Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label EMBARGO. Show all posts
Ransomware
AI Cyber Crime Cyberattacks CyberCrime Cybersecurity Cyberthreats EMBARGO ESET MDeployer Ransomware

Embargo Ransomware Uses Custom Rust-Based Tools for Advanced Defense Evasion

 


Researchers at ESET claim that Embargo ransomware is using custom Rust-based tools to overcome cybersecurity defences built by vendors such as Microsoft and IBM. An instance of this new toolkit was observed during a ransomware incident targeting US companies in July 2024 and was composed of a loader and an EDR killer, namely MDeployer and MS4Killer, respectively, and was observed during a ransomware attack targeting US companies. 

Unlike other viruses, MS4Killer was customized for each victim's environment, excluding only selected security solutions. This makes it particularly dangerous to those who are unaware of its existence. It appears that the tools were created together and that some of the functionality in the tools overlaps. This report has revealed that the ransomware payloads of MDeployer, MS4Killer and Embargo were all made in Rust, which indicates that this language is the programming language that the group favours. 

During the summer of 2024, the first identification of the Embargo gang took place. This company appears to have a good amount of resources, being able to develop custom tools as well as set up its own infrastructure to help communicate with those affected. A double extortion method is used by the group - as well as encrypting the victims' data and extorting data from them, they threaten to publish those data on a leak site, demonstrating their intention to leak their data. 

Moreover, ESET considers Embargo to be a provider of ransomware-as-a-service (RaaS) that provides threats to users. The group is also able to adjust quickly during attacks. “The main purpose of the Embargo toolkit is to secure successful deployment of the ransomware payload by disabling the security solution in the victim’s infrastructure. Embargo puts a lot of effort into that, replicating the same functionality at different stages of the attack,” the researchers wrote. 

“We have also observed the attackers’ ability to adjust their tools on the fly, during an active intrusion, for a particular security solution,” they added. MDeployer is the main malicious loader Embargo attempts to deploy on victims’ machines in the compromised network. Its purpose is to facilitate ransomware execution and file encryption. It executes two payloads, MS4Killer and Embargo ransomware, and decrypts two encrypted files a.cache and b.cache that were dropped by an unknown previous stage. 

When the ransomware finishes encrypting the system, MDeployer terminates the MS4Killer process, deletes the decrypted payloads and a driver file dropped by MS4Killer, and finally reboots the system. Another feature of MDeployer is when it is executed with admin privileges as a DLL file, it attempts to reboot the victim’s system into Safe Mode to disable selected security solutions. As most cybersecurity defenses are not in effect in Safe Mode, it helps threat actors avoid detection. 

MS4Killer is a defense evasion tool that terminates security product processes using a technique known as bring your own vulnerable driver (BYOVD). MS4Killer terminates security products from the kernel by installing and abusing a vulnerable driver that is stored in a global variable. The process identifier of the process to terminate is passed to s4killer as a program argument. 

Embargo has extended the tool’s functionality with features such as running in an endless loop to constantly scan for running processes and hardcoding the list of process names to kill in the binary. After disabling the security tooling, Embargo affiliates can run the ransomware payload without worrying whether their payload gets detected. During attacks, the group can also adjust to the environment quickly, which is another advantage.

Basically, what Embargo toolkit does is that it offers a method of ensuring the successful deployment of the ransomware payload and prevents the security solution from being enabled in the victim's infrastructure on the day of deployment. This is something that Embargo invests a lot of time and effort into, replicating the same functionality at different stages of the attack process," wrote the researchers. They added that the attackers also showed a capability to modify their tools on the fly, during an active intrusion, by adjusting the settings on different security solutions on the fly. 

As part of Embargo's campaign against victims in the compromised network, MDeployer is one of the main malicious loaders that it attempts to deploy on victims' machines. With the use of this tool, ransomware can be executed and files can be encrypted easily. During the execution process, two payloads are executed, MS4Killer and Embargo ransomware, which decrypt two encrypted files a.cache and b.cache that have been left over from an unknown earlier stage onto the system.

After its encryption process, the MDeployer program systematically terminates the MS4Killer process, erases any decrypted payloads, and removes a driver previously introduced by MS4Killer. Upon completing these actions, the MDeployer initiates a system reboot. This process helps ensure that no remnants of the decryption or defence-evasion components persist on the system, potentially aiding threat actors in maintaining operational security. In scenarios where MDeployer is executed as a DLL file with administrative privileges, it has an additional capability: rebooting the compromised system into Safe Mode. 

