works with students from those universities through a variety of programs. Further, the organization is involved in COVID-19 research which has proven to pique the interest of ransomware operators meaning that they are prime targets for ransomware gangs like the one behind Ryuk.

It has been a busy couple of days for reports coming from security firm FireEye. Last week this publication covered the use of the FiveHands ransomware strain by a financially motivated group tracked as UNC2447. This week a new report published by the firm details an attack campaign carried out by yet another financially motivated group tracked as UNC2529. The attack campaign was discovered by researchers in December 2020 and is notable for several reasons but namely that three new malware strains were observed being used in the campaign.

The attack campaign began with a concerted email phishing campaign. FireEye researchers saw that 28 organizations were sent phishing emails. It is safe to assume that more than 28 organizations were targeted, as the 28 seen to be targeted would only likely be organizations where FireEye has a presence on their infrastructure. Emails were sent from 26 unique addresses linked to a single domain, tigertigerbeads[.]com with the emails containing inline links to malicious URLs such as hxxp://totallyhealth-wealth[.]com/downld-id_mw<redacted>Gdczs, engineered to entice the victim to download a file containing a malicious payload. While the emails were sent from one domain the links were tracked to at least 24 different domains.

A financially motivated threat actor has been seen exploiting a zero-day bug in SonicWall SMA 100 Series VPN appliances. This is done to gain initial access to enterprise networks so that the threat actors can deploy a newly discovered ransomware strain, known as FiveHands. So far victims include organizations located in Europe and North America. The ransomware itself has several similarities to both the HelloKitty and the DeathRansom ransomware strains. Researchers believe that FiveHands is best described as a novel rewrite of DeathRansom. That being said it does have several differences, more on both the similarities and the differences to come below.