Showing posts with label LockBit.

The Rise of Weaponized Software: How Cyber Attackers Outsmart Traditional Defenses

 

As businesses navigate the digital landscape, the threat of ransomware looms larger than ever before. Each day brings new innovations in cybercriminal techniques, challenging traditional defense strategies and posing significant risks to organizations worldwide. Ransomware attacks have become increasingly pervasive, with 66% of companies falling victim in 2023 alone, and this number is expected to rise. In response, it has become imperative for businesses to reassess their security measures, particularly in the realm of identity security, to effectively combat attackers' evolving tactics.
 
Ransomware has evolved beyond merely infecting computers with sophisticated malicious software. Cybercriminals have now begun exploiting legitimate software used by organizations to conduct malicious activities and steal identities, all without creating custom malware. One prevalent method involves capitalizing on vulnerabilities in Open Source Software (OSS), seamlessly integrating malicious elements into OSS frameworks. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about this growing trend, citing examples like the LockBit operation, in which attackers leverage legitimate, free software for nefarious purposes. Conventional endpoint security solutions often lack the behavior analytics capabilities needed to detect such subtle indicators of compromise.

As a result, attackers can exploit tools already employed by organizations to acquire admin privileges more easily while evading detection. This underscores the need for organizations to stay abreast of evolving techniques and adapt their defense strategies accordingly. Throughout the ransomware attack lifecycle, cybercriminals employ a variety of tactics to advance their missions. 

From initial infection to data exfiltration, each stage presents unique challenges and opportunities for attackers. For example, attackers may exploit vulnerabilities, manipulate cookies, or employ phishing emails to gain initial access. Once inside a network, they utilize legitimate software for persistence, privilege escalation, lateral movement, encryption, and data exfiltration. 

One critical aspect of mitigating the risk posed by ransomware is embracing an identity-centric defense-in-depth approach. This approach places emphasis on important security controls such as endpoint detection and response (EDR), anti-virus (AV)/next-generation antivirus (NGAV), content disarm and reconstruction (CDR), email security, and patch management. By prioritizing least privilege and behavior analytics, organizations can strengthen their defenses and mitigate the risk of falling victim to ransomware attacks. 

As ransomware attacks continue to evolve and proliferate, organizations must prioritize identity security and adopt a proactive approach to defense. By recognizing and addressing the tactics employed throughout the ransomware attack lifecycle, businesses can bolster their defenses, enhance identity security, and safeguard against the ever-evolving threat of ransomware.

Behind the LockBit Takedown: Strategies and Significance

 


The takedown of LockBit was widely hailed as one of the most important law enforcement victories in the sprawling war against ransomware. However, ransomware groups usually reemerge after law enforcement takes them down, albeit with less power to continue their criminal activity.

There was a back-and-forth tussle between law enforcement and the AlphV ransomware group in December, when the group resurfaced on the dark web hours after being taken down by the police. As of today, AlphV has been active for over ten years and lists new victims on its data leak site.

Over the past decade, ransomware has become an increasingly prevalent problem worldwide, with modern ransomware gangs running complex businesses; for the past year, governments and private companies have been working together to stop these gangs. As part of Operation Cronos, the coordinating organizations used LockBit's own infrastructure to publish information about the gang's activities.

There is no doubt that this action against LockBit is an important victory, but ransomware continues to be a major threat, even from LockBit. To combat ransomware better, cybersecurity communities need to reflect on some lessons learned. According to the UK's National Crime Agency (NCA), there have been instances where a victim paid LockBit, yet the data the group had promised to delete from its servers was never deleted.

After paying a ransom, a victim can only trust that the criminal will keep their end of the bargain; this is one of the top risks associated with paying. The disclosure that LockBit failed to delete the data as promised severely tarnished its reputation, and if a ransomware group does not appear trustworthy, its victims will not be willing to pay.

Organizations need to be prepared for such eventualities and have plans in place. When a company's data is compromised, it needs to prioritize a thorough disaster recovery plan and procedure for data loss or damage, rather than relying on decryption for recovery. In response to last week's law enforcement takedown, in which police seized LockBit's cyber extortion operations and its darknet site and gathered significant intelligence, the criminals are attempting to relaunch their operation.

The group's administrator, LockBitSupp, launched a new extortion site on Saturday that lists the names and contact information of five victim companies whose stolen documents they are threatening to leak. However, the site no longer shows any of the old listings from before the law enforcement operation.

Since its launch four years ago, this prolific ransomware-as-a-service outfit has hosted more than 2,000 documents stolen from its victims, the most of any of the several extortion gangs operating on the dark web. Last Monday, police posted a splash page to the site saying that they were in control. A week after LockBit's .onion website was hijacked by the U.K. National Crime Agency (NCA), which had replaced it with a series of posts parodying the gang's own site and describing the police's “unprecedented technological access” to its infrastructure, the ransomware service attempted to downplay the extent of that access.

Alongside the arrests of alleged affiliates and the shutting down of 14,000 accounts on third-party services, the operation revealed that the gang had failed to destroy victims' data even after promising to do so. A new LockBit post attempts to minimize the reputational damage caused by the police action.

The criminals repeat their initial claim that police had compromised outdated PHP servers. To counter ransomware-as-a-service (RaaS), agencies resort to a two-fold attack: first disrupting the gang's administrative staff, then disrupting its affiliates. The administrative staff generally manages the data leak site, while the affiliates deploy the ransomware and encrypt networks.

