Internet threat news

On July 9, 2021, the railway service used by Iranians for their daily transport needs suffered a cyber attack. New research published by Sentinel One reveals that the chaos caused during the attack was a result of a previously undiscovered form of wiper malware, called Meteor.

The attack resulted in both the Transport Ministry’s online services offered been shut down and to the frustration of passenger’s cancellations and delays of scheduled trains. Further, the electronic tracking system used to determine the locations of trains in service also failed. The government's response to the attack was at odds with what the Iranian media was saying.

According to a recently published report by the Sygnia Incident Response team, internet-facing Windows servers are being targeted by an advanced persistent threat group called Praying Mantis, or less glamorously TG1021. What makes their attack campaigns noteworthy is that they are almost exclusively conducted in memory.

These attacks, also referred to as Fileless attacks are pieces of malware that rather than been stored on a machine's storage are run from a machine's memory. This makes them harder to detect as no files are stored on the infected system or at least none that are easily detectable.

Researchers at Bitdefender have discovered a new password-stealing malware that targets Windows users. The malware is delivered via ads that appear in the user's search results. This is not the first time we have seen this distribution method being used this year. At the beginning of June security firm, Morphisec revealed that several info-stealing malware strains were actively being distributed via Google pay per click (PPC) ads.

The malware discovered by Bitdefender has been named MosaicLoader and is more than just an info stealer targeting users’ passwords. The malware can also mine cryptocurrency and act as a dropper for other strains of malware in particular trojans. Based on the distribution method the threat actors are not targeting specific organizations or individuals.

Much of the world's attention regarding cybersecurity matters has been firmly affixed to the NSO saga resulting from the Pegasus Project. While Spyware has been abused by governments dominated headlines, the US Government and its allies placed responsibility for the Exchange Server hacks that occurred in March squarely at the feet of the Chinese Government.

Given the number of incidents and revelations that have happened in 2021 already, what happened in March already feels like eons ago, so a quick recap of events is probably necessary. On March 2, 2021, Microsoft warned of a Chinese state-sponsored hacking group, codenamed Hafnium, was using several zero-day vulnerabilities discovered in Exchange Server, a popular enterprise product to better facilitate email communications, to distribute malware including ransomware.

Following the Washington Post’s expose regarding the spyware created by an Israeli firm, NSO, which had been used by the firm's clients in a questionable way, the political fallout is just beginning. Spyware can be defined as malware designed to track user activity on a device, not only can activity as in who the user communicates with or engages with the apps including browsers on the device but also location. Full-featured spyware can also log communications and grant the attacker privileged access to the user’s device and by extension the user’s life.

The spyware created by NSO, named Pegasus, has been active since 2016 and has made headlines in the past due to its questionable use by the firm's clients which include governments. The spyware is sold as a solution for tracking and monitoring terrorist activity but as the Washington Post, their media partners, and French investigative non-profit Forbidden Secrets show the spyware is used to track journalists, activists, and those deemed to pose a threat to authoritative regimes.

On the evening of Monday, July 13, 2021, various news outlets began reporting that websites and infrastructure were used by ransomware operators behind the Sodinokibi strain had been taken offline. This resulted in several theories being proposed as to why. Was it a result of legal action? Was it increased pressure by governments following both the JBS and Kaseya incidents?

The latter has been estimated to have resulted in an estimated 1,500 small to medium enterprises becoming victims. Or has the gang decided to call it quits, restructure its infrastructure, or has the gang split based on internal differences and squabbles?

Half of 2021 has already blown past and yet again ransomware has dominated infosec headlines. Petroleum distributor Colonial Pipeline, meat supplier JBS, and IT service provider Kaseya have all been in headlines not for stellar business performance but because they have been victims of crippling ransomware attacks. No longer is ransomware a one-man-band operation but given the profitability seen they have turned into a mutated software-as-a-service (SaaS) business model termed Ransomware-as-a-Service (RaaS).

In a recent report by security Kela titled “Ransomware Gangs are Starting to Look Like Ocean’s 11” written by Victoria Kivilevich the trends dominating this mutated business model are investigated. As ransomware moved away from one operator developing or buying, the ransomware’s source code, compromising a victim’s machine or network, then executing the malware over the years specialists have assumed those specific roles.

Just as some were, rather hopefully, predicting that ransomware had peaked given the increased response by the US and other governments to both the Colonial Pipeline and JBS incidents. Ransomware operators behind Sodinokibi, who have also been blamed for the JBS incident, seem not to have received that memo and carried possibly the largest ransomware incident to date.

