Internet threat news

It seems like it would be easier to win a massive lottery payout than to go a week without ransomware dominating InfoSec headlines. Less than two weeks ago this platform posted about how ransom demands had increased 60% from the first quarter of 2020 to the second quarter. Several other ransomware incidents arose between them that vied for equal attention. Now three events compete for similar attention. Those being the discovery of a new ransomware family, another high profile victim, and a massive spike in ransomware related activity detected by cybersecurity researchers.

First, the new ransomware. Called ProLock it first emerged in late August 2020. While reports were emerging of the ransomware then, it seems that the group responsible for its development and distribution were using the ransomware from the beginning of this year. Further, it seems that ProLock is an evolution of PwndLocker and is likely operated by the same group. Since then both Group-IB and Sophos. Both reports have shone a light on the group’s activities and should help those defending networks to better prevent falling victim to the ransomware.

For those looking to prosecute cybercriminals and the organizations they belong to, it is not just the malware used that can help officials arrest and try alleged criminals. Being able to determine how illicit funds were laundered and used is an important part of proving those charged with crimes actually guilty of said crimes. We have covered a number of occasions where research is shined a light into how cybercriminals profit from the funds, stolen, extorted, or mined, whether funds, typically cryptocurrency, earned from sextortion or ransomware. In a white paper published by the Society for Worldwide Interbank Financial Telecommunications (SWIFT) in collaboration with BAE Systems has shone new light into this facet of the criminal underworld. Their findings may come as a surprise to those who see cryptocurrencies as the currency of cybercrime.

Much of the research conducted by SWIFT and BAE was focussed on money stolen during hacking campaigns that targeted banks and other financial institutions. Given how often cryptocurrencies like Bitcoin are mentioned in regards to cybercrime it would be assumed that proceeds from bank hacks would be turned into cryptocurrency as soon as possible and then laundered from there. However, the research paints a different picture with SWIFT noting,  “Identified cases of laundering through cryptocurrencies remain relatively small compared to the volumes of cash laundered through traditional methods,”, with traditional methods including money mules, front companies, cash businesses, and investments back into other forms of crime, such as drug trade or human trafficking. That being said, while the use of cryptocurrencies to further launder money stolen from banks is still a minor percentage when compared to the more traditional methods used to launder money they do expect this small percentage to rise in the future.

Researchers based at cybersecurity firm Cybereason, have uncovered a new malware been deployed by a well-known and seemingly well-resourced hacking operation codenamed Evilnum. The group has been deemed an advanced persistent threat and has been operating since 2018. Past research published by ESET revealed that one of the factors contributing to the group’s continued success is that they constantly change tactics while targeting FinTech companies in Europe and the UK, with some victims been as far-flung as the Americas and Australia. This constant variation in tactics has meant that the group has been seen using different components written in Javascript and C#. The latest attack campaign sees yet another new tool been added to the groups already varied toolbox, a remote access trojan (RAT) written in Python. The malware has been called PyVil by Cybereason researchers.

Typically, a RAT can be seen as trojans that create a backdoor onto a target machine with heightened privileges. The attacker can then access the machine remotely to perform a variety of functions like steal data or drop secondary payloads. In the case of PyVil, the malware is capable of allowing attackers to secretly steal corporate information through the use of keylogging and taking screenshots, as well as the ability to collect information about the infected system, including which version of Windows is running, what anti-virus products are installed and whether USB devices are connected. In the past, the group relied on spear-phishing campaigns to distribute the malware which was contained within a .zip archive.

Upon the release of macOS Mojave, Apple implemented another layer of security intended to protect its users. The tech giant introduced the concept of Notarization, which involves developers adhering to a number of steps to make sure their apps are malware-free. Upon the release of macOS Catalina, this process became mandatory for developers looking to release apps on the new release. In theory, the idea seems solid enough and will protect macOS users. In reality, things appear to be far more complicated. The malware developers behind the Shlayer malware seem to have subverted this process in order to authenticate the one thing the concept is meant to prevent, malware.

According to reports by both Bleeping Computer and MalwareBytes the malware’s developers successfully managed to get their malicious payloads through Apple's automated notarizing process. Before the details of how the malware developers managed to do, it is wise to look at how Apple set up the process to work in the first place. According to Apple the process became obligatory from the start of February 2020. The process itself goes hand in hand with the concept of code-signing which is a cryptographic process that enables a developer to provide authentication to their software. It both verifies who created the software and verifies the integrity of the software. By code signing an app, developers can prevent it from being modified maliciously, at least in theory that is. In practice, it makes such modifications easily detectable.

