Internet threat news

Ransomware is again making headlines and for all the wrong reasons. Last week this publication covered how using pirated software can leave an organization vulnerable to a ransomware attack. The incident showed how ransomware operators look to exploit poor network and security controls and how the granting of admin privileges should be kept to a minimum. Now, a recent incident shows how damaging a ransomware incident can be, not just to an organization but to society as a whole.

The incident involved the forced shutdown of the largest refined petroleum pipeline in the US. The Colonial Pipeline transports petroleum from the Gulf of Mexico to markets throughout the southern and eastern United States. The company transports 2.5 million barrels per day through its 5,500 mile pipeline and provides 45% of all fuel consumed on the East Coast of the US. The shutdown is expected to negatively impact the price of petroleum for consumption in an already volatile market according to the Wall Street Journal. Reports are already emerging of gas stations typically serviced by the pipeline running dry again impacting consumers negatively.

Long have the dangers of pirated software be shouted from the mountaintops by security researchers. Despite being illegal, the user has no idea what they are downloading. In many cases what they believe is a software package, movie, or TV show is laden with malicious payloads. Some of those payloads contain ransomware. This publication has covered how this is a favored distribution technique for many malware families and how the Pysa ransomware has been seen distributed via fake software crack sites. Now a company in the BioTech sector just suffered a Ryuk attack via a student downloading pirated software.

In a recent article published by Sophos, an incident involving their Rapid Response Team was covered. The team was called in to neutralize a Ryuk infection that occurred at a European biomolecular research institute. The organization has close links with several universities and works with students from those universities through a variety of programs. Further, the organization is involved in COVID-19 research which has proven to pique the interest of ransomware operators meaning that they are prime targets for ransomware gangs like the one behind Ryuk.

It has been a busy couple of days for reports coming from security firm FireEye. Last week this publication covered the use of the FiveHands ransomware strain by a financially motivated group tracked as UNC2447. This week a new report published by the firm details an attack campaign carried out by yet another financially motivated group tracked as UNC2529. The attack campaign was discovered by researchers in December 2020 and is notable for several reasons but namely that three new malware strains were observed being used in the campaign.

The attack campaign began with a concerted email phishing campaign. FireEye researchers saw that 28 organizations were sent phishing emails. It is safe to assume that more than 28 organizations were targeted, as the 28 seen to be targeted would only likely be organizations where FireEye has a presence on their infrastructure. Emails were sent from 26 unique addresses linked to a single domain, tigertigerbeads[.]com with the emails containing inline links to malicious URLs such as hxxp://totallyhealth-wealth[.]com/downld-id_mw<redacted>Gdczs, engineered to entice the victim to download a file containing a malicious payload. While the emails were sent from one domain the links were tracked to at least 24 different domains.

A financially motivated threat actor has been seen exploiting a zero-day bug in SonicWall SMA 100 Series VPN appliances. This is done to gain initial access to enterprise networks so that the threat actors can deploy a newly discovered ransomware strain, known as FiveHands. So far victims include organizations located in Europe and North America. The ransomware itself has several similarities to both the HelloKitty and the DeathRansom ransomware strains. Researchers believe that FiveHands is best described as a novel rewrite of DeathRansom. That being said it does have several differences, more on both the similarities and the differences to come below.

For those still clinging to the myth that Macs are inherently secure, 2021 is proving a difficult year to back up that argument. The advent of Silver Sparrow which raced to infect over 30,000 Macs and malware that targets Macs hiding in NPM packages are just two of several instances where Macs have been found to susceptible to attack. Now the threat operators behind the Shlayer malware have been seen exploiting a previously unknown zero-day. The good news is Apple has now released a patch for it, so it is strongly advised that Mac users download the latest patch if they have not done so already.

In summary, the malware’s creators found a way to bypass Apple's File Quarantine, Gatekeeper, and Notarization security checks and download second-stage malicious payloads. This is not the first time Shlayer has tricked Apple. Previously the malware was seen subverting the notarization process instituted with MacOS Catalina. This time, Shlayer subverts Gatekeeper to run malicious applications and harvest sensitive information.

Built to replace Secure Sockets Layer (SSL), Transport Layer Security (TLS) is a series of cryptographic protocols designed to secure communications across networks. The protocol is used in email, instant messaging, and voice-over IP applications. That being said the protocol's security layer in HTTPS remains one of the protocol's primary uses. It is this use as a security layer to keep communications hidden from the view of security researchers that threat actors have latched onto. According to a recent report published by Sophos Labs in 2020, 23% of malware detected was seen abusing the TLS protocol, by the first quarter of 2021 this had skyrocketed to 46%.

Researchers determined that the large growth in TLS abuse can be linked to threat actors increasingly turning to legitimate web and cloud services protected by TLS to further attack campaigns. Services like Discord, Pastebin, GitHub, and Google’s cloud services are increasingly being used as repositories for malware. Acting as a repository for malware or specific components is not the only use malware authors have found for the above-mentioned services. Researchers have seen services being used as storage for stolen data and to send commands to botnets and other malware. Further, the increase in TLS abuse has also partly been attributed to threat actors encapsulating communications behind Tor and TLS network proxies to hide them.

In a recent report published by Advanced Intel, a threat intelligence firm, those behind recent Ryuk attacks have changed tactics. The change in tactics is used to gain initial access to targeted networks and according to Advanced Intel’s researchers, the new tactic involves exploiting hosts with public Internet-facing RDP (remote desktop protocol) connections. Using targeted phishing emails to deliver malware continues to be the favored initial attack vector, but researchers noted that the start of 2021 saw an increase in instances where operators looked to compromise RDP connections to gain initial access.

