Internet threat news

The botnet called TrickBot and its operators has been a pain in the side of cybersecurity experts for years now. In October, Microsoft announced that the tech giant had partnered with several security firms and internet service providers that it had attempted to cripple TrickBot’s infrastructure. It was hoped that their actions would takedown the botnet often used to spread ransomware. These were high hopes, and the InfoSec community knew that TrickBot would return. Microsoft’s actions were not in vain, as one of the main aims of the partnership was to prevent TrickBot from having an impact on the recent US National Elections. In this, the mission succeeded, but more than a few probably hoped that TrickBot remained hobbled for longer.

Those behind TrickBot were not inclined to admit defeat after their infrastructure had been crippled, the opposite is probably true and several new features have been added recently that make TrickBot a more fearsome opponent than before. Towards the end of November 2020, Bitdefender discovered that the malware had been updated to include improved communications, a new command-and-control infrastructure, and several newly packaged modules.

It is not an underestimation by any means to say that ransomware dominates the InfoSec news feed. This has been the case for several years but 2020 is surely breaking all the past records. With ransomware dominating the headlines a few other malware trends for the year have crept by almost unnoticed. One of those trends is the increase in popularity of Docker malware. Docker has become a popular framework for web and app developers, since 2017 there has been an emergence of malware targeting Docker users you don’t properly secure their applications.

Initially, the malware discovered looked to infect developers who had misconfigured admin interfaces. This was done to drop cryptocurrency miners, like CoinMiner, and attackers simply trawled for vulnerable systems. Since the early days of Docker malware, threats have evolved significantly since then and new malware strains are being discovered on a regular basis. Despite the rise in this kind of malware developers are still not applying basic cybersecurity principles to projects. The most common mistake made by developers is leaving Docker remote administration API endpoints exposed online without authentication. Hackers will then look to install cryptocurrency miners or backdoor trojans via malicious operating system images (OS Images).

Since Egregor’s discovery in late September early October of 2020, the ransomware has wrecked a bloody toll in the short time it has been actively claiming victims. The first few of which included Barnes and Noble, Crytek, and Ubisoft. Since the apparent retirement of the Maze ransomware gang, Egregor has been quick to capitalize on the gap left in the market by Maze’s departure.

Not only has the group behind Egregor been quick to fill the gap left by the Maze gang, but they have also been quick to adopt the tactics that made Maze so successful. Namely the human-operated tactics involving targeting large organizations with complex networks increases the likelihood of demanding a bigger ransom once critical network assets are encrypted resulting in increased downtime.

Late last week KrebsOnSecurity reported that GoDaddy, the world’s largest domain register, had been involved in a cyber-attack using social engineering tactics to first trick GoDaddy employees the target several cryptocurrency trading platforms. This incident, involving GoDaddy staff comes a few months after a similar incident where attackers assumed control of several domain names. While in May 2020, the company disclosed that 28,000 web hosting accounts had been compromised.

Returning to the latest attack, it appears that on November 13, 2020, the cryptocurrency trading platform Liquid was locked out of its domain. In a statement by Mike Kayamori, CEO of Liquid, stated,

Those behind the Mount Locker ransomware are looking to ruin an already stressful time for some, the tax return season. The ransomware strain is actively looking to target file extensions used by TurboTax, a software package developed to help US users with their tax returns. Mount Locker is a relatively new ransomware strain, first spotted in July 2020. Like many of the newer ransomware strains, they have been quick to adopt human-operated ransomware tactics, that made Maze, Ryuk, and Sodinokibi so devastating. These tactics have come to include threatening, and in many cases, releasing data stolen by the attackers before encryption occurs.

Like those who have gone before Mount Locker, the ransomware’s operators have a dedicated leak site which they use to announce victims and release data if the ransom is not paid. The lasts version of the ransomware discovered by Vitali Kremez appears to target the following TurboTax file extensions, .tax, .tax2009, .tax2013, and .tax2014. Given that many are gearing up to submit tax returns due by April 2020, it is believed that by targeting these files the attackers can place increased pressure on victims to pay the ransom.

Since the start of 2020 researchers have seen an almost continuous run of ZLoader campaigns. Initially distributed via exploit kits, malicious programs that look to exploit several known flaws, typically found in Internet Explorer. In the most recent campaigns discovered by researchers based at Malwarebytes, the attackers have changed tactics to use social engineering tactics to target those visiting popular adult content websites. Details of this change in tactics have been published by Malwarebytes on their blog.