The administrative staff is a significant enabler of the criminals; unless they are removed, many more criminals will keep working with them. Disrupting the administrative staff causes the affiliates to move to other ransomware gangs. Affiliates use infrastructure of their own, either purchased or illegally accessed.

The tools, network connections, and behaviours of this infrastructure provide a considerable amount of information about those behind it. The ransom process also exposes some details about the administrators: for it to proceed, the administrator must provide a method of communication and a method of payment.

These details may not seem immediately useful to an organization, but law enforcement and researchers can leverage them to uncover more about the individuals who committed these crimes. Using details from past incidents, law enforcement was able to disrupt LockBit's infrastructure as well as some of the group's affiliates.

Operation Cronos likely could not have been undertaken without that information, which was gathered with the assistance of attack victims and allied government agencies. It is important to remember that an organization does not need to be a victim to help. Private organizations are eager to collaborate with governments.

Organizations in the US can contribute to the fight against ransomware by partnering with CISA, the US government agency that formed the Joint Cyber Defense Collaborative (JCDC) as a global partnership platform for sharing critical and timely information. Government agencies and public organizations share information through the JCDC in both directions.

CISA and these organizations work together to stay on top of emerging trends and to identify the infrastructure being used by attackers. As the LockBit takedown demonstrated, collaboration and information sharing give law enforcement a critical advantage against even the most powerful attacker groups.

LockBit Ransomware Outfit Claims Subway as its Latest Victim

 

Due to an alleged ransomware attack by the notorious LockBit ransomware gang, the multinational fast-food restaurant giant Subway is facing a potential PR nightmare. Reports suggest Subway’s systems were exploited by the LockBit gang, known for its aggressive modus operandi. 

After the LockBit ransomware organisation claimed to have breached Subway's internal SUBS systems and stolen an abundance of data, the firm launched an investigation. The ransomware-as-a-service provider listed the company on its data leak website, claiming that one of its affiliates took gigabytes of critical details. 

LockBit indicated that they are allowing the company some time to preserve the data, "which includes hundreds of gigabytes of data and all financial of the franchise, including employee salaries, franchise royalty payments, master franchise commission payments, restaurant turnovers, etc." If they do not, the notorious outfit plans to sell it to competitors.

The message was posted on January 21, and the criminals gave Subway until February 2 to pay the extortion. However, Subway's spokesperson states that the company is still investigating the hackers' claims.

For your information, LockBit is one of the most active ransomware groups, having targeted thousands of organisations. The US authorities claimed in June 2023 that the LockBit gang had targeted 1,700 companies in the US since 2020, collecting more than $90 million in ransom. 

Many people were surprised to learn that Subway was unaware of the ransomware attack. However, this is not surprising given that hackers are increasingly focusing on data theft rather than ransomware encryption, since developing, creating, maintaining, and delivering ransomware has become too difficult. Companies have significantly improved their data backup and defence systems; as a result, criminals steal data and demand payment for not releasing it publicly. 

It is worth mentioning that Subway has 20,000 stores worldwide and over 400,000 employees, so the data leak might have long-term consequences for its customers if it unfolds. To protect yourself from online risks, avoid clicking links or opening attachments, use strong passwords, enable two-factor authentication, maintain software and operating systems up to date, and invest in reliable antivirus and anti-malware software. Adequate cyber hygiene is the best approach to fight against cybercrime.

Shimano's Cyber Siege: A Saga of Resistance Against Ransomware

 


Shimano Industries, a prominent Japanese multinational manufacturing company specializing in cycling components, fishing tackle, and rowing equipment, seems to have been hit by a massive data breach by the ransomware attacker LockBit, who has threatened to release confidential data, including information such as factory inspection results, lab tests and financial documents by 5 November if their demands are not met. 

The group stole 4.5 terabytes of sensitive company data. The company had previously been involved in the production of golf supplies until 2005 and snowboarding gear until 2008. Situated in Sakai, Osaka Prefecture, the corporation operates with 32 consolidated and 11 unconsolidated subsidiaries.

Its primary manufacturing facilities are strategically located in Kunshan (China), as well as in Malaysia and Singapore. LockBit is a major international cybercrime group that uses malware to breach global corporations' security protocols and attempts to extort money in exchange. Its previous targets have included Royal Mail, with the British postal company's international services severely disrupted in January 2023 due to the attack.

American aircraft and missile manufacturer Boeing is the latest victim of the group, with the company officially confirming the attack yesterday. Another major brand hit recently by a similar attack is Canyon Bicycles.

Victims are threatened with having their data posted on the dark web, and a victim who does not pay within a few days has that data posted.

Shimano Industries Ltd, a Japanese manufacturer of bicycle parts, was recently targeted by a ransomware attack that demanded payment of a ransom. Shimano was unwilling to pay, and the blackmail gang threatened to put the stolen data online, which is what it did. The stolen data is now probably widely available online.

Escape Collective updated its report late last week, saying that an industry-leading cyber-security firm it contacted suggested the delay in publishing could be an indication that Shimano was in negotiations. This appeared to be the case until recently.

Several attempts to contact LockBit itself via Sonar, a web messenger usable from the Tor browser, have not been successful. In a recent post, LockBit claims to have penetrated the Japanese manufacturer's network and obtained access to several terabytes of data. The attackers announced that they would publish Shimano's stolen data after the company ignored their ultimatum.

