Internet threat news

Maze operations began only in May 2019, with just over a year of active campaigns under their belt they are looking into early retirement, according to an article published on Bleeping Computer. The ransomware rose to prominence incredibly quickly, based on a savvy change of tactics, media relations, and a list of high-profile victims. The list includes Canon, Xerox, and LG just to name a few. It appears that the gang has taken to heart the adage of getting out when you’re on top.

This is not the first time the community has seen a gang retire seemingly at the top of their game. In the middle of 2019, the operators behind the GandCrab announced their retirement on underground forums and subsequently released decryption keys so that those still locked out of their systems could remedy the situation and decrypt files. Whether the decision to retire was made on their own volition or not can be argued as the gang had come increased pressure from the No More Ransom collective who were actively working to create decryptors for the latest versions of the ransomware at the time. GandCrab for its part had a significant impact on ransomware operations going forward. They refined the Ransomware-as-a-Service (RaaS) model, a model adopted by today’s most successful ransomware gangs, and constantly updated their malware and tactics to make defending against an infection a harder prospect.

Two recent instances of data breaches have shown the dangers of what stolen data can do in the wrong hands. The first of which impacted a Finnish psychotherapy clinic. The clinic suffered a breach two years ago, with the results of the breach only making themselves known now. A threat actor is demanding a ransom for the stolen client database that contains a wealth of confidential information. It is estimated that thousands of patients may have had their information exposed and subsequently be at risk. Thanks to Bleeping Computer many have an article written in English which neatly summarises events.

Psychotherapy Center Vastaamo announced the incident a week before this article was written and according to local sources the threat actor is demanding 40 Bitcoin for the data. At the time of writing, this amounts to nearly 550,000 USD. The threat actor contacted employees of the clinic demanding that the ransom be paid with another local source reporting that at least 300 patient records were leaked via a Tor site to add veracity to the threat actor’s claims. Unfortunately, the reckless attempts to profit from confidential data did not end with demands to the clinic.

In a still-developing story, it was reported by Bleeping Computer that Barnes and Noble, the well-known US book retailer, appeared to have suffered a cyber incident of some kind. Barnes and Noble is the largest brick-and-mortar bookstore in the US with over 600 stories spread across the country. Further, the company also operates Nook, the popular eBook and eReader platform. It appeared that something was not right when customers of the company took to social media to complain about service blackouts.

Customers began taking to various social media platforms to enquire, and in some cases complain, as to why certain Nook services were inaccessible on October 10, 2020. Many of the problems reported by customers involved not being able to access their library of purchased eBooks and magazine subscriptions. Often attempts to do so online or on their Nook, customers experienced no joy as the library was coming up blank or they could not log into bn.com. In response to customer complaints, Barnes and Noble took to Nook’s Facebook page to announce that there had been a system failure and that the company was working to restore the services that were affected.

For security researcher’s ransomware has presented an ever-evolving threat readily capable of adapting and changing tactics. This rapid adoption of new tactics is seemingly driven by not only the rich rewards on offer but by competition with the rival ransomware gangs. According to recently published research, it would seem that two relatively new ransomware families are vying to be crowned king of the current ransomware threat. Further, it confirms that the number of ransomware attacks that threaten to release stolen data in the event of non-payment is growing.

The research conducted by Digital Shadows was published on their blog. The key takeaways from it are that a staggering 80% of known attacks were conducted by four ransomware families for the period of July to September. Those infamous four being Maze, Sodinokibi, NetWalker, and Conti. In the three months prior, DoppelPaymer was featured in the top three along with Maze and Sodinokibi. The sudden drop off in DoppelPaymer activity reflects the ever-changing ransomware threat landscape. This may also indicate how saturated the market has become and that to remain competitive tactics need to be continually refined and improved as well as a readiness to adopt new tactics. Maze is widely regarded as the first ransomware family to not only threaten the release of confidential data in the event the ransom is not paid in time but to release said data. Since then we have seen several other ransomware families adopt the tactic and start data release websites used to announce successful attacks and facilitate the release of stolen data.

According to new research published by KELA, the number of ads on popular underground hacker forums selling “network access” tripled in September 2020 when compared to the previous month. In the report, researchers documented 108 listings providing what has been termed “network access” to buyers. In total, the sellers were looking to make over 500,000 USD from the sale of access to compromised devices on networks. The average price asked for by the sellers came in at nearly 5,000 USD but the price was dependent on the type of access granted to a compromised network.