It is believed that an affiliate of the Sodinokibi ransomware gang carried out an attack that possibly impacted thousands of organizations according to the Associated Press. The affiliate is believed to have also been behind the recent JBS attack where 11 million USD was demanded as a ransom.

The most recent attack was believed to have been conducted by first compromising a firm that remotely manages the IT infrastructure for clients. Further, the attack has impacted organizations in at least 17 different countries.

The good work done by No More Ransom may be difficult to quantify but it is safe to say that their work releasing free decryptors to be used by victims of ransomware has possibly saved millions of dollars’ worth in damages and ransom payments funding criminal activity.

Now with the help of security firm Tesorion a decryptor for the Lorenz has been released to the public for free.

No More Ransom is a partnership between public, private, and law enforcement agencies, of which this publication is a partner to help educate the public and assist victims.

It is almost daily that ransomware makes headlines in some form or another. Many of the headlines and subsequent articles cover the latest large corporations to fall victim to a ransomware attack.

Recent high-profile attacks, including the Colonial Pipeline Incident and subsequent responses by governments across the globe, attest to this.

Given the threat posed by ransomware and other cyber incidents in general it is little wonder that cyber insurance offerings have been developed to try and mitigate the risk somewhat. This has led to experts asking if such insurance packages are enabling ransomware attacks to some extent?

Cyber insurance, or cyber-liability insurance, is a type of insurance policy designed specifically to help mitigate the threats posed by cyber-attacks. These policies are designed to protect organizations against the fallout of an attack and do not prevent an attack.

For any scholar of cybersecurity trends, ransomware provides a unique study. The threat has seen several key evolutions since it first emerged in 2010. The latest evolution seen and documented by two separate security firms involves how ransomware operators are using virtual machines (VMs) to hide activity.

VMs are often used for the emulation or virtualization of traditional hardware. A virtual machine can be defined as,

“A Virtual Machine (VM) is a compute resource that uses software instead of a physical computer to run programs and deploy apps. One or more virtual “guest” machines run on a physical “host” machine. Each virtual machine runs its own operating system and functions separately from the other VMs, even when they are all running on the same host. This means that, for example, a virtual MacOS virtual machine can run on a physical PC.”

Hackers are ever increasingly looking to abuse developers and their tools to conduct attack campaigns. Recently this trend has involved hackers uploading malicious packages to popular repositories. In April 2021, it was found that hackers had uploaded malicious code that installed the Mac Shlayer.

In the same month a new malware strain, named web-browserify, was distributed via the popular NPM repository. Both instances targeted Node.JS developers, now a malware strain has been seen targeting Python developers.

For the past several months' hackers have not been friendly to businesses in the gaming industry. CD Projekt Red, Ubisoft, and Crytek have all suffered ransomware incidents. Now it has emerged that EA has suffered a data breach, in which it is believed several games have had their source code stolen. The company is a giant of the industry boasting several high-earning franchises including Madden NFL, EA SPORTS FIFA, Battlefield, The Sims, and Need for Speed. Further, the company has over 450 million registered players worldwide and posted GAAP net revenue of $5.5 billion for the fiscal year 2020.

Several reports have emerged stating that Electronic Arts (EA) has had 750 GB worth of data stolen during a breach of their network. The data is believed to contain source code and debugging tools used by developers. Popular tech publication Motherboard reported that the Frostbite Engine, used in many of the publishing giants games including first-person shooters like the Battlefield, was also stolen. For fans of the FIFA franchise, it is also believed that the source code for FIFA 21 was stolen.

According to a new article published by security firm Morphisec, threat actors are using paid-for Google ads to help distribute several pieces of info stealing malware. This is done by the threat actors abusing the Pay Per Click (PPC) functionality of Google AdWords in such a way that the ads paid for by the threat actors often appeared at the top of search queries. This further highlights the need for individuals to adopt a zero-trust policy even when using trusted services.

Researchers discovered that the offending pieces of malware were being distributed via ISO images that would be downloaded when a user clicked the ad and was redirected to a website hosting the malicious payload. An ISO Image is an archive file that was developed to contain an identical copy, or image, of data typically found on an optical disc like a CD or DVD. The image can also be used to distribute large files that could then be burned onto a disk or for backing up data that would be stored on a disk. As the image is a sector-by-sector copy of the original no compression is used to reduce the size of the file. Operating systems can allow for images to mount as a virtual disk. This allows the machine to access the contents of the image as if an optical disk were inserted.