The Russian ransomware group LockBit appears to have released much of the 4.5 terabytes of company data on its darknet page after the ransom deadline expired. Shimano did not respond to a request for comment on the matter.

Experts have yet to clarify who made them. Several financial records and personal information, including financial details of employees and customers, have reportedly been leaked in the current case. Drawings, diagrams, test evaluations, development material, and so on have also reportedly been exposed, as well as contracts and non-disclosure agreements.

Recently, the Russian-speaking ransomware gang LockBit caused a sensation by attacking the US aircraft manufacturer Boeing. It was one of the most active ransomware gangs at the time. Shimano has yet to release a statement regarding the attack, and there is no mention of the cyberattack of any kind on the Shimano homepage.

It seems that Shimano was hacked and that no cash was paid to the hackers. It is also clear from the report that sensitive information was leaked. However, the company has not elaborated on its original statements following the hack. A Shimano spokesperson contacted by Cycling News replied to the inquiry by saying, "This is an internal matter at Shimano and is under investigation.

For the time being, we cannot address the situation." According to the original ransom note issued by the LockBit group, the following threats were made: “If you do not pay the ransom, we will attack your company again in the future.” 

A cyber security researcher at the University of Warwick, Dr Harjinder Lallie, explained to Cycling Weekly earlier this month that the leak may lead to intellectual property being transferred to competitors if the ransom is not paid.

LockBit Claims Cyberattack on India’s National Aerospace Lab

 

LockBit, the infamous ransomware group, has admitted to being behind a cyber assault on India's state-owned aerospace research laboratory. In July, LockBit's dark web site also leaked data from Granules, an Indian pharmaceutical company and one of its latest targets.
 
On Wednesday, LockBit listed the National Aerospace Laboratories (NAL) on its dark web leak site, where ransomware groups usually try to extort money from their victims. According to TechCrunch, they threatened to share the organization's stolen information unless an unspecified amount was paid.

After asserting responsibility for the cyberattack on the National Aerospace Laboratories and posting the claim on the dark web, the hacker collective has presented a daunting ultimatum. They set a deadline of December 18, 2023, at 18:58:48 UTC, emphasizing that if their demands are not met, they will expose the compromised data.  

In an unexpected departure from their usual approach, LockBit has chosen not to reveal any mitigation plans this time. Typically, they would outline a ransom, often starting at $10,000, to secure a 24-hour extension to the deadline. As of the time this information is being shared, the National Aerospace Laboratories (NAL) website is currently inaccessible globally. 

The cause of this website disruption remains uncertain, and it is not clear whether it is linked to the ransomware attack. LockBit also released eight documents it claims were stolen, including confidential letters, an employee's passport, and various internal records.

Established in 1959, the National Aerospace Laboratories (NAL) is India's premier aerospace research organization, owned by the government's Council of Scientific and Industrial Research. NAL collaborates closely with entities like ISRO and DRDO, focusing on advanced research in aerospace and related fields, particularly in the development of civilian aircraft. 

A joint advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and its counterparts in Australia, Canada, France, Germany, New Zealand, and the United Kingdom highlights coordinated efforts in cybersecurity. The advisory also shows that LockBit was the most widely deployed ransomware variant globally in 2022 and 2023.

Unveiling LockBit: Cybercrime Gang Targeting Global Titans in Hacking Spree

 

Ransomware, a form of malicious software, has a history spanning over three decades. However, it only gained regular attention in popular media over the last ten years.

This type of malware locks access to computer systems or encrypts files until a ransom is paid. Cybercriminal groups now view ransomware as a lucrative scheme, especially with the emergence of "ransomware as a service," which enables various groups to profit from successful ransom demands through affiliate schemes.

One prominent group, LockBit, has garnered attention by showcasing high-profile victims on its website. LockBit refers to both the malware and the group behind it, complicating its identification.

LockBit emerged in 2019 as a stealthy malware aimed at infiltrating organizations, locating valuable data, and encrypting it. Unlike mere data theft, LockBit encrypts data and holds it hostage until a ransom is paid, often resorting to threats of data publication (known as double extortion) if the payment deadline isn't met.

The LockBit group remains largely enigmatic, claiming no specific political allegiance and welcoming an unlimited number of affiliates worldwide solely interested in financial gain. However, they enforce rules prohibiting attacks on certain targets, including critical infrastructure like hospitals and specific post-Soviet countries.

Despite these rules, instances like a Canadian hospital falling victim to LockBit indicate the potential breach of these restrictions by rogue users. Interestingly, LockBit justifies avoiding specific countries due to the high number of members originating from the former Soviet Union, despite the group's current location in the Netherlands.

LockBit's victims range from the United Kingdom's Royal Mail and Ministry of Defence to Japanese company Shimano and aerospace giant Boeing, whose leaked data surfaced after refusing to pay the ransom. LockBit has also allegedly claimed responsibility for the recent ransomware incident involving the Industrial and Commercial Bank of China, linking the group to nearly 2,000 victims in the United States alone.

Ransomware as a service (RaaS) has surged in popularity, mirroring legitimate software services like Microsoft 365, providing cybercriminals with tools to conduct ransomware campaigns efficiently and profitably. These services handle every aspect of the criminal process, enticing new affiliates with a 20% commission and requiring a hefty deposit in Bitcoin.

Preventing ransomware attacks involves robust cybersecurity measures such as system updates, password management, network monitoring, and prompt responses to suspicious activities. The decision to pay a ransom remains subjective for organizations, but bolstering cybersecurity measures can deter criminal groups from targeting easier victims.