This mode restricts numerous core functionalities, which is often leveraged by threat actors to minimize the effectiveness of cybersecurity defences and enhance stealth. Since most security tools do not operate in Safe Mode, this functionality enables attackers to evade detection more effectively and hinder any active defences, making detection and response significantly more challenging. The MS4Killer utility functions as a defense-evasion mechanism that specifically targets security product processes for termination. This is achieved using a technique referred to as "bring your own vulnerable driver" (BYOVD), wherein threat actors exploit a known vulnerable driver. 

By installing and leveraging this driver, which is maintained within a global variable, MS4Killer is able to terminate security processes from the kernel level, bypassing higher-level protections. The identifier for the targeted process is supplied as an argument to the MS4Killer program. To further enhance MS4Killer’s effectiveness, Embargo has incorporated additional capabilities, such as enabling the tool to run continuously in a loop. This looping function allows it to monitor for active processes that match a predefined list, which is hardcoded within the binary, and terminate them as they appear. 

By persistently disabling security tools, Embargo affiliates can then deploy ransomware payloads with minimal risk of detection or interference, creating an environment highly conducive to successful exploitation.
Read more »
Security Defenses
BlackCat Cyber Community CyberCrime Cybersecurity Cyberthreats EMBARGO ESET MDeployment MS4Killer Ransomware Rust Security Defenses

Security Defenses Crippled by Embargo Ransomware

 


There is a new gang known as Embargo ransomware that specializes in ransomware-as-a-service (RaaS). According to a study by ESET researchers published Wednesday, the Embargo ransomware group is a relatively young and undeveloped ransomware gang. It uses a custom Rust-based toolkit, with one variant utilizing the Windows Safe Mode feature to disable security processes.

ESET researchers say that the Embargo ransomware group is developing custom Rust-based tools to defeat the cybersecurity defenses put in place by companies and governments. There is a new toolkit that was discovered in July 2024 during an attack on US companies by ransomware and is made up of a loader and an EDR killer, MDeployer, and MS4Killer, respectively, which can also be accessed and downloaded online. There are several ways in which MS4Killer can be utilized. 

For instance, it can be compiled according to each victim's environment, targeting only specific security solutions. As it appears that both tools were developed together, there is some overlap in functionality between them. Several of the programs that were developed as part of the group, including MDeployer, MS4Killer, and Embargo's ransomware payload, are written in Rust, thus suggesting that the language is one that the developers use most often. It is claimed that the group has committed ten acts of cybercrime on its dark web leak site, including a non-bank lender from Australia, a police department from South Carolina, and a community hospital from Idaho. 

An interview conducted in June with a self-proclaimed representative of Embargo said that the group specializes in ransomware-as-a-service, with affiliates taking an extortion payment of up to 80%. It is believed that the toolkit discovered by Eset consists of two primary components: MDeployer, which is designed to deploy Embargo's ransomware and other malicious payloads, and MS4Killer, which is built to exploit vulnerable drivers to disable endpoint detection and response systems. 

In both MDeployment and MS4Killer, Rust is used as the programming language. Because of its memory protection features as well as its low-level capabilities, it can be used to create malware that is both effective and resilient. A study conducted by Eset reported that Embargo can target both Windows and Linux systems with Rust. It was in May 2024, one month after the first observation of Embargo in the ESET telemetry in June 2024 that Embargo was publicly observed for the first time. There are several reasons why the group has drawn attention besides the fact that it successfully breached high-profile targets as well as the language it used for its ransomware payload that piqued people's curiosity. 

As part of its development, Embargo chose Rust, which is a cross-platform programming language that provided the potential to develop ransomware that targets both Windows and Linux platforms. The Embargo group follows in the footsteps of BlackCat and Hive as yet another group developing ransomware payloads using Rust programming language. It is clear from Embargo's mode of operation that it is a well-resourced group considering its modus operandi. This system also allows victims to communicate with it via Tox, which results in the communication being managed by the system itself. It is a group that uses double extortion to force victims to pay him and then publishes the stolen information on its leaked website too. 

It is the MDeployer that Embargo uses mainly to install malicious loads on victims' computers within the compromised network to destroy them. An application for this purpose is designed to make it easier to execute ransomware and encrypt files. Two payloads are executed, MS4Killer and Embargo ransomware. Additionally, two encrypted files, a.cache, and b.cache, which were dropped by an unknown stage in the previous step, are decrypted and delivered to the victim. 

