Internet threat news

Half of 2021 has already blown past and yet again ransomware has dominated infosec headlines. Petroleum distributor Colonial Pipeline, meat supplier JBS, and IT service provider Kaseya have all been in headlines not for stellar business performance but because they have been victims of crippling ransomware attacks. No longer is ransomware a one-man-band operation but given the profitability seen they have turned into a mutated software-as-a-service (SaaS) business model termed Ransomware-as-a-Service (RaaS).

In a recent report by security Kela titled “Ransomware Gangs are Starting to Look Like Ocean’s 11” written by Victoria Kivilevich the trends dominating this mutated business model are investigated. As ransomware moved away from one operator developing or buying, the ransomware’s source code, compromising a victim’s machine or network, then executing the malware over the years specialists have assumed those specific roles.

Just as some were, rather hopefully, predicting that ransomware had peaked given the increased response by the US and other governments to both the Colonial Pipeline and JBS incidents. Ransomware operators behind Sodinokibi, who have also been blamed for the JBS incident, seem not to have received that memo and carried possibly the largest ransomware incident to date.

It is believed that an affiliate of the Sodinokibi ransomware gang carried out an attack that possibly impacted thousands of organizations according to the Associated Press. The affiliate is believed to have also been behind the recent JBS attack where 11 million USD was demanded as a ransom.

The most recent attack was believed to have been conducted by first compromising a firm that remotely manages the IT infrastructure for clients. Further, the attack has impacted organizations in at least 17 different countries.

The good work done by No More Ransom may be difficult to quantify but it is safe to say that their work releasing free decryptors to be used by victims of ransomware has possibly saved millions of dollars’ worth in damages and ransom payments funding criminal activity.

Now with the help of security firm Tesorion a decryptor for the Lorenz has been released to the public for free.

No More Ransom is a partnership between public, private, and law enforcement agencies, of which this publication is a partner to help educate the public and assist victims.

It is almost daily that ransomware makes headlines in some form or another. Many of the headlines and subsequent articles cover the latest large corporations to fall victim to a ransomware attack.

Recent high-profile attacks, including the Colonial Pipeline Incident and subsequent responses by governments across the globe, attest to this.

Given the threat posed by ransomware and other cyber incidents in general it is little wonder that cyber insurance offerings have been developed to try and mitigate the risk somewhat. This has led to experts asking if such insurance packages are enabling ransomware attacks to some extent?

Cyber insurance, or cyber-liability insurance, is a type of insurance policy designed specifically to help mitigate the threats posed by cyber-attacks. These policies are designed to protect organizations against the fallout of an attack and do not prevent an attack.

For any scholar of cybersecurity trends, ransomware provides a unique study. The threat has seen several key evolutions since it first emerged in 2010. The latest evolution seen and documented by two separate security firms involves how ransomware operators are using virtual machines (VMs) to hide activity.

VMs are often used for the emulation or virtualization of traditional hardware. A virtual machine can be defined as,

“A Virtual Machine (VM) is a compute resource that uses software instead of a physical computer to run programs and deploy apps. One or more virtual “guest” machines run on a physical “host” machine. Each virtual machine runs its own operating system and functions separately from the other VMs, even when they are all running on the same host. This means that, for example, a virtual MacOS virtual machine can run on a physical PC.”

Hackers are ever increasingly looking to abuse developers and their tools to conduct attack campaigns. Recently this trend has involved hackers uploading malicious packages to popular repositories. In April 2021, it was found that hackers had uploaded malicious code that installed the Mac Shlayer.

In the same month a new malware strain, named web-browserify, was distributed via the popular NPM repository. Both instances targeted Node.JS developers, now a malware strain has been seen targeting Python developers.

For the past several months' hackers have not been friendly to businesses in the gaming industry. CD Projekt Red, Ubisoft, and Crytek have all suffered ransomware incidents. Now it has emerged that EA has suffered a data breach, in which it is believed several games have had their source code stolen. The company is a giant of the industry boasting several high-earning franchises including Madden NFL, EA SPORTS FIFA, Battlefield, The Sims, and Need for Speed. Further, the company has over 450 million registered players worldwide and posted GAAP net revenue of $5.5 billion for the fiscal year 2020.

Several reports have emerged stating that Electronic Arts (EA) has had 750 GB worth of data stolen during a breach of their network. The data is believed to contain source code and debugging tools used by developers. Popular tech publication Motherboard reported that the Frostbite Engine, used in many of the publishing giants games including first-person shooters like the Battlefield, was also stolen. For fans of the FIFA franchise, it is also believed that the source code for FIFA 21 was stolen.

According to a new article published by security firm Morphisec, threat actors are using paid-for Google ads to help distribute several pieces of info stealing malware. This is done by the threat actors abusing the Pay Per Click (PPC) functionality of Google AdWords in such a way that the ads paid for by the threat actors often appeared at the top of search queries. This further highlights the need for individuals to adopt a zero-trust policy even when using trusted services.