To be granted access to Internet-facing RDP connections threat actors will use brute-force attacks, using a weak password and username combinations or credentials that have been leaked. Once initial access is granted to a network, threat actors will begin the reconnaissance stage of the operation. Researchers have noticed distinct phases once this step of the operation is begun. The first stage is defined by the attackers looking for valuable resources on the now compromised network.

While headlines regarding Iran’s nuclear program and possible Israeli malware been used to cause failures at nuclear plants is this week's big cybersecurity news, other developments deserve attention. One such development is the discovery of a new piece of malware that targets Node.JS developers using Mac and Linux machines. The malware was found in a malicious package on the NPM registry, used by developers to supplement their code with existing tools to make their life easier.

The malware was found in a package labeled “web-browserify,” which is intended to imitate the popular Browserify package that has been downloaded over 160 million times. It can be assumed that the attacker by naming their malicious package “web-browserify” is hoping to trick developers into downloading the malicious package. The malware is built by combining hundreds of legitimate open-source components and performs extensive reconnaissance activities on an infected system. As of April 13, 2021, the malware was being detected by none of the malware engines tracked on Virus Total. Writing for Bleeping Computer, Ax Sharma, who works for Sonatype security, along with a team of researchers, discovered the malware.

The recent Exchange Server vulnerability and news that the flaws were being used to spread ransomware dominated many InfoSec headlines. However, Kaspersky’s recent discovery of the Cring ransomware strain using an old VPN vulnerability as the initial attack vector reminds us that ransomware operators can always dig into the old bag of tricks to pull off a successful attack.

On January 26, 2021, Swisscom CSIRT tweeted,

Since April 3, 2021, several reports emerged of a trove of data belonging to Facebook users that had been leaked online for free. The data included namely mobile phone numbers but also includes names, emails, gender information, occupations, as well as several location identifiers. The stolen data first emerged on the forum in July 2020, when one member began selling the information to other members of the underground hacking forum.

The sale of data on such forums is standard practice for those stealing sensitive data from other organizations. However, this instance was notable as a lot of the information could be scraped from the public-facing user-profiles and the mobile numbers associated with accounts were private. That means they should not have been accessible in the same manner information on the public profiles is. In total the sold data included 533,313,128 Facebook users. Researchers discovered that the large majority of the stolen data sets included a private mobile number as well as a Facebook ID, a name, and the member's gender.

2020 was seen by many as a bumper year for DDoS attacks. The survey was conducted by the Neustar International Security Council (NISC) and showed that the majority of those surveyed, 22%, believed the biggest threat they faced was a DDoS attack. Further, the number of respondents that acknowledged that they had suffered such an attack went up from 60% in 2019 to 74% in 2020. 2021 promises to be no different and highly likely worse with the advent of Ransom Distributed Denial of Services attacks exceeding 800 Gbps.

Distributed Denial of Service, or DDoS, attacks are attempts to maliciously disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. This is done by using botnets, devices infected with specific malware that allows a hacker control over the device and can send HTTP requests via a device. Hackers will connect thousands of infected devices to send requests to the target server to the point where the server cannot handle the traffic.

Schools and Universities continue to be a favored target of ransomware operators. Previously, this publication covered how the US Federal Bureau of Investigation issued an alert warning the education sector that the operators of the Pysa ransomware, a variant of the Mespinoza, was actively being used in campaigns against schools and universities. Over the past weekend, another schooling organization was hit by a ransomware attack. This time across the Atlantic.

Reports began emerging that the Harris Federation, which runs some 50 schools in London and Essex in the United Kingdom, had to temporarily disable their email system, leaving nearly 40,000 students without the service during a time when many students are remotely attending certain classes given the current pandemic.

Initially discovered in 2018, Purple Fox, a trojan spread by phishing emails and RIG exploits has been seen in several active campaigns since its discovery. Now the malware has added another distribution method to its tool kit. The malware is now capable of being spread via what researchers call a worm-like capability, better described as “indiscriminate port scanning and exploitation of exposed SMB services with weak passwords and hashes.”

The new distribution method was discovered by researchers at Guardicore Labs, who announced the discovery recently via a report. The report is technical in nature but makes for interesting reading for those following Purple Fox’s development since its discovery. The discovery was made when Guardicore Global Sensors Network (GGSN) telemetry began picking up increased Purple Fox activity in mid-2020. Activity trailed off in November that same year till January 2021, followed by another surge in inactivity. Researchers determined activity has increased 600% with the total number of attacks being estimated at 90,000.

Security researchers have discovered a new piece of malware capable of compromising systems running macOS. In particular, the malware targets developers who make use of the Xcode projects integrated developer environment (IDE). Typically, developers developing apps for macOS or iOS make use of Xcode to better make use of features unique to those two platforms both developed and maintained by Apple. The malware was discovered by researchers working at Sentinel Labs, with details of the malware being published by the security firm recently.

The malware, named XcodeSpy, abuses the RunScript functionality found within Xcode. The malware is currently being distributed via an open-source Xcode project available on Github. The attackers are looking to take advantage of a community of developers who share tools and applications to better assist other developers. The malicious developer tool discovered by researchers is a ripped and modified version of TabBarInjection, which is a legitimate project that assists developers in creating interactive tab and navigation bars. It is important to note that the legitimate TabBarInjection has not been compromised.