The sellers have been termed by researchers as “initial access brokers” with the term coming to mean a seller providing remote access to a machine in a compromised organization. This initial access market in the past seemed to be far more niche than it appears now as it provided other cybercriminals with a foot in the door or initial access to the network via several attack vectors including RDP compromise and SQL injection. By hacking the Remote Desktop Protocol (RDP) the attacker gains privileged access to the targeted machine, while SQL injection involves the attacker placing malicious code within queries to databases allowing the attacker to retrieve data they would not be typically allowed to see and assist with compromising the network.

Since 2016, TrickBot has steadily become one of the major menaces faced by all those tasked with defending corporate networks. Over the last couple of years, this publication has covered several instances where TrickBot was central to causing no small amount of pain, misery, and financial loss. TrickBot began life as a banking trojan designed to steal any and all banking related credentials. It was not long until the malware evolved into a multi-faceted malware capable of conducting operations far above those of normal banking trojans seen previously.

Tracking TrickBot activity reveals this evolution rather nicely. In 2019, TrickBot was seen targeting healthcare providers acting as the initial assault on a network where it was not only there to harvest credentials but to create a backdoor onto the network so that other malware variants could be dropped onto the infected network. This led to a partnership between TrickBot and Emotet, where once TrickBot had successfully compromised a network and created a backdoor Emotet would then be dropped. This effectively turned a humble banking trojan into a hybrid trojan, malware dropper, and info-stealer. The partnership between TrickBot and Emotet was to evolve again, as Emotet partnered with the ransomware gang behind Ryuk. Now TrickBot would drop Emotet which in turn would drop Ryuk. This pattern has been seen on multiple occasions and may have been the infection vector behind the EMCOR and more recently UHS ransomware incidents.

Researchers for BlackBerry’s Research and Intelligence Team have shed light on a staggeringly sophisticated hack-for-hire group. The group, named Bahamut, the Arabic equivalent of the Judeo-Christian Behemoth, uses several tactics to primarily target governments and businesses in the Middle East and South Asia. Tactics include using custom malware and zero-day exploits; however, it is the phishing and social engineering tactics employed that deserve special mention for the care targeted campaigns are crafted to snare their victims.

The report, titled BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps, shows that Bahamut’s operations seem to date back to at least 2016. The group's operations have been neatly summarised by Eric Milam, VP of research operations at BlackBerry, who noted,

On October 6, 2020, Microsoft's Threat Intelligence Center (MSTIC) tweeted that it had observed an Iranian state-sponsored group, codenamed as MERCURY by MSTIC, were seen actively trying to exploit the recently patched ZeroLogon vulnerability. Successful exploitation of the vulnerability would allow the attacker to hijack an enterprise’s domain controller (DC) servers. These servers often serve as the backbone of a network’s enterprise with any compromise potentially resulting in a complete takeover of the network. MSTIC noted that they have seen the group targeting this flaw for the last two weeks.

While Microsoft tracks the activity of the group under the codename MERCURY, they are better known by the InfoSec community as MuddyWater. It is believed that the group functions as a contractor under the orders of the Islamic Revolutionary Guard Corps. In Microsoft’s Digital Defence Report the group has primarily targeted NGOs, intergovernmental organizations, government humanitarian aid, and human rights organizations.

Phishing, the process of acquiring personal information and important credentials via deceptive emails, websites, or a combination of both, is still an effective tactic employed by hackers. Malware like Emotet is almost solely distributed spam emails which are socially engineered to get victims to click and approve all the wrong things so that its infection routine can begin, however often passwords and usernames are needed to deeper penetrate corporate networks. Other malware operators need your credentials to complete their tasks here emails will often redirect to what appears to be a legitimate website, the victim will enter their credentials and the site will subsequently harvest those credentials possibly leading to account compromise and a whole host of other problems.

This week, security researchers revealed two new tactics that have been added to phishing’s arsenal which further cement the threat level posed by the attack method. The first was discovered by security researcher and bug bounty hunter Craig Hays, who has subsequently published an article detailing the discovery which he described as the “greatest password theft” that he had ever seen. The event started when his security team received an alert from a user, which the team believed to be a run of the mill alert. Going through the relevant procedures the team locked the account and began their investigation. However, more alerts began to be received by the team from other users and it was discovered that the emails received by users made it past the same filtering rules as the initial alert.

Another Fortune 500 company is added to ransomware’s victim list. For many researchers, the scourge of ransomware is becoming the number one problem faced by large organizations, and when major organizations like Canon and Konica Minolta it is hard to argue with this sentiment. Now Universal Health Services (UHS), currently ranked 293 on the Fortune 500 listing of companies, can be added to the victim’s list.

