Internet threat news

In November 2021 this publication covered the return of Emotet after law enforcement agencies around the globe worked to cease the malware’s operations by seizing critical infrastructure. Since the return of the botnet, it has been incredibly active being distributed in several campaigns. Now researchers have seen the Botnet dropping the infamous penetration testing tool Cobalt Strike in an attempt to fast forward ransomware attacks.

According to a new report published by Threat Fabric, several malware distribution campaigns have infected almost 300,000 Android users. Infections were carried out by users downloading malicious apps from the Google Play Store containing malware droppers which would then drop banking trojans specifically designed for harvesting and stealing banking credentials.

The theft of credentials is primarily done via a fake banking login page that overlays a legitimate one. Threat actors then exfiltrate the credentials and either sell them on underground marketplaces or use the credentials to commit various kinds of banking fraud. While this phenomenon is certainly not new the tactics used, namely the evolution of past tactics is what has piqued the researcher’s interest in the campaigns.

To say that the cryptocurrency market, now valued at 2.5 trillion USD, has seen its fair share of scams would be an understatement. The latest to affect the cryptocurrency and Non-Fungible Token (NFT) community involves a threat actor targeting enthusiasts on the popular messaging platform Discord.

According to an article published by security firm Morphisec, Discord is being used to distribute crypter malware. Crypter malware can be seen as a specific type of malware that can encrypt, obfuscate, and manipulate malware, to make it harder to detect by security programs. They are typically used by threat actors to pass off malware as legitimate and non-harmful software applications. Crypters broadly come in two forms, static or polymorphic.

The UK’s National Cyber Security Centre (NCSC) was issued a warning noting that a total of 4,151 retailers had been compromised by hackers attempting to exploit vulnerabilities on checkout pages to divert payments and steal details. The retailers impacted have been informed about the vulnerabilities customers are falling victim to over the past 18 months.

According to the warning the majority of victims were impacted by hackers exploiting known vulnerabilities in the e-commerce platform Magento. The vulnerabilities when properly exploited allow the attacker to steal credit card information entered by the customer as well as possibly redirect payments to attacker-controlled bank accounts.

Once referred to as the “world’s most dangerous malware,” after almost a year hiatus Emotet is back. This is not the first time the infamous botnet has resurfaced after a long hiatus.

This time the reemergence of the botnet has happened after significant law enforcement efforts bring down the botnet’s infrastructure.

Europol recently published their Internet Organised Crime Threat Assessment report for 2021 which highlights several trends relating to cyber threats, with ransomware yet again featuring prominently in their research. The report notes, among several other trends, that ransomware reports have increased over the 12 month reporting period looked into by the law enforcement organization and that Distributed Denial of Service (DDoS) attacks, or the threat thereof, are being used to place further pressure on victims.

Three separate reports suggest that international law enforcement agencies are continuing to apply pressure to ransomware gangs, whether it’s the gang leaders, infrastructure, or affiliates. Last week we covered how the BlackMatter ransomware gang was experiencing a legal clampdown. Now despite ceasing operations after reports suggested that US Cyber Command successfully targeted servers used by ransomware gang, is still being targeted by law enforcement. Now it appears that there is an international effort to go after affiliates and leaders of the Sodinokibi gang.

On November 3, 2021, a Twitter post by vx-underground displayed an announcement by BlackMatter leadership that they were shutting down ransomware operations. The announcement read,

“Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) -- project is closed...After 48 hours the entire infrastructure will be turned off, allowing: Issue mail to companies for further communication [and] Get decryptor. For this write 'give a decryptor' inside the company chat, where necessary. We wish you all success, we were glad to work.”

When a company is involved in a merger, acquisition, or listing on an internationally respected stock exchange it is a significant financial event in that organization’s history. The Federal Bureau of Investigation (FBI) is now warning that such events are now being targeted by ransomware gangs in a variety of ways in order to place more pressure on victims to pay the ransom lest the financial event is derailed by ransomware revelations.

According to the threat actors behind the Grief ransomware strain, they have successfully compromised the National Rifle Association (NRA) network, stolen data, and encrypted their data. Bleeping Computer reports that the ransomware group posted the announcement to their leak site along with data stolen from the NRA. The site now boasts images of Excel spreadsheets containing tax and investment information allegedly belonging to the NRA. Further, the group leaked a zip file, “National Grants.zip”, which is reported to contain information relating to grant applications done by the NRA.

In a recent article published by Emisoft, it was revealed how researchers discovered a bug in the BlackMatter ransomware’s code.  This bug was exploited by researchers to create decryption keys that were secretly handed out to victims of the ransomware gang, potentially losing the gang millions of dollars worth of ransom payments.

DarkSide, the threat group strongly believed to be behind BlackMatter and previously behind the DarkSide ransomware, was initially best known for committing other financially motivated cybercrimes, seeing the profit margins ransomware, and the ransomware-as-a-service business model could unlock they quickly pivoted.

The infamous financially motivated threat group FIN7 has been discovered to be posing as a legitimate company to hire penetration testers and other cybersecurity professionals to do the heavy lifting of the preliminary steps a typical ransomware attack would follow. FIN7 also tracked as Carbanak, is perhaps best known for attacks on Saks Fith Avenue and Lord & Taylor stores. Those attacks resulted in the subsequent sale of over 5 million payment cards on the dark web.

In what is writing itself into its own Netflix Original movie at this point, it appears Sodinokibi, also tracked as REvil, infrastructure has been taken offline for the second time this year. The news comes following statements made on the popular hacking forum XSS. The forum posts have been shared to Twitter by Dmitry Smilyanets, a security researcher for Recorded Future. Another post was also shared by Smilyanets which further explained the decision to take the infamous ransomware’s infrastructure offline.

With ransomware attacks now becoming an almost daily phenomenon governments are actively looking at new ways to combat the scourge and protect both individuals, organizations, and national interests. The Australian Minister for Home Affairs, Karen Andrews, has recently published a plan titled the “Ransomware Action Plan.”