If the ransomware finishes encrypting the system, the MDeployer terminates the MS4Killer process, deletes all the decrypted payload files and the driver file dropped by MS4Killer, and finally restarts the computer. Besides the fact that MDeployer can run as a DLL file with administrative privileges, it has also the ability to reboot the victim's system into a Safe Mode if it is executed with administrator access. This is because major cybersecurity defenses aren't switched on in Safe Mode, which allows threat actors to continue operating undetected. The initial intrusion vector is unknown, however, once MDeployer has installed itself on the victim machine, it decrypts MS4Killer from the encrypted file "b.cache" and drops the file "praxisbackup.exe" into the system. 

In every single case observed by ESET, the MDeployer used the same hardcoded RC4 key to decrypt both files from "a.cache" and dropped and executed them as "pay.exe." MDeployer decrypted both files using the same hardcoded RC4 key. It has been reported that MS4Killer allegedly builds upon the S4Killer proof-of-concept tool available on GitHub and drops the vulnerable mini-filter drive problem.sys version 3.0.0.4 as part of what is known as the "Bring Your Own Vulnerable Driver" idea (BYOVD), which is a technique developed to deal with driver vulnerabilities in general. The researchers wrote in their paper that MS4Killer exploits this vulnerability to obtain kernel-level code execution and interacts with security software to carry out its malicious purposes. 

The Embargo's version of MS4Killer differs from the original MS4Killer in that Embargo has hardcoded a list of the processes to be killed into its binary. It has also encrypted the embedded driver blob which is an RC4 hash. Using cloud-based techniques, ESET researchers describe how MS4Killer runs in an endless loop and constantly seeks out processes that need to be terminated.   

MDeployer, a component of the Embargo ransomware attack chain, meticulously logs any errors encountered during its operations in a file named “fail.txt.” Upon completion of the attack — whether by successful ransomware deployment or an error in loader execution halting the attack — the MDeployer initiates a cleanup routine. This process includes terminating the MS4Killer loop and deleting specific files such as praxisbackup.exe, pay.exe, and a vulnerable driver. 

Additionally, it generates a control file named “stop.exe,” which certain MDeployer versions reference to prevent re-execution and, consequently, double encryption. Embargo, developed in Rust, appends each encrypted file with a unique, randomly generated six-character extension combining letters and numbers, such as “.b58eeb.” It also drops a ransom note titled “HOW_TO_RECOVER_FILES.txt” in each affected directory. The group has established its secure infrastructure for covert communication with victims but provides the option to negotiate through Tox chat as well. 

Although still developing, Embargo shows signs of ambition, borrowing techniques from established ransomware-as-a-service (RaaS) groups. These include implementing the "bring your vulnerable driver" (BYOVD) strategy, exploiting Safe Mode, and leveraging the adaptable Rust programming language. ESET's analysis highlights Embargo’s indicators of compromise (IoCs) and its tactics, techniques, and procedures (TTPs), offering guidance to help organizations defend against this emerging threat.
Read more »
Vulnerable Organization
Artificial Intelligence Clout Plateforms CyberCrime Cybersecurity CyberThreat EMBARGO RaaS Ransomware Storm-0501 Vulnerable Organization

Embargo Ransomware Shifts Focus to Cloud Platforms

 


In a recent security advisory, Microsoft advised that the ransomware threat actor Storm-0501 has recently switched tactics, targeting hybrid cloud environments now to compromise the entire system of victimization. It is becoming increasingly apparent that cybercriminals are finding out how difficult it is to secure hybrid cloud environments. 

In the latest case, an extremely cruel group called Storm-0501 has stepped forward in an attempt to steal from the most vulnerable organizations in the US, including schools, hospitals, and law enforcement. The group is known for its cash-grab operations. As an affiliate of different strains of ransomware as a service (RaaS), Storm-0501 has been around since 2021, as per Microsoft Threat Intelligence's new report on it.

This ransomware operates as affiliates of a variety of RaaS strains such as BlackCat/ALPHV, LockBit, and Embargo, among others. The Storm-0501 ransomware gang is well-known for its operations in on-premise networks, but now the group is focusing on extending its reach to cloud infrastructures as they look to compromise whole networks with their campaigns. 

Since Storm-0501 was first discovered in 2021, it has been associated with the Sabbath ransomware group as an affiliate. There are several notable ransomware groups, such as Hive, BlackCat, LockBit, and Hunters International, that have been involved in these operations from time to time, but it has been growing rapidly. 

There have been recent reports that the group has been using Embargo ransomware as a means of executing their operations. As a result of the group's broad range of targets within the United States, the group has selected a wide array of sectors for its attacks, including hospitals, government agencies, manufacturing companies, transportation companies, and law enforcement agencies. 