Researcher Claims: Teens with “Digital Bazookas” are Winning Ransomware War


One thing that Boeing, an Australian shipping company, the world's largest bank and the world's biggest law firm have in common is that they have all suffered at least one cybersecurity incident. These breaches have apparently been carried out by a teenage hacker, all due to the companies' failure to patch a critical vulnerability that security professionals had warned about weeks earlier, according to a post published on DoublePulsar on Monday.

According to Kevin Beaumont, a freelance security researcher, the other notable victims are DP World Australia, the Australian branch of the Dubai-based logistics company DP World; the Industrial and Commercial Bank of China (ICBC); and Allen & Overy, a multinational law firm.

All four companies have recently admitted to being struck by at least one security incident. China's ICBC has also allegedly paid an undisclosed ransom to retrieve the encryption keys for data that had remained unavailable since the breach.

Beaumont stated that the four businesses are among the ten victims he is aware of that are presently being extorted by LockBit, one of the most active and destructive ransomware crime syndicates in the world, citing data that allows the tracking of ransomware operators, as well as people familiar with the breaches. Despite a fix being available since October 10, Beaumont claimed that all four organizations had yet to apply it to a critical vulnerability in Citrix Netscaler, the networking product they all used.

CitrixBleed Bug

With a 9.4 severity rating out of 10, CitrixBleed is an easy-to-exploit vulnerability that reveals session tokens that can be used to negate any multifactor authentication mechanisms inside a vulnerable network. Within the affected victim's internal network, attackers are left with the equivalent of a point-and-click desktop PC and are free to move around.

In his post, Beaumont wrote:

Ransomware groups are often staffed by almost all teenagers and haven’t been taken seriously for far too long as a threat. They are a threat to civil society as long as organizations keep paying.

Focusing on cybersecurity fundamentals for enterprise-scale organizations is a challenge, as often people are chasing after the perceived next big thing—metaverse (remember that?), NFTs, generative AI—without being able to do the fundamentals well. Large-scale enterprises need to be able to patch vulnerabilities like CitrixBleed quickly.

The cybersecurity reality we live in now is teenagers are running around in organized crime gangs with digital bazookas. They probably have a better asset inventory of your network than you, and they don’t have to wait 4 weeks for 38 people to approve a change request for patching 1 thing.

Know your network boundary and risky products as well as LockBit do. You need to be able to identify and patch something like CitrixBleed within 24 hours—if you cannot, there is a very real possibility it isn’t the ideal product fit for your organization due to the level of risk it poses, and you need to rethink if the architecture of your house is fit for purpose. 

Vendors like Citrix need to have clear statements of intent for securing their products, as piling on patch after patch after patch is not sustainable for many organizations—or customers should opt with their wallets for more proven solutions. The reality is many vendors are shipping appliance products with cybersecurity standards worse than when I started my career in the late '90s—while also advertising themselves as the experts. Marketing is a hell of a drug.

Beaumont further highlighted query results from the Shodan search service, which showed that at the time of the intrusions, none of the four firms had installed the CitrixBleed patch. The vulnerability is tracked as CVE-2023-4966.

The researcher additionally criticized Citrix for Netscaler's logging features, which he claimed made it practically impossible for customers to determine whether they had been hacked. Because of this, some users who applied the CitrixBleed patch may have been unaware that LockBit was already present on their networks.

Boeing declined to comment on the post.

Emails to Citrix and Allen & Overy seeking comment were left unanswered when Ars Technica reached out. The publication further notes that requests for comment from DP World and ICBC were also not immediately answered.

After the CitrixBleed exploit first provides remote access through Virtual Desktop Infrastructure software, LockBit uses tools like Atera, which offers interactive PowerShell interfaces without triggering antivirus or endpoint detection alerts, to extend its access to other parts of the compromised network. This access persists even after CitrixBleed is patched, until administrators take specific steps to end it.

Shimano Suffers Cyberattack: 4.5 Terabytes Company Data Breached


Shimano, the market-leading cycling component manufacturer, has been the subject of a ransomware attack that has affected 4.5 terabytes of important company data. 

The Japanese manufacturer has apparently been targeted by the ransomware organization LockBit, which is threatening to expose the data on November 5, 2023, at 18:34:13 UTC, according to a post on X (previously Twitter) by the technology security company Falcon Feeds.

The attack, first reported by Escape Collective, is also recorded on the Ransom-db website's Live Ransomware Updates, with Shimano.com listed as a victim of LockBit 3.0 and the date November 2, 2023, as the attack date. 

The whole ransom note is also available on Ransomlook.io, which is known as an open-source initiative intended to support users in tracking ransomware-related posts and actions across numerous sites, forums, and Telegram groups. 

The gang breached highly sensitive data

  • Employee identification, social security numbers, residences, and passport scans
  • Financial papers such as balance sheets, profit and loss statements, bank statements, and numerous tax forms and reports
  • Client data such as addresses, internal documents, postal exchanges, confidential reports, legal documents, and factory inspection findings
  • Other documents including non-disclosure agreements, contracts, confidential designs and drawings, development materials, and laboratory testing

LockBit is a cybercriminal group that employs malware to compromise critical company data and then tries to extort money in exchange for preventing its public publication. 