Social engineering to distribute malware is not new but is still highly effective. These tricks are currently being used to distribute ZLoader, classified as a banking trojan, which is a piece of malware designed specifically to steal banking credentials or information attackers may use to commit fraud. ZLoader was inactive for two years till the end of 2019 when it saw a resurgence in activity. Now, the once banking trojan can be better described as an info stealer. Rather than targeting banking information exclusively, the malware now harvests a wide range of data, not just that related to banks and other financial institutions. The latest campaign, codenamed Malsmoke by researchers, looks to target adult sites that have incredibly high traffic turnovers. Sites like XHamster and Bravo Porn Tube rake in hundreds of millions to millions of visitors a month, respectively.

In a recently published blog post, ESET has revealed a new point-of-sale (POS) malware being used to target the already under pressure hospitality sector given the current impact the COVID-19 pandemic has had on the sector. POS Malware can be seen as any malicious program which can be installed on devices used by businesses to authorize transactions, typically bank card transactions. The goal of the malware is to steal financial information including credit card details to use to commit fraud or to be sold to other third parties.

Called ModPipe, the new malware strain can best be described as a modular backdoor that grants the attacker access to sensitive financial information. Researchers discovered the malware targeting devices running ORACLE MICROS Restaurant Enterprise Series (RES) 3700 POS. The device is primarily used within the hospitality sector as a management software suite used to process payments in bars, restaurants, hotels, and other hospitality establishments across the globe. What separates ModPipe from other POS Malware, such as the predicted to have been used in the Wawa card breach and the one used to steal data at gas stations across the US, is that it is capable of decrypting database passwords directly from the Windows registry. Most similar malware strains will use less stealthy methods to steal the data, like keyloggers.

In a new report published by Mandiant, the research wing of security firm FireEye, details of a hacking group utilizing a zero-day flaw found in Oracle’s Solaris operating system have been released to the public. The threat actor codenamed UNC1945, who made use of the flaw has been seen targeting telecommunications, financial, and consultancy companies. According to Mandiant, the group has been active since 2018, however, the use of the zero-day drew the attention of researchers.

The zero-day vulnerability has been tracked as CVE-2020-14871 and is described as a flaw affecting the pluggable authentication module and is seen as easily exploitable. The flaw allows an unauthenticated attacker with network access to compromise Oracle Solaris and successfully allow account takeover. Receiving a score of 10 from NVD, the flaw is deemed to be serious enough to receive a critical classification. Oracle has patched the flaw, and admins are advised to update the software so as to patch the flaw as a matter of urgency. The hacker group in this instance used the flaw to bypass authentication procedures and install a backdoor into the victim’s network. The backdoor was then used as a method to carry out reconnaissance on the targeted network as well as spread laterally to other vulnerable machines.

Maze operations began only in May 2019, with just over a year of active campaigns under their belt they are looking into early retirement, according to an article published on Bleeping Computer. The ransomware rose to prominence incredibly quickly, based on a savvy change of tactics, media relations, and a list of high-profile victims. The list includes Canon, Xerox, and LG just to name a few. It appears that the gang has taken to heart the adage of getting out when you’re on top.

This is not the first time the community has seen a gang retire seemingly at the top of their game. In the middle of 2019, the operators behind the GandCrab announced their retirement on underground forums and subsequently released decryption keys so that those still locked out of their systems could remedy the situation and decrypt files. Whether the decision to retire was made on their own volition or not can be argued as the gang had come increased pressure from the No More Ransom collective who were actively working to create decryptors for the latest versions of the ransomware at the time. GandCrab for its part had a significant impact on ransomware operations going forward. They refined the Ransomware-as-a-Service (RaaS) model, a model adopted by today’s most successful ransomware gangs, and constantly updated their malware and tactics to make defending against an infection a harder prospect.

Two recent instances of data breaches have shown the dangers of what stolen data can do in the wrong hands. The first of which impacted a Finnish psychotherapy clinic. The clinic suffered a breach two years ago, with the results of the breach only making themselves known now. A threat actor is demanding a ransom for the stolen client database that contains a wealth of confidential information. It is estimated that thousands of patients may have had their information exposed and subsequently be at risk. Thanks to Bleeping Computer many have an article written in English which neatly summarises events.