One of the last times business email compromise (BEC) scams were covered in this publication was when the Federal Bureau of Investigation (FBI) revealed that businesses and individuals had lost an estimated 12 billion USD over just under five years. Since then ransomware, and in particular the work of human-operated ransomware gangs, has dominated cybersecurity news feeds. While massive global organizations were becoming victims of these ransomware gangs, BEC scams never disappeared but their approach and demands became more brazen. Scammers are now looking to steal 80,000 USD on average from targeted companies per attack a new report reveals. The previous report noted that demands were on average 54,000 USD, signaling a significant jump from the first quarter of 2020 to the second. Before we take a look at the contents of the report it is wise to see exactly what amounts to a BEC scam.

A BEC scam is a type of phishing attack where a cybercriminal impersonates an executive, often a CEO, and attempts to get an employee, customer, or vendor to transfer funds or sensitive information to the phisher. Unlike traditional phishing attacks, which target a large number of individuals across a company, BEC attacks are highly targeted and focussed. Cybercriminals will scrape compromised email inboxes, study recent company news, and research employees on social media sites to make these email attacks look as convincing as possible. This high level of targeting helps these email scams to slip through spam filters and evade email whitelisting campaigns. This makes it far harder for employees to decide whether the email is legitimate or not.

The previous article published on this platform dealt with how the US elections are at threat of being disrupted via the use of ransomware. A core element of Recorded Future’s research into the matter centered on the increased use of Remote Desktop Protocol (RDP) and Citrix tools used by staff forced to work from home during the COVID-19 pandemic. This has resulted in an increased attack vector for ransomware gangs to exploit. Recent research published by Coveware paints another picture. Rather than the potential threat, Coveware’s research is based firmly in reality and deals with the current ransomware marketplace. The research was conducted over the second quarter of 2020 and revealed several worrying states for enterprises no matter their size, primary of which is that demands have increased 60% over the previous quarter.

Coveware releases these reports quarterly and they provide helpful insight into the realities dealt with those tasked to defend networks. One of the interesting insights provided concerns the market share across various ransomware operators. In the first quarter, this metric was dominated by the big game ransomware operators like Sodinokibi and Ryuk. In Q1 nearly 60% of confirmed attacks were carried out by the three biggest names in ransomware at the time. In Q2 this number dropped to 30% due to smaller and often less skilled operators increasing activity. The second quarter showed a greater market share was carved out by smaller, more opportunistic, ransomware operators.

The US Presidential Election draws the attention of the entire globe for a variety of reasons. Politics, economics, and the climate are affected by the nation’s choice of who will next sit in the White House. As November 2020 draws closer coverage of the election will dominate the news and debates around the dinner table. Currently, most of the coverage is political there is another aspect of the election that is gaining increased attention. That being how secure these elections will be to cyber threats, and in particular ransomware. Various ransomware gangs are notching up major corporations as victims and in the past, a number of state institutions and government departments have suffered ransomware infections, who is to say that the next elections will be free from such an incident.

A recent report by Recorded Future takes a deep dive into the threat posed by ransomware in the upcoming US election. It is not only security firms that have noted the existence of a threat. US state officials noted the existence of the threat posed by ransomware as well as the private sector. The threat posed is also not without real-world incidents. In 2016, the Palm Beach County Supervisor of Elections Office was hit with a ransomware attack which in turn was not reported to the relevant authorities at the time and only came to light recently. While the threat to election centers exists, the question remains can ransomware, even a highly co-ordinated campaign, disrupt the 2020 elections?

With Garmin, Canon, and Xerox all becoming victims to human-operated ransomware gangs, the InfoSec community did not have to wait long to see which major corporation was next. Customers of Konica Minolta, the massive business technology firm, took to Reddit to try and find out why services could not be accessed for several days. Later Bleeping Computer learned that the company that employs approximately 44,000 people and earned 9 billion USD in 2019, had become the latest high profile, ransomware victim.

At the time of writing, the business technology giant was yet to make a statement regarding the incident. That being said a number of cybersecurity researchers seem to confirm what Bleeping Computer believes. Initially, customers began reporting as far back as July 30, 2020, that the product services and support site were down. The site remained down for almost a week with little information being provided as to why the site was down. Many customers were presented with the following message when attempting to access the support services,

In a joint report issued by the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) information regarding a new previously unreported malware called Drovorub has been released to the public. The malware has been attributed by the two agencies to APT28, a group with a variety of codenames but tracked as Fancy Bear, by this publication. The report contains a wealth of technical information for anyone needing to harden their Linux system to prevent falling victim to a Drovorub infection.