LockBit, the world's most active ransomware

According to the cyber-crime prevention firm Flashpoint, LockBit is the world's most active ransomware organization, responsible for 27.93% of all known ransomware attacks in the year ending June 2023. Its total of 1,036 victims is more than double that of the second-placed organization, BlackCat.

Other victims of the cyberattack

Shimano is the latest in a long line of high-profile LockBit victims. Trend Micro reports that the British postal service Royal Mail was attacked in January, virtually suspending its international export services. Dublin software firm Ion Group was targeted in February, while Taiwanese chipmaker TSMC was targeted in June with a US$70 million ransom demand.

Boeing, the world's largest aircraft manufacturer, is also being extorted by the organization. 

A Shimano spokeswoman told Cyclingnews, "This is an internal matter at Shimano that is being investigated, but we cannot comment on anything at this time."

Aftermath of the attack

It is unclear what ransom, if any, has been sought by the organization at this time, but it is apparent that the revelation will be another significant blow in an already difficult period for the Japanese brand. 

It just announced a global recall of 2.8 million road cranksets due to a long-standing bonding separation issue. As a result, a class-action lawsuit was filed in North America in the weeks that followed. According to its most recent quarterly report, overall sales of bicycle components declined by 24.8%, with operational profitability decreasing by nearly half. 

Time Taken by Ransomware to Infect Systems Witnesses a Significant Drop


The amount of time it takes for a threat actor to fully infect a targeted system with ransomware has decreased significantly over the past 12 months.

According to a report published by The Register, the average dwell time — the interval between the start of an attack and the deployment of ransomware — was 5.5 days in 2021 and 4.5 days in 2022. This year it has fallen to less than 24 hours. In 10% of cases, ransomware was deployed within five hours of initial access, according to Secureworks' annual State of the Threat Report.

It is interesting to note that the cybersecurity industry has become much better at spotting the activity that occurs before a ransomware outbreak, which is one of the factors contributing to this dramatic decrease in infection time. Because of this, Secureworks explains, "threat actors are focusing on simpler and quicker to implement operations, rather than big, multi-site enterprise-wide encryption events that are significantly more complex."

Also, this year has witnessed a considerable increase in the number of ransomware victims and data leaks due to the significant emergence of "several new and very active threat groups." Attacks are therefore occurring more frequently and in greater numbers.

Ransomware groups now rely mainly on three initial-access vectors. The first is scan-and-exploit, which probes systems for exploitable flaws. The second is the use of stolen credentials, and the third is phishing email designed to trick people into quickly giving attackers access to secure systems.

Sony is currently one of the most recent high-profile victims of a ransomware gang, but the company has not yet revealed the extent to which its systems were affected or data stolen. Another ransomware attack recently hit a Danish cloud-hosting company and compromised most of its customer data. Earlier this year, the LockBit ransomware gang stole data on 8.9 million dental insurance customers. 

However, on a positive note, the FBI was able to take down the renowned Qakbot botnet, which was revealed to be in charge of 700,000 compromised machines and was utilized in numerous ransomware assaults.  

LockBit Ransomware Falters, Attackers Deploy New '3AM' Malware


In a recent cyberattack targeting a construction company, hackers attempted to deploy the LockBit ransomware on a target network but were thwarted. In an unexpected twist, they resorted to a previously unknown ransomware variant called 3AM, successfully infiltrating the system.

The newly discovered ransomware, 3AM, follows a fairly typical pattern by disabling various cybersecurity and backup-related software before encrypting files on the compromised computer. However, it stands out with an unusual theme: the name 3AM, a reference to the eerie hour when only insomniacs, night owls, and malicious hackers are typically active.

Researchers from Symantec highlighted this double-pronged attack in their recent report. It marked the first documented instance of 3AM being used alongside the LockBit ransomware in a single compromised machine.

Dick O'Brien, the principal intelligence analyst for the Symantec threat hunter team, cautioned, "This isn't the first time we've seen attackers employ multiple ransomware families simultaneously, and organizations should be prepared for such scenarios."

Upon gaining access to the target network, the threat actors wasted no time gathering user information and deploying tools for data extraction. They utilized tools like Cobalt Strike and PsExec to escalate privileges and performed reconnaissance tasks such as identifying users and network status. They also sought out other servers for lateral movement and established a new user for persistence. Subsequently, they employed the Wput utility to transfer the victim's files to their FTP server.

Their initial plan was to deploy LockBit ransomware, but the target's robust cybersecurity defenses prevented its execution. Unfortunately for the victim, the attackers had an alternative weapon at their disposal: 3AM ransomware. This malware is characterized by its encryption of files with the ".threeamtime" suffix and references to the time of day in its ransom note.

The ransom note began with an ominous message: "Hello, '3 am' The time of mysticism, isn't it? All your files are mysteriously encrypted, and the systems 'show no signs of life,' the backups disappeared. But we can correct this very quickly and return all your files and operation of the systems to [sic] original state."

In contrast to the creative ransom note, the authors displayed less innovation in the design of the malware itself. 3AM is a 64-bit executable coded in Rust, a language favored by both hackers and defenders. It attempts to terminate various security and backup-related software on the infected machine before proceeding with its primary tasks: scanning the disk, identifying specific file types, encrypting them, delivering the ransom note, and erasing any Volume Shadow (VSS) backup copies of files that could offer a potential lifeline to the victim.

In this particular attack, the hackers only succeeded in deploying 3AM on three machines, with two of them subsequently blocking the malware. However, the third machine was compromised successfully, where LockBit had failed. While the attackers claimed to have stolen sensitive data from this machine, Symantec couldn't independently verify this claim.