Psychotherapy Center Vastaamo announced the incident a week before this article was written and according to local sources the threat actor is demanding 40 Bitcoin for the data. At the time of writing, this amounts to nearly 550,000 USD. The threat actor contacted employees of the clinic demanding that the ransom be paid with another local source reporting that at least 300 patient records were leaked via a Tor site to add veracity to the threat actor’s claims. Unfortunately, the reckless attempts to profit from confidential data did not end with demands to the clinic.

In a still-developing story, it was reported by Bleeping Computer that Barnes and Noble, the well-known US book retailer, appeared to have suffered a cyber incident of some kind. Barnes and Noble is the largest brick-and-mortar bookstore in the US with over 600 stories spread across the country. Further, the company also operates Nook, the popular eBook and eReader platform. It appeared that something was not right when customers of the company took to social media to complain about service blackouts.

Customers began taking to various social media platforms to enquire, and in some cases complain, as to why certain Nook services were inaccessible on October 10, 2020. Many of the problems reported by customers involved not being able to access their library of purchased eBooks and magazine subscriptions. Often attempts to do so online or on their Nook, customers experienced no joy as the library was coming up blank or they could not log into bn.com. In response to customer complaints, Barnes and Noble took to Nook’s Facebook page to announce that there had been a system failure and that the company was working to restore the services that were affected.

For security researcher’s ransomware has presented an ever-evolving threat readily capable of adapting and changing tactics. This rapid adoption of new tactics is seemingly driven by not only the rich rewards on offer but by competition with the rival ransomware gangs. According to recently published research, it would seem that two relatively new ransomware families are vying to be crowned king of the current ransomware threat. Further, it confirms that the number of ransomware attacks that threaten to release stolen data in the event of non-payment is growing.

The research conducted by Digital Shadows was published on their blog. The key takeaways from it are that a staggering 80% of known attacks were conducted by four ransomware families for the period of July to September. Those infamous four being Maze, Sodinokibi, NetWalker, and Conti. In the three months prior, DoppelPaymer was featured in the top three along with Maze and Sodinokibi. The sudden drop off in DoppelPaymer activity reflects the ever-changing ransomware threat landscape. This may also indicate how saturated the market has become and that to remain competitive tactics need to be continually refined and improved as well as a readiness to adopt new tactics. Maze is widely regarded as the first ransomware family to not only threaten the release of confidential data in the event the ransom is not paid in time but to release said data. Since then we have seen several other ransomware families adopt the tactic and start data release websites used to announce successful attacks and facilitate the release of stolen data.

According to new research published by KELA, the number of ads on popular underground hacker forums selling “network access” tripled in September 2020 when compared to the previous month. In the report, researchers documented 108 listings providing what has been termed “network access” to buyers. In total, the sellers were looking to make over 500,000 USD from the sale of access to compromised devices on networks. The average price asked for by the sellers came in at nearly 5,000 USD but the price was dependent on the type of access granted to a compromised network.

The sellers have been termed by researchers as “initial access brokers” with the term coming to mean a seller providing remote access to a machine in a compromised organization. This initial access market in the past seemed to be far more niche than it appears now as it provided other cybercriminals with a foot in the door or initial access to the network via several attack vectors including RDP compromise and SQL injection. By hacking the Remote Desktop Protocol (RDP) the attacker gains privileged access to the targeted machine, while SQL injection involves the attacker placing malicious code within queries to databases allowing the attacker to retrieve data they would not be typically allowed to see and assist with compromising the network.

Since 2016, TrickBot has steadily become one of the major menaces faced by all those tasked with defending corporate networks. Over the last couple of years, this publication has covered several instances where TrickBot was central to causing no small amount of pain, misery, and financial loss. TrickBot began life as a banking trojan designed to steal any and all banking related credentials. It was not long until the malware evolved into a multi-faceted malware capable of conducting operations far above those of normal banking trojans seen previously.

Tracking TrickBot activity reveals this evolution rather nicely. In 2019, TrickBot was seen targeting healthcare providers acting as the initial assault on a network where it was not only there to harvest credentials but to create a backdoor onto the network so that other malware variants could be dropped onto the infected network. This led to a partnership between TrickBot and Emotet, where once TrickBot had successfully compromised a network and created a backdoor Emotet would then be dropped. This effectively turned a humble banking trojan into a hybrid trojan, malware dropper, and info-stealer. The partnership between TrickBot and Emotet was to evolve again, as Emotet partnered with the ransomware gang behind Ryuk. Now TrickBot would drop Emotet which in turn would drop Ryuk. This pattern has been seen on multiple occasions and may have been the infection vector behind the EMCOR and more recently UHS ransomware incidents.