Internet threat news

The LockBit ransomware gang has been operational since 2019. In June 2021, the gang deployed a newer version of the ransomware, dubbed LockBit 2.0 by its developers, was seen by researchers making a stir on underground forums. Now, a report published by Trend Micro details how the new version has been deployed in recent campaigns starting in July of this year.

The campaigns targeted organizations in Chile, Italy, Taiwan, and the U.K making use of the newer version.

Getting to peek behind the curtains of a ransomware operation is rare. Figuring out the inner workings of modern ransomware-as-a-service operations is an investigation that can take hours upon hours to glean the smallest bits of information. Sometimes discoveries are made that pull the curtain back a little further. Recent blog posts by Vitali Kremez’s Advanced Intelligence have helped expose large sections of the Conti gang’s operations and tactics.

One such blog post revealed how affiliates gain persistence on a victim’s network and avoid detection by security applications.

Microsoft’s ever-popular Office 365 has been a favored target for many hackers. This is partly due to the popular application enjoying widespread adoption in both the corporate and government spheres as employees use many of the bundled applications for daily work life and the ability to easily share documents. In the past, we have seen both ransomware campaigns and phishing actively target users of the product. Microsoft’s 365 Defender Threat Intelligence Team now warns of another phishing campaign using a novel, if somewhat dated, encryption method.

According to the article published by the security team, the attackers are leveraging morse code along with several other encryption techniques to obfuscate code and evade detection while the attackers harvest credentials.

Bloomberg reports that hackers have just successfully stolen roughly 600 million USD from a decentralized finance platform. The theft occurred on the Poly Network which allows users to swap tokens across several blockchains. Tens of thousands of users are believed to be impacted by the theft with a vulnerability within Poly Network being exploited by hackers.

The Poly Network team took to Twitter to address those responsible for the hack and open a line of communication in the hopes that funds can be retrieved. For those who are victims of the theft, there is a strong possibility that the funds cannot be recovered, and they will be significantly out of pocket even if some arrangement can be made with the Poly Network’s team.

While classified as a new strain of ransomware BlackMatter is strongly believed to be a rebranding of the DarkSide ransomware operation infamous for the Colonial Pipeline Incident that drew far too much attention to the gang. BlackMatter is more than a rebranding and does boast some unique features, including the capability of targeting Linux machines. This appears to be an ever-increasing trend amongst other ransomware gangs seeing the potential is not just targeting Windows machines.

According to a recently published report by Recorded Future, researchers have analyzed both Windows and Linux variants of the ransomware. The Windows variant appears to have been created by an experienced ransomware operator, the malware has several obfuscation and anti-analysis techniques within the code.

As info stealers go Racoon Stealer has to be one of the more prolific malware strains of its type in recent memory. This is due in part to the malware being offered as a service, similar to how ransomware-as-a-service or other malware-as-a-service business models have been adopted recently. This model relies on the malware’s developer constantly updating the malware to make it an attractive option to other hackers and so that it warrants the monthly subscription fee.

Racoon Stealer’s latest update enables the malware customers to steal crypto transactions through the use of a clipper. These malware strains operate by replacing the wallet addresses used in a transaction with a wallet address used by the attacker.

On July 9, 2021, the railway service used by Iranians for their daily transport needs suffered a cyber attack. New research published by Sentinel One reveals that the chaos caused during the attack was a result of a previously undiscovered form of wiper malware, called Meteor.

The attack resulted in both the Transport Ministry’s online services offered been shut down and to the frustration of passenger’s cancellations and delays of scheduled trains. Further, the electronic tracking system used to determine the locations of trains in service also failed. The government's response to the attack was at odds with what the Iranian media was saying.

According to a recently published report by the Sygnia Incident Response team, internet-facing Windows servers are being targeted by an advanced persistent threat group called Praying Mantis, or less glamorously TG1021. What makes their attack campaigns noteworthy is that they are almost exclusively conducted in memory.

These attacks, also referred to as Fileless attacks are pieces of malware that rather than been stored on a machine's storage are run from a machine's memory. This makes them harder to detect as no files are stored on the infected system or at least none that are easily detectable.