When it comes to defending against ransomware attacks, especially multi-faceted ones like this, O'Brien recommends a defense-in-depth strategy. He emphasizes that organizations should focus on addressing all stages of a potential attack rather than solely concentrating on blocking the ransomware payloads. He underscores the importance of early intervention in thwarting cyberattacks, stating that "the earlier you stop an attack, the better."

UK's Nuclear Submarine Base Faces Unprecedented Threats: Russia Implicated in Shocking Incidents



A Russian-linked hacking group is believed to have targeted HMNB Clyde, the naval base that houses the UK's nuclear weapons arsenal, after reportedly obtaining hundreds of pages of information about that and other critical sites.

According to the report, LockBit, a notorious ransomware group, claimed to have stolen thousands of documents in the raid, containing sensitive and highly sensitive national security information along with information about high-security prisons. 

The Sunday Mirror reported that other high-security targets, a GCHQ listening post and the Porton Down chemical weapons lab, were also hit. There were 60 security incidents reported at Clyde Naval Base in 2022, up from 16 in 2021, an increase of 275% in a single year. 

Threat actors aligned with the Russian government have reportedly carried out attacks against the UK's Ministry of Defence (MoD) and made stolen information available on military and intelligence websites online. 

The Mirror reports that several UK locations, including a nuclear submarine base, a chemical weapons lab and a GCHQ listening post, were exposed by hackers who breached the database of Zaun, a company that provides physical security at some of Britain's most secretive sites. 

The BBC asked the Ministry of Defence to explain the increase in breaches and to rule out the possibility that some of them were caused by an increase in Russian hacking and cyber-attacks. The stolen information was then posted on a dark web site. 

It is reported in the Mirror that the leaked data can be used to access top-secret websites within the Ministry of Defence, maybe even by criminals. Zaun was attacked by LockBit, a hacking group that has been responsible for the majority of hacking attacks in the world, last month. 

LockBit has been dubbed the world's most dangerous hacking group. Among the most wanted suspects in the gang is Mikhail Matveev, one of the most influential members of the gang. Since March 2022, there have only been two breaches known to have been recorded, compared with 21 breaches in 2020, 19 incidents in 2019, and 10 incidents in 2018. 

A report was released saying that information about the security of the base was leaked online by hackers associated with Russia. As part of the raid by notorious ransomware group LockBit, the newspaper reported that thousands of pages of data were also stolen, including highly sensitive information regarding high-security prisons as well as information about national security details. 

In some studies, security breaches are referred to as incidents such as lost ID cards, the breach of a zone that protects personal electronic devices, general breaches of data protection regulations, misaccounted documentation, and minor security breaches, among others. 

"An unpatched Windows 7 PC was used to gain access to one of the firm's manufacturing machines and was running software for it when the breach occurred. The vulnerability has been closed and the machine has been removed," the company wrote in a statement. 

According to the statement, LockBit was able to gain access to some recently sent emails, orders, drawings, and project files from the company, even though Zaun "does not believe that any classified data has been compromised" or could have been accessible by LockBit. 

A cyber-security alert was issued by the UK National Cyber Security Centre (NCSC) about the threat from state-aligned groups to critical national infrastructure (CNI) organizations in the UK in April. The alert warned that groups sympathetic to Russia's invasion of Ukraine were responsible for the emerging threat.

As a result, CNI organizations are strongly encouraged to follow NCSC recommendations for heightened threat levels, because these newly emerging groups could launch "destructive and disruptive attacks" whose consequences are less predictable than those of traditional cybercriminals. 

In connection with this attack, the UK National Cyber Security Centre (NCSC) has been contacted, along with the Information Commissioner's Office (ICO), regarding the data leak. Zaun has not revealed details of what was stolen, nor has it disclosed any ransom demands that may have been made. 

Defending the country's national security has proved to be a significant concern for Labour MP Kevan Jones, a member of the Commons Defence Select Committee. Security experts have described the incident as a huge blow to the infrastructure that supports national security. 

The FBI has been monitoring LockBit since 2020; during that time the group has demanded more than £80 million in ransoms in a worldwide campaign. Three Russian nationals, Ruslan Magomedovich Astamirov, Mikhail Vasiliev and Anatoliy Minakov, have reportedly been charged in connection with LockBit ransomware attacks and arrested in the US. 

Zaun informed the police of the cyber attack and said that no classified documents had been compromised. According to the Mirror, the Government has declined to answer several questions about security. The UK government has placed a great deal of emphasis on the significance of the leaked information. 

According to security and intelligence expert Professor Anthony Glees, every detail helps hostile actors break through the UK's defences. He also stressed that sloppy protocols, particularly those applied by suppliers, are a threat to the safety of the nation.

According to Tobias Ellwood, chair of the Senate Defense Committee, there are concerns about how defense establishments will continue to function without the threat of attack, and an increased level of defense against interference backed by Russia needs to be put into place.

LockBit Attack: Ransomware Gang Threatens to Leak Cancer Patients’ Medical Data


LockBit ransomware group recently revealed its intent to leak private medical data of cancer patients, stolen in the breach on Varian Medical Systems.

Varian, a subsidiary of Siemens Healthineers, provides software for oncology department applications and specializes in therapeutic and diagnostic oncology services. The California-based corporation had more than 10,000 employees as of 2021 and an annual profit of £269 million. 