Researchers discovered that the offending pieces of malware were being distributed via ISO images that would be downloaded when a user clicked the ad and was redirected to a website hosting the malicious payload. An ISO Image is an archive file that was developed to contain an identical copy, or image, of data typically found on an optical disc like a CD or DVD. The image can also be used to distribute large files that could then be burned onto a disk or for backing up data that would be stored on a disk. As the image is a sector-by-sector copy of the original no compression is used to reduce the size of the file. Operating systems can allow for images to mount as a virtual disk. This allows the machine to access the contents of the image as if an optical disk were inserted.

Shortly after this publication posted an article detailing the JBS Incident the FBI issued a statement officially attributing the attack to the now infamous Sodinokibi ransomware gang. Sodinokibi is also tracked by several security firms as REvil. Since the release of the statement at least two high-profile ransomware incidents have been disclosed to the public and the US President’s administration has now drawn a line in the sand regarding how it and the US Department of Justice will treat ransomware attacks moving forward.

The statement released by the FBI can only be described as short and sweet. Consisting of just one paragraph the statement said,

On May 30, 2021, JBS, which is based in Brazil and has meat processing plants in the US, notified the US Government that it had suffered a ransomware attack. JBS is the second-largest meat producer in the US with shutdowns likely to have a major impact on US meat supply, just in time for when the country enjoys grilling meat on an open flame in the summer months. In an article published by the Associated Press, it was estimated that if plants were forced to shut down for just a day the US would lose a quarter of its beef-processing capacity. This is the equivalent of 20,000 cows not being processed for delivery to the consumer market, which would cause prices to increase as demand would not be met.

Attacks on Industrial Control Systems (ICS) and other forms of Operational Technology (OT) are nothing new. It was assumed that the majority of these attacks need to be conducted by highly skilled attackers with a fair amount of experience. This assumption was based primarily on the reasoning that an attacker would need to have an extensive knowledge base of the OT targeted, including how specific manufacturers created their products and what process those products regulated and maintained. According to a new report published by FireEye, it appears that the bar has been lowered significantly allowing inexperienced hackers the ability to carry out attacks on OT infrastructure.

The Colonial Pipeline Incident rocked the InfoSec community and much of the eastern seaboard of the US. The ramifications of the event are likely to mold the US’s strategy in combating cybercrime and ransomware for the foreseeable future. While that incident was unfolding and still being covered by many publications the Irish Healthcare system also experienced a ransomware attack. Two attacks to be more exact.

The attacks resulted in the shutdown of the healthcare system last Thursday. The ransomware gang responsible was the group behind the Conti ransomware strain. The attack impacted both the Department of Health and the Health Service Executive. Health Service Executive Anne O'Connor confirmed that Conti was the offending party when speaking to The Journal. As a result of the attacks it was reported that dozens of outpatient services were canceled, a vaccine portal for Covid-19 was shut down and the country has spent days trying to bring its healthcare IT system back online. This led several prominent Irish politicians to issue statements including, Irish Foreign Minister Simon Coveney who referred to the attack as a “very serious attack.” Irish Minister of State Ossian Smyth said it was “possibly the most significant cybercrime attack on the Irish State.”

The ransomware gang behind the DarkSide who attacked the Colonial Pipeline has only been operational for approximately nine months. Due to the incident, they are best known for, they have reached a level of notoriety cybercriminals tend to want to avoid. This has prompted some to research how much money the gang has made. Recently, Elliptic has dug into the murky depths of cryptocurrency blockchains to figure out how much the gang has made in those nine months. In Bitcoin, the ransomware’s developers and affiliates have netted a total of over 90 million USD.

In a blog article published by Elliptic, researchers gave us another interesting insight into how the gang managed their ransom payments. Much of the work involved tracking down the wallets used by the gang to facilitate payments. More payments may be uncovered in the future given the level of anonymity afforded to Bitcoin transactions, but it is important to note that Bitcoin transactions are not 100% anonymous and can be traced to a certain degree. According to Elliptic’s research 99 organizations have suffered a DarkSide infection with approximately 47% of the victims paying the ransom.

The Colonial Pipeline incident has dominated cybersecurity, economic, and political headlines for a large portion of this week's news cycle. It may even be a watershed moment in the ransomware timeline, a step too far if you will. Impacting one company for a period may be frustrating to consumers and bad for that company. Impacting a fuel pipeline, forcing the company to shut it down, which impacts every industry and consumer reliant on refined petroleum is another matter entirely. Every person that had to queue for fuel or couldn’t even get fuel will likely view themselves as impacted by the incident or even classify themselves as victims of the attack.

In the wake of the incident governments around the world have taken note of the damage that ransomware can inflict on the general populace. The US and the UK have issued statements that highlight what their governments will be doing in the future, and currently, to protect and prevent the population that voted them into power. On May 12, 2021, US President Joe Biden signed an executive order designed to drastically beef up the use of preventative measures such as multi-factor authentication endpoint detection and response, and log keeping, as well as a Cybersecurity Safety Review Board.