The malware itself has been described as a “Swiss Army knife” as it is a multi-component malware. The malware consists of an implant, a kernel module rootkit, a file transfer tool, a port-forwarding module, and a command-and-control (C2) server. This enables the malware to perform a variety of functions including, stealing data and controlling the infected system remotely. The malware achieves a high level of stealth and is very difficult to detect, which is granted to the malware via the use of an advanced rootkit. A rootkit is typically defined as pieces of malicious code that achieve root access to the infected system by gaining privileged access to the system. From there they can be used to perform a variety of tasks including keylogging, file theft, disable antivirus products, and a host of other operations favored by state-sponsored groups. In the case of Drovorub the rootkit allows the malware to loaded upon boot up which further adds persistence in the infected network as, unlike many other malware families, the malware will survive a system restart. Further, the use of such an advanced rootkit allows Fancy Bear to infect a wide variety of targets as well as conducting attacks at any time.

The US Federal Bureau of Investigation warned US companies via a Private Industry Notification that Iranian state-sponsored hackers are actively targeting the US private and government sectors, according to an article recently published by ZDNet. The latest alert warning of Iranian state-sponsored activity follows an alert published in February which again warned private industry partners of campaigns distributing the Kwampirs malware. The latest alert does not mention names but given the examples of previous attacks listed in the alert, researchers have determined that those responsible for the latest attack campaign form part of the advanced persistent threat (APT) group Fox Kitten.

Fox Kitten or Parisite is seen by the InfoSec community as the “spear tip” of Iranian cyber operations, often creating a beachhead for other groups to exploit. The group primarily operates by attacking high-end and expensive network equipment using exploits for recently disclosed vulnerabilities, before companies had enough time to patch devices. The devices targeted by the group tend to be used by large corporations and government departments, with previous campaigns actively targeting companies in the IT, Telecommunication, Oil, and Gas, Aviation, Government, and Security sectors of multiple states around the world. Typically once the targeted network is compromised the group will install a web shell or backdoor onto the vulnerable device. This grants the group future access to the compromised network which can be used by them or other Iranian groups.

It seems that the world cannot go a week without yet another large company falling victim to one of the human-operated ransomware gangs. Last week Evil Corp, the gang behind WastedLocker successfully attacked Garmin resulting in the company having to shut down many of its services, including its call centers and customer chat lines. Further, fitness trackers and aviation products were severely affected by the attack. Now, the gang behind the Maze has claimed an impressive scalp in Canon, the world-famous camera and all things image-related company.

The news surfaced via a Bleeping Computer article when the writer, Lawrence Abrams, discovered that several of Canon’s services were offline. The outage impacted Canon's email, Microsoft Teams, USA website, and other internal applications. It was also noted that image.canon, the company’s cloud service for storing images, also suffered an outage, potentially putting at risk users’ data and images stored on the platform. It was later shown that the cloud service was not impacted by the ransomware attack that the image.canon outage was not related to the ransomware attack, but the same cannot be said for several other services. Further, Canon announced that no user data or images were leaked during the announcement.

Based on research published by security firm McAfee has confirmed that the gang behind the NetWalker ransomware have established themselves as one of the most dangerous ransomware operators on the threat landscape. The research conducted by the firm reveals that the gang has potentially netted 25 million USD in ransomware payments since March 2020, proving the profitability of well organized and skilled ransomware gangs can generate as well as the danger posed by such gangs. While the 25 million USD figure is an estimate as it is not like these gangs have to report earnings to auditors or revenue services, it does mean that the gang ranks amongst some of the most successful gangs today including Dharma, Sodinokibi, and Ryuk. It is also noted by some that the figure of 25 million may be conservative due to the security firm’s limited view of the entire ransomware operation.

When Kaspersky Labs provided evidence the North Korean state-sponsored hacker collective named Lazarus was behind the WannaCry ransomware debacle that propelled ransomware into the limelight of malware, some scoffed. Those that believed it not to be the case seemingly also ignored evidence provided by several Western intelligence agencies. State-sponsored groups did not participate in for-profit, or financially motivated, hacking campaigns was the wisdom of the time. That time being 2017, now a better understanding of the group has led to wisdom on such matters. State-sponsored groups can indeed be financially motivated and perform cyber espionage. There was not a rule chiseled in stone, and there was most certainly no hacking rulebook being published in North Korea, raids on banks and cryptocurrency exchanges can attest to the mindset exhibited by Lazarus.

For Garmin’s vast user base the news that something is wrong with the services offered, is perhaps painfully old by now. In summary, reports began emerging as soon as July 23 that large swathes of the company’s services were offline. The company remained quiet as to why services were offline except for a tweet and an announcement via their website. In time several employees would speak out and say that the company had experienced a ransomware attack, what’s more, the offending piece of malware was WastedLocker. In even another staggering twist, reports emerged that 10 million USD was being demanded as a ransom by the cybercriminals behind the attack.