While it is still unclear how LockBit gained access to Varian's systems or how much data was stolen, the gang warned readers of its "victim blog" that if the company did not meet its demands within two weeks, its private databases and patient medical data would be made public. Varian reportedly has until 17 August to meet the negotiation demands in order to recover its stolen data and avoid ‘all databases and patient data’ being exposed on LockBit’s blog. 

The attack is most likely to be a part of ‘triple extortion,’ a strategy usually used by ransomware actors. The strategy involves a three-part attack on an organization that starts with the theft of data that appears to be sensitive before it is encrypted. The corporate victim of the breach can only get their data back and keep it private if they pay a ransom, following which they will receive – in theory – a decryption key from the hackers. 

In regards to the breach, Siemens Healthineers – Varian’s parent company confirmed that an internal investigation is ongoing. However, they did not provide any further details of the breach. 

“Siemens Healthineers is aware that a segment of our business is allegedly affected by the Lockbit ransomware group[…]Cybersecurity is of utmost importance to Siemens Healthineers, and we are making every effort to continually improve our security and data privacy,” said a spokesperson.

Growing Cases of LockBit

Recent months have witnessed a good many cyberattacks conducted by LockBit against some major companies. According to a report by the US Cybersecurity and Infrastructure Security Agency, in the first quarter of 2023, the ransomware gang has already targeted 1,653 companies. They frequently repurposed freeware and open-source tools for use in network reconnaissance, remote access, tunnelling, credential dumping, and file exfiltration. 

Examples of companies hit by LockBit include its recent campaign against the port of Nagoya, which halted supply chains for Japanese automaker Toyota; an attack on SpaceX that the gang claims yielded a haul of 3,000 proprietary schematics; and an attempt to extort $70 million from Taiwanese chip maker TSMC.  

TSMC Cyberattack: LockBit Demands a Ransom of $70m


Taiwan Semiconductor Manufacturing Company (TSMC) has blamed one of its equipment suppliers for a LockBit breach that emerged on the gang’s dark web victim blog, where the ransomware group is demanding a whopping $70 million ransom. Without disclosing the type of data taken, the corporation named the affected third-party supplier as Kinmax Technology, a system integrator with offices in Taiwan.

TSMC stated on the issue, saying "TSMC has recently been aware that one of our IT hardware suppliers experienced a cybersecurity incident, which led to the leak of information pertinent to server initial setup and configuration." The company confirms that no customer data has been exposed in the breach.

“After the incident, TSMC has immediately terminated its data exchange with this concerned supplier in accordance with the company’s security protocols and standard operating procedures,” the statement added.

One of the affiliates of LockBit, National Hazard Agency shared screenshots of directory listings of stolen TSMC files on their leak website on Thursday, giving them a deadline of August 6 to pay the ransom amount. However, the ransomware gang did not reveal details of the amount of data it stole from the company.

The blog also gave the company an option to extend the said deadline by 24 hours for $5,000, or to delete all stolen content or download it immediately for $70 million.

Kinmax Issues an Apology

Kinmax Technology specializes in networking, cloud computing, storage, security and database management. The company says it experienced a breach on 29 June, stating that an “internal specific testing environment was attacked, and some information was leaked.” The leaked information included “system installation preparation that the company provided to our customers,” Kinmax said.

LockBit Emerges Again

LockBit is a Russian ransomware gang that first came to light in 2019. As of the first quarter of 2023 it had a total of 1,653 alleged victims, according to a report released by the US cybersecurity agency CISA.

According to the report, since its first known attack in January 2020, the cybercrime group has gathered nearly $91m in ransoms from US victims.

LockBit has also been a reason for a number of high-profile cyberattacks in the UK. This year, the gang has been responsible for the popular Royal Mail attacks, where it demanded a ransom of $80m in Bitcoin. The company however did not pay the ransom, deeming the demand as “ridiculous.” The ransomware gang then responded by exposing the data online, along with the copies of the negotiations held between LockBit and the Royal Mail representatives.

The ransomware gang was also responsible for stealing data from WH Smith, a high-street retailer in the UK. The attack targeted the personal information of current and former employees. Since then, there has been no information indicating whether the business has paid the ransom.

9 Million Patients' Data Exposed by Ransomware Attack on US Dental Giant



A ransomware attack may have compromised nearly nine million individuals' personal information in the United States. This is due to the harm caused by an apparent attack on a dental health insurer — one of the country's largest.

According to Managed Care of North America (MCNA) Dental, a multinational dental insurance company headquartered in the United States, the company took notice of certain activities in its computer system on March 6, 2023. MCNA immediately stopped those activities and began an investigation.

Despite those steps, the LockBit ransomware gang, which claimed responsibility for the attack, threatened to leak 700GB of data stolen from MCNA's network unless the company paid a $10 million ransom. Reports suggest the group then released the data on its website on April 7 for anyone to download.

There are several dental insurers in the United States, but Managed Care of North America (MCNA) Dental claims to be the nation's largest dental insurer for children and seniors covered by government-sponsored plans. In a notice posted on Friday, the company stated that it became aware on March 6 that "certain activities in our computer system took place without our permission" and that it had decided to take action. The company concluded there had been a security breach after discovering that an intruder had gained access to its computer system between February 26 and March 7, 2023. 

MCNA's breach notice ticks the typical boxes: it states that a criminal was able to view and copy some information stored in its computer system, and it names IDX, a ZeroFox Inc.-owned company. 