As part of their attack pattern, the group usually exploits weak credentials and privileged accounts, enabling them to steal sensitive information from compromised networks and to deploy ransomware to guarantee their success. Earlier this week, Microsoft team members shared information about a recent attack on Microsoft Entra ID (formerly Azure AD) that was performed by Storm-0501 threat actors. 

The credential-synching component of this on-premises Microsoft application is responsible for synchronizing the passwords and other sensitive data between the objects in Active Directory and Entra ID, assuming the credentials of the user are the same for both on-premises and cloud environments. This report warns that once Storm-0501 was able to migrate into the cloud at a later point in time, it was then capable of manipulating, exfiltrating, and setting up persistent backdoors to commit ransomware attacks. 

As a result of exploiting weak usernames and passwords, the attacker gains access to cloud environments via privileged accounts, which sets out to steal data as well as execute a ransomware payload on the target machine. It is Microsoft's position that the Storm-0501 is obtaining initial access to the network by stealing or buying credentials for access, or by exploiting known vulnerabilities that have already been discovered. 

It is worth noting that CVE-2022-47966 has been used in recent attacks against Zoho ManageEngine, CVE-2023-4966 has been used against Citrix NetScaler, and CVE-2023-29300 or CVE-2023-38203 may have been used against ColdFusion 2016. As the adversary moves laterally, it uses frameworks like Impacket and Cobalt Strike, steals data through Rclone binaries renamed to mimic known Windows tools, and disables security agents using PowerShell command-line functions. 

Storm-0501 is malware that has been designed to exploit stolen Microsoft Entra ID credentials (formerly known as Azure AD credentials) to move from on-premise to cloud environments, compromise synchronization accounts for persistence, and hijack sessions for recurrence. Using a Microsoft Entra Connect Sync account is an essential part of synchronizing data between on-premises AD (Active Directory) and Microsoft Entra ID (Entra ID cloud-based). 

These accounts allow a wide range of sensitive actions to be taken on behalf of the On-Premise AD account. In the case that the attacker has gained access to the credentials for the Directory Synchronization Account, he or she has the capability of changing cloud passwords through specialized tools like AADInternals, thus bypassing any additional security measures. 

An unauthorized user may exploit the Storm-0501 vulnerability if the account of a domain admin or other high-privileged user on-premises also exists in the cloud environment and is not properly protected (e.g. it does not implement multi-factor authentication). As soon as the malicious actor has gained access to the cloud infrastructure, they plant a persistent backdoor by creating a new federated domain inside of the Microsoft Entra tenant, which allows them to log in as any user that has the "Immutableid" property set to their benefit. 

A final step would be for the attackers to either install Embargo ransomware in the victim's on-premises infrastructure and cloud-based environments or keep backdoor access available for later use to the victim. In response to the growing prevalence of hybrid cloud environments, Microsoft's Threat Intel team has warned, "As organizations continue to work with multiple platforms to protect their data, securing resources across them becomes a growing challenge."

Keeper Security, vice president of security and infrastructure, said that a zero-trust framework is a highly effective means of achieving this goal for enterprise cybersecurity teams and that it can be achieved by progressively advancing towards one. Using this model, access is restricted based on the customers' roles, making sure that users only have access to the resources they need for their specific roles. 

This minimizes the possibility of malicious actors getting access to those resources," Tiquet stated in an email. "It is widely believed that weak credentials remain one of the most vulnerable entry points in hybrid cloud environments that are likely to be exploited by groups such as Storm-0501." A centralised approach to endpoint device management (EDM) is also vital to the success of the strategy, according to him. Keeping all environments patched - be it cloud-based or on-premises - is one of the best ways to prevent attackers from exploiting known vulnerabilities by ensuring a consistent level of security patching." 

In addition to my previous statement, he added that advanced monitoring tools will allow teams to detect potentially malicious threats across hybrid cloud environments before they can become breaches. SlashNext Security's field CTO Stephen Kowski provided a similar list of recommendations in a statement he sent via e-mail. Embargo, whose contact information can be found here, is a threat group that uses Rust-based malware in its ransomware-as-a-service (RaaS) operation, which accepts affiliates who access companies and deploy the payload, sharing part of the profit with the affiliate. 

