Behind the LockBit Takedown: Strategies and Significance

The LockBit takedown was widely hailed as one of the most important law enforcement victories in the sprawling war against ransomware. Ransomware groups, however, usually reemerge after a takedown, albeit with less capacity to continue their criminal activity.

Law enforcement and the AlphV ransomware group went back and forth in December, when the group resurfaced on the dark web hours after police took it down. As of today, AlphV has been active for over ten years and lists new victims on its data leak site.

Over the past decade, ransomware has become an increasingly prevalent problem worldwide, with modern ransomware gangs running complex businesses; for the past year, governments and private companies have been working together to stop these gangs. As part of Operation Cronos, the coordinating organizations used LockBit's own infrastructure to publish information about the gang's activities.

This action against LockBit is without doubt an important victory, but ransomware, including LockBit, continues to be a major threat. To combat it better, the cybersecurity community needs to reflect on the lessons learned. According to the UK's National Crime Agency (NCA), there have been instances where a victim paid LockBit yet the data the gang promised to delete remained on its servers.

Paying a ransom means trusting that the criminal will keep their end of the bargain, and that trust is one of the top risks of paying. The disclosure that LockBit failed to delete data as promised severely tarnished its reputation: if a ransomware group does not appear trustworthy, its victims will not be willing to pay.

Organizations need to be prepared for such eventualities and have plans in place: when a company's data is compromised, a thorough disaster recovery plan and procedure for data loss or damage should take priority over reliance on decryption for recovery. Meanwhile, the criminals are attempting to relaunch their cyber extortion operation after last week's law enforcement takedown, in which police seized both LockBit's extortion infrastructure and its darknet site and obtained significant intelligence.

On Saturday the group's administrator, LockbitSupp, launched a new extortion site listing the names and contact information of five victim companies whose stolen documents they are threatening to leak. The site, however, no longer shows any of the listings from before the law enforcement operation.

Since its launch four years ago, this prolific ransomware-as-a-service outfit has hosted more than 2,000 listings of documents stolen from its victims, the most of any of the several extortion gangs operating on the dark web. Last Monday, police posted a splash page to the site saying that they were in control. A week after LockBit's .onion website was hijacked by the U.K. National Crime Agency (NCA) and its infrastructure was parodied in a series of posts describing the police's "unprecedented technological access" to the gang's systems, the ransomware service attempted to downplay the extent of that access.

The police action also led to the arrests of alleged affiliates and the shutting down of 14,000 accounts on third-party services, and it exposed the gang's failure to destroy victims' data even after promising to. A new LockBit post attempts to minimize the reputational damage caused by the action.

The criminals repeat the claim they made at the outset, that police had only compromised outdated PHP servers. To counter ransomware-as-a-service (RaaS), agencies take a two-fold approach: first disrupt the gang's administrative staff, then its affiliates. The administrative staff generally manage the data leak site, while the affiliates deploy the ransomware and encrypt networks.

The administrative staff are the enablers: unless they are removed, they will go on assisting many more criminals. Disrupting them, on the other hand, tends to push the affiliates to work for other ransomware gangs. Affiliates also use infrastructure of their own, either purchased or illegally accessed.

The tools, network connections, and behaviours associated with that infrastructure reveal a considerable amount about it. The ransom process also exposes details about the administrators: for it to proceed, the administrator must provide a method of communication and a method of payment.

These details may not seem immediately useful to a victim organization, but law enforcement and researchers can leverage them to uncover more about the individuals behind the crimes. It was information from past incidents that enabled law enforcement to disrupt LockBit's infrastructure as well as some of the group's affiliates.

Operation Cronos likely could not have been undertaken without that information, which was gathered with the assistance of attack victims and allied government agencies. It is important to remember that an organization does not need to be a victim to help, and private organizations are eager to collaborate with governments.

Organizations in the US can contribute by partnering with CISA, the US government agency that formed the Joint Cyber Defense Collaborative (JCDC) as a global partnership platform for sharing critical and timely information to fight ransomware. Through the JCDC, government agencies and public organizations share information in both directions.

CISA and participating organizations work together to stay on top of emerging trends and to identify the infrastructure attackers are using. As the LockBit takedown demonstrated, collaboration and information sharing give law enforcement a critical advantage against even the most powerful attacker groups.

GitHub Issues Alert on Lazarus Group's Social Engineering Attack on Developers

According to a security alert issued by GitHub, a social engineering campaign is targeting the accounts of developers in the blockchain, cryptocurrency, online gambling, and cybersecurity industries.

The campaign has been linked to the Lazarus hacking group, which is sponsored by the North Korean state and is also tracked under the names Jade Sleet (Microsoft Threat Intelligence) and TraderTraitor (a 2022 United States government report that detailed the threat actor's tactics).

The Lazarus Group, under its various names, targets cryptocurrency companies and cybersecurity researchers; cyberespionage and cryptocurrency theft are two of its main activities. According to GitHub, none of GitHub's or npm's own accounts or systems were compromised in this campaign.

Lazarus reportedly poses as developers or recruiters on GitHub and social media, using either compromised legitimate accounts or fake personas. A wide range of personas is designed to engage individuals in the targeted industries and ultimately move the conversation to another platform, such as WhatsApp.

The threat actors normally initiate collaboration on a project: after establishing trust, they invite targets to clone a GitHub repository for a media player or cryptocurrency trading tool. These projects, however, carry malicious npm dependencies that download additional malware onto the target's device.

Although GitHub did not describe the malware's specific behavior, Phylum published a report in June 2022 on the malicious npm packages that does: the packages function as malware downloaders that connect to remote websites via a browser and fetch additional payloads onto the infected machine. Limitations in how the payloads were served meant the researchers were unable to analyze the final malware delivered.

GitHub has suspended all npm and GitHub accounts associated with the campaign and published a list of indicators, including domains, GitHub accounts, and npm packages, that can be used to identify whether the campaign has reached an organization. GitHub says the campaign was not aimed at its own systems.

Lazarus has run similar social engineering campaigns in the past, including the targeting of security researchers in January 2021, a fake company website created in March 2021, and a fake email campaign in July 2021. In those attacks the threat actors proved effective at creating elaborate personas and distributing malware disguised as exploits for vulnerabilities.

Lazarus targets cryptocurrency companies and developers to fund initiatives of the North Korean government, and has stolen several million dollars' worth of cryptocurrency from them. Notably, the recent attack on Axie Infinity was reported to have taken over 617 million dollars' worth of Ethereum and USDC tokens.

Besides fund theft and phishing scams, Lazarus has allegedly sent targets malicious PDF files disguised as job offers that could compromise their bank accounts; fake employment opportunities have proven a successful malware delivery method for the group.

Developers and others in the targeted industries should remain vigilant against the many forms of social engineering. Individuals who know the threat actors' tactics and follow good cybersecurity practices, such as verifying the authenticity of requests and avoiding suspicious or unknown links and downloads, can protect themselves and their devices from malicious software.

Attack Process by the Lazarus Group


First, the threat actor poses as a developer or recruiter on GitHub and on social media sites frequented by developers and recruiters, contacting victims from both their own accounts and legitimate accounts compromised by Jade Sleet.

The actor may initiate contact on one platform and switch to another shortly afterwards. Once connected, the threat actor invites the victim to collaborate on a GitHub repository and persuades the target to clone and execute its contents. In some cases the attacker skips the repository invitation and sends the malicious software directly through a messaging or file-sharing service.

The repository contains software, typically a media player or a tool for trading cryptocurrencies, with a malicious npm dependency. When installed, the malicious npm package downloads secondary malware onto the victim's machine. The malicious package is normally not published until the fake repository invitation has been sent to the target.

GitHub has shared IOC details on its blog and suspended the npm and GitHub accounts associated with the campaign. In practice, the most effective way to avoid this campaign is to be cautious of social media solicitations to collaborate on, or install, software that relies on npm packages or dependencies.
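The check a developer can run on an unsolicited repository before `npm install`, as an added example that is not GitHub's code or the post's: it reads the root package.json and flags install-time lifecycle hooks and dependencies that bypass the registry (git/tarball URLs, paths, `user/repo` shorthand), optionally against an allowlist of expected packages. The sample manifest and package names are constructed for the example.

```javascript
// Added example, not GitHub's or the blog's code: audit a cloned repository's
// package.json before `npm install`. It flags what an unsolicited "collaboration"
// repo can use to run code at install time: lifecycle hooks in the root manifest,
// and dependencies pulled from git/tarball URLs or paths instead of the registry.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];
// Specifiers that bypass the public registry (URLs, paths, "user/repo#ref" shorthand).
const NON_REGISTRY = /^(git\+|git:|https?:|github:|gitlab:|bitbucket:|file:|\.\.?\/|\/)/;
const GH_SHORTHAND = /^[^@\s:]+\/[^@\s]+$/;

function auditManifest(pkg, allowlist = new Set()) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (hook in scripts) findings.push({ kind: "lifecycle-hook", name: hook, detail: scripts[hook] });
  }
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (NON_REGISTRY.test(spec) || GH_SHORTHAND.test(spec)) {
        findings.push({ kind: "non-registry-dependency", name, detail: spec });
      } else if (allowlist.size > 0 && !allowlist.has(name)) {
        // Enforced only when the reviewer supplies the packages they expect to see.
        findings.push({ kind: "unknown-dependency", name, detail: spec });
      }
    }
  }
  return findings;
}

// Review lines for a manifest; --ignore-scripts is npm's real flag for skipping hooks.
function auditReport(pkg, allowlist) {
  const lines = auditManifest(pkg, allowlist).map((f) => `[${f.kind}] ${f.name}: ${f.detail}`);
  if (lines.length > 0) lines.push("Review before installing; `npm install --ignore-scripts` blocks the hooks.");
  return lines;
}

// Constructed sample manifest (hypothetical names) modelled on the pattern in the post:
// a "media player" project whose install step pulls code from outside the registry.
const SAMPLE_MANIFEST = {
  name: "media-player-demo",
  scripts: { postinstall: "node ./scripts/setup.js", test: "mocha" },
  dependencies: {
    express: "^4.18.2",
    "hls-helper": "github:example-user/hls-helper#main",
    "codec-utils": "https://example.invalid/codec-utils-1.0.0.tgz",
  },
  devDependencies: { mocha: "^10.2.0" },
};

console.log(auditReport(SAMPLE_MANIFEST, new Set(["express", "mocha"])).join("\n"));
```

The audit only inspects the root manifest; transitive dependencies still need the lockfile reviewed or an install run with hooks disabled.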

Lazarus Attacks in the Past


North Korean hackers have long targeted cryptocurrency companies and developers to steal assets that fund their country's initiatives. Lazarus spreads Trojanized cryptocurrency wallet and exchange apps to cryptocurrency users in order to steal their wallets and funds.

The U.S. Secret Service and the FBI have linked Lazarus to the theft of USDC and Ethereum tokens worth over $617 million from the blockchain-based game Axie Infinity. It was later revealed that the attack began with a malware-laced PDF file, posing as a lucrative job offer, which the threat actors sent to one of the game's blockchain engineers.

Similarly, in 2020 a campaign called "Operation Dream Job" used fake employment opportunities to deliver malware to employees at prominent aerospace and defense companies in the US.