According to both Bleeping Computer and Digital Guardian facilities across the US had to shut down services on Sunday, September 27, 2020, in response to a cyberattack. The company has over 400 healthcare facilities in the US and the UK has more than 90,000 employees and provides healthcare services to approximately 3.5 million patients each year. The company generated over 11 billion USD in income for 2019 making it a tasty target for well-organized ransomware gangs.

A new Android malware going by the name Alien has been discovered and analyzed by security researchers. Discovered by ThreatFabric, who have subsequently released a report detailing their discovery, one of the standout features of the trojan is its ability to steal the credentials from 226 different apps. According to the report, the malware has been active since the start of this year and has been offered as a Malware-as-a-Service (MaaS) on underground hacking forums. This has led to comparisons to Cerberus and Alien been the former’s replacement for the king of the Android hill. There is more to mere comparisons with Cerberus, however, more on that later.

This year alone ThreatFabric has discovered several new Android trojans, all seemingly created with financial motives in mind. Fortunately, not all those discovered turned out to be successful and some have dropped off the map entirely. Whether Alien will join the unsuccessful pile is unknown but given the malware’s rich feature set it would not be wise to bet against it. When it was initially discovered by an analyst it was initially mistaken for another version Cerberus, however, a discovery of a post on an underground hacker forum announcing the development of a new Android malware was an indication of a new malware. Analyzing the samples received, Alien appeared to form part of a new breed of trojans targeting Android devices.

In a campaign that started at the beginning of September, those operating the Emotet botnet have hampered the campaign's effectiveness through blunders they made. Emotet is typically in the news for when its creators decide to bring it back to life for yet another campaign, then it is placed in the cyber equivalent of hibernation. In 2019, Emotet activity dropped off sharply in May of that year only to surge in September for yet another campaign. Then again in 2020, the malware was placed into hibernation for roughly five months only to be brought back from near death in July. Rather than the successful awakening the malware is in the news once more but for more embarrassing reasons.

The latest campaign makes use of a change in tactics involving the malware’s operators distributing password-protected archives via spam emails in an attempt to bypass anti-spam filters and other security measures placed on email gateways. The latest campaign began on Friday it appears with security researcher Cryptolaemus noting a massive spike in Emotet activity. Once the spam emails are used to distribute Emotet bypass security measures is when the mistake made by the operators is made apparent. Like with previous campaigns the spam emails contain malicious Microsoft Office documents that attempt to trick the user into enabling macros. Once this is done a script can be run that fetches the main malware payload and the infection of the machine can begin in earnest. A lot rides on this ability to trick the recipient into enabling macros. This is where the massive mistake occurs.

The Maze gang was last in the news when they managed to pull off a successful attack on Canon. This is but one of the gang’s many exploits and once more the group is in the news, not for a high profile victim but for tactics adopted that will likely add to the growing list of Maze’s victims. The gang is no stranger to adopting new tactics successfully. The gang was in all likelihood the first to start releasing data stolen from victims who do not pay promptly. Now the group has adopted a tactic seen used by Ragnar Locker to remain undetected until it is too late.

According to Sophos Labs, the Maze gang has now been seen using Ragnar Locker’s virtual machine technique to remain undetected by endpoint security applications. Sophos Labs’ published an article detailing the discovery and how it is carried out recently, however, the discovery was made when tracking a Maze campaign dating back to July 2020. Simply put the attack is carried out by placing the various components of the ransomware within a virtual machine once access to a file server has been achieved. Based on the evidence provided by researchers it would appear that this deployment of components to a virtual machine occurs late in the attack chain as the ransomware’s operators had already compromised the victim’s defenses and lurked on the network for some time.

While ransomware continues to dominate international headlines the recent hack involving nearly 2,000 Magento stores reminds all involved that magecart styled attacks are indeed still a thing. In a magecart style attack, the attacker compromises an online shopping cart, generally, with only a few lines of code, that is able to swipe the card details entered by a customer. These are then sent to a command-and-control server owned by the attacker and then sold on the Dark Web or used to purchase items fraudulently by mules working for criminal organizations. Further, as is the case in this instance, payments can also be sent to accounts under the control of the hacker.

According to Sansec, a security firm specializing in magecart attacks, the 2,000 stores were hacked over the weekend by an automated attack. In a report detailing the incident, it was found that the attack targeted stores still using the no longer supported Magento version 1, which was announced by Adobe, the owners and distributors of the platform, last year June. Sansec discovered that 1,904 stores were infected with a unique keylogger which was stealing card data via the checkout pages used by the online stores. The security firm discovered 10 infected stores on Friday, this number skyrocketed to 1,058 on Saturday. Sunday and Monday saw a decline in infections, with 603 and 233 respectively.