As far back as August 2024, an Embargo ransomware affiliate attacked the American Radio Relay League (ARRL) and claimed to have received $1 million for a decryptor that worked once it was provided to them. The theft of sensitive data from Firstmac Limited, an Australian company that deals with mortgages, investment management and investment strategy, was reported to the cybercrime reporting agency earlier this month. When the deadline to negotiate a solution had passed, an Embargo subsidiary was discovered to have breached the company.
Read more »
Technology INdustry
Cyberattacks CyberCrime Data Breach Data Security Breach EMBARGO Hackers Login Credentials Non Bank Lender Stock Exchange Technology INdustry

Australia's Premier Non-Bank Lender Suffers Data Security Breach

 


One of Australia's largest non-bank mortgage lenders, Firstmac, has suffered a cyberattack, which resulted in customer information such as credit card and passport numbers, Medicare numbers and driver's licence numbers being stolen and published on the dark web. In a letter sent to its customers, the Brisbane-based lender informed them that one of its information technology systems had been successfully breached by an unauthorised third party, making it one of Australia's largest non-bank lenders. 

According to the non-bank lender, hackers have taken possession of nearly ten thousand driver's licenses and two hundred and fifty thousand "customer records" over the last few days. The company notified the Australian Stock Exchange of the incident. As a result of the unusual activity it has detected on its systems "in the last few days," the company has suspended trading until Monday. The hackers were said to be very sophisticated.

There is no indication that the hackers gained access to Latitude information held at two separate service providers by using employee login credentials - whether they have been stolen or if this was a credential stuffing attack - which they were not aware of. A consortium of investors, including KKR and Deutsche Bank, acquired Latitude from GE in 2015 to sell its credit cards and instalment payment plans to retailers. In 2021, the company became public. 

Firstmac Limited, one of the largest firms in the country, has informed its customers that it has suffered a data breach the day after an alleged theft of 500GB of data from the company by the new Embargo cyber-extortion group was uncovered. In the financial services industry of Australia, Firstmac is primarily known for its mortgage lending, investment management, and securitization services, which it provides to its clients. 

Based in Brisbane, Queensland, the company employs 460 people and has issued 100,000 home loans. At the moment, the firm manages around $15 billion in mortgage loans. Troy Hunt, the creator of Have I Been Pwned, published on X yesterday a sample of the notice letter sent to Firstmac's customers informing them of a major data breach. 

Cyberdaily, the technology industry publication, reported that a large amount of data was posted on the dark web by the hackers behind the attack. EMBARGO, a ransomware gang with roots in the Netherlands, is credited with the hack – which was carried out sometime in April, according to the publication. As a report points out, Firstmac was given a ransom deadline of May 8 by the gang, a deadline that seems to have lapsed since the gang did not appear to have met that deadline. 

Cyberdaily posted screenshots of the dark website EMBARGO, which provided customer information such as their loan and financial information, as well as their email addresses. Several FirstMac executives and IT departments were also published by the gang. It is unclear how many customers and employees have been affected by the breach. 

FirstMac has been contacted for further information. While Firstmac's security systems have been strengthened in recent months, it still assured its beneficiaries that their funds and accounts are safe, and the firm's systems have been bolstered to ensure this. There has been a new requirement that everyone who wants to change an account or add a card to an account will need to provide their two-factor authentication code or biometric information to verify their identity as one of the measures that increased security.

IDCare is offering free identity theft protection services for recipients of the notices. Users are advised to be cautious when responding to unsolicited correspondence and to regularly check their account statements for any unusual activity or transactions. As a resOn the newly formed threat group's extortion page, it appears that only two victims have been identified, and it is unclear whether or not the new threat group is doing their own data breaches, or if they have been buying stolen data from others intending to blackmail the owners. 

A sample of Embargo encryption has still not been found, so it is unknown if this is a ransomware group, or if they are simply aiming to profit by extorting funds. A large number of hacks against Australian servers were recorded in the 2022-23 financial year, which is an increase of more than 300 per cent compared to the previous financial year, according to the Australian Signals Directorate, an agency under the federal government responsible for security and information. 

A data breach was discovered late last year affecting Melbourne travel agency Inspiring Vacations, in which approximately 112,000 records, totalling 26.8 gigabytes of data, were exposed online as a result of an insecure database that couldn't be password protected. The recent data breach of Optus, HWL Ebsworth, Latitude Financial, Medibank, DP World, and Dymocks has been labelled a "new normal" of constant attacks and breaches which have affected millions of Australians including customers of Optus, HWL Ebsworth, Latitude Financial, Medibank, DP World, and Dymocks among others. 

There have now been significant increases in penalties for serious or repeated breaches of customer data, largely due to the Optus breach in particular. As a result of the Embargo extortion group having announced the attack online on its site, there was extensive coverage by Australian media outlets about the attack on Firstmac which occurred at the end of April. Earlier this week, Embargo published all of the data they claimed to have stolen from Firstmac's systems, including documents, source code, email addresses, phone numbers, and database backups, one day after they made a claim it had been stolen.
Read more »
Subscribe to: Posts (Atom)