Researchers at Bitdefender have discovered a new password-stealing malware that targets Windows users. The malware is delivered via ads that appear in the user's search results. This is not the first time we have seen this distribution method being used this year. At the beginning of June security firm, Morphisec revealed that several info-stealing malware strains were actively being distributed via Google pay per click (PPC) ads.

The malware discovered by Bitdefender has been named MosaicLoader and is more than just an info stealer targeting users’ passwords. The malware can also mine cryptocurrency and act as a dropper for other strains of malware in particular trojans. Based on the distribution method the threat actors are not targeting specific organizations or individuals.

Much of the world's attention regarding cybersecurity matters has been firmly affixed to the NSO saga resulting from the Pegasus Project. While Spyware has been abused by governments dominated headlines, the US Government and its allies placed responsibility for the Exchange Server hacks that occurred in March squarely at the feet of the Chinese Government.

Given the number of incidents and revelations that have happened in 2021 already, what happened in March already feels like eons ago, so a quick recap of events is probably necessary. On March 2, 2021, Microsoft warned of a Chinese state-sponsored hacking group, codenamed Hafnium, was using several zero-day vulnerabilities discovered in Exchange Server, a popular enterprise product to better facilitate email communications, to distribute malware including ransomware.

Following the Washington Post’s expose regarding the spyware created by an Israeli firm, NSO, which had been used by the firm's clients in a questionable way, the political fallout is just beginning. Spyware can be defined as malware designed to track user activity on a device, not only can activity as in who the user communicates with or engages with the apps including browsers on the device but also location. Full-featured spyware can also log communications and grant the attacker privileged access to the user’s device and by extension the user’s life.

The spyware created by NSO, named Pegasus, has been active since 2016 and has made headlines in the past due to its questionable use by the firm's clients which include governments. The spyware is sold as a solution for tracking and monitoring terrorist activity but as the Washington Post, their media partners, and French investigative non-profit Forbidden Secrets show the spyware is used to track journalists, activists, and those deemed to pose a threat to authoritative regimes.

On the evening of Monday, July 13, 2021, various news outlets began reporting that websites and infrastructure were used by ransomware operators behind the Sodinokibi strain had been taken offline. This resulted in several theories being proposed as to why. Was it a result of legal action? Was it increased pressure by governments following both the JBS and Kaseya incidents?

The latter has been estimated to have resulted in an estimated 1,500 small to medium enterprises becoming victims. Or has the gang decided to call it quits, restructure its infrastructure, or has the gang split based on internal differences and squabbles?

Half of 2021 has already blown past and yet again ransomware has dominated infosec headlines. Petroleum distributor Colonial Pipeline, meat supplier JBS, and IT service provider Kaseya have all been in headlines not for stellar business performance but because they have been victims of crippling ransomware attacks. No longer is ransomware a one-man-band operation but given the profitability seen they have turned into a mutated software-as-a-service (SaaS) business model termed Ransomware-as-a-Service (RaaS).

In a recent report by security Kela titled “Ransomware Gangs are Starting to Look Like Ocean’s 11” written by Victoria Kivilevich the trends dominating this mutated business model are investigated. As ransomware moved away from one operator developing or buying, the ransomware’s source code, compromising a victim’s machine or network, then executing the malware over the years specialists have assumed those specific roles.

Just as some were, rather hopefully, predicting that ransomware had peaked given the increased response by the US and other governments to both the Colonial Pipeline and JBS incidents. Ransomware operators behind Sodinokibi, who have also been blamed for the JBS incident, seem not to have received that memo and carried possibly the largest ransomware incident to date.

It is believed that an affiliate of the Sodinokibi ransomware gang carried out an attack that possibly impacted thousands of organizations according to the Associated Press. The affiliate is believed to have also been behind the recent JBS attack where 11 million USD was demanded as a ransom.

The most recent attack was believed to have been conducted by first compromising a firm that remotely manages the IT infrastructure for clients. Further, the attack has impacted organizations in at least 17 different countries.