Names, addresses, dates of birth, telephone numbers, e-mail addresses, Social Security numbers, driver's licenses, and other government-issued identification numbers were among the information that was stolen. There was also information regarding health insurance details, dental care records, billing, and insurance details that were taken. 

According to MCNA Dental, the hackers also gained access to information about a patient's health insurance plan information, Medicaid ID numbers, billing and insurance claim information, and bills and insurance claims. 

Around the same time, PharMerica, a leading pharmacy service provider operating in more than 2,500 facilities across the US and offering over 3,100 pharmacy and healthcare programs, announced a data breach that exposed nearly six million patients.

In its notification to Maine's attorney general regarding the data breach, PharMerica indicated that suspicious activity was discovered on its computer network on March 14. 

It was reported on March 7 that the LockBit ransomware gang was responsible for the attack, saying they were willing to publish 700 gigabytes of stolen data unless the victim paid a $10 million ransom. LockBit released the data on April 7 because MCNA failed to pay the ransom.

To assist people whose personal information may have been involved in this incident, the insurer is now sending individual letters directly to them. 

Several questions must be addressed about possible liability and responsibilities arising from LockBit holding and publishing the data, as opposed to MCNA publishing its breach notice. The company did not notify its patients of the breach until well over a month after LockBit first released the data, which gave threat actors ample opportunity to target the affected individuals before they were notified.

In the past, security experts have told organizations that are victims of ransomware not to pay the attackers in exchange for the decryption keys, however, due to double-extortion attacks that can lead to both companies and their clients suffering long-term harm due to data leaks, the rules of the game have changed. There are several factors to consider before paying a ransom. It might be to your advantage to give in to a ransom demand. This will save you a lot of trouble and time in the long run. 

Organizations can take several measures to prevent ransomware attacks from gaining a foothold in their networks. These measures include enhancing their overall security defense posture and implementing multifactor authentication (MFA). 

Organizations should also maintain strong anti-phishing controls, since attackers often use credentials stolen through phishing as an entry point into a network to launch ransomware and other malicious software.

Kyocera AVX: Electronic Manufacturer Company the Current Target of LockBit


Kyocera, a global electronics manufacturer, has apparently experienced what seems like a data breach, wherein their data was exposed by ransomware gang LockBit on their dark web blog. The company was one of several who felt the aftershocks of a breach at Japanese tech firm Fujitsu last year.

The group has set a June 9 deadline for the payment of an undetermined ransom. According to the blog, "all available data will be published" if the company does not collaborate with the cybercriminals before then.

Kyocera AVX

Kyocera AVX’s clients include the military, industrial and automotive sectors, for which the company manufactures electronic components. It was established in the 1970s and has been part of Kyocera, a Japanese electronics business best known for its printers, since 1990. It employs over 10,000 people globally.

On May 26th, security researchers revealed that selected data of the company has been leaked and posted to LockBit’s dark web victim blog.

The company’s data was apparently breached following a cyberattack on Fujitsu last year. That attack may be how LockBit was able to mount a supply chain attack on Kyocera AVX and other companies partnered with Fujitsu, via cyber or other social engineering attacks.

According to a Financial Times report, Fujitsu confirmed the attacks in December following a heads-up from a police agency about a potential intrusion. The intrusion gave outsiders access to emails sent through an email system run by Fujitsu.

It was later revealed that at least ten Japan-based companies, along with Kyocera AVX were victims of the attack.

LockBit Continues Cyber Activities Against Russia’s Enemy 

Ransomware gang LockBit, which is assumed to have originated in Russia, has made headlines for its focus on targeting organizations based in the US and allied countries. 

According to a report by security firm Malwarebytes, 126 victims have been posted by the ransomware gang in February alone.

This year, the gang targeted the UK Royal Mail, demanding ransom of $80 million in bitcoin. When the business refused to pay up, labeling the demands "ridiculous," the gang retaliated by sharing the information along with copies of the conversations between LockBit and Royal Mail's officials.

Later, it stole client information from WH Smith, a high-street retailer in the UK. The attack targeted current and former employees' personal information. Since then, there has been no information indicating whether the business has paid the ransom.

In the most recent development, this month the FBI placed a $10 million bounty on Mikhail Pavlovich Matveev, an individual who claims to have been involved with LockBit. With connections to both the Hive and Babuk groups, Matveev is believed to be a major participant in the Russian ransomware ecosystem.  

Data And Employees Of BSI Shared On The Dark Web By LockBit Ransomware Gang



A data breach at one of Indonesia's leading Islamic banks, Bank Syariah Indonesia (BSI), caused significant disruption to its normal operations and payment systems, hampering its business. Customers’ personal and financial details were compromised in the breach. 

The infamous LockBit ransomware group claims to have released 1.5 TB of data belonging to BSI customers and employees on dark web sites, leaking the identity data of millions of BSI customers. The gang did so because it did not receive the demanded ransom in time. 

Over the past few years, companies and government agencies have had several data breaches in Indonesia. A cybersecurity expert described it as one of the biggest breaches at a financial institution in the country. 

During the Bank Syariah Indonesia cyberattack, the ransomware group requested the termination of all services. The management of the company lied to their customers and partners that the stoppage was a result of the technical work they were carrying out. 

Earlier today, the Twitter account @darktracer_int reported that LockBit 3.0 was distributing 1.5 TB of BSI bank data on dark web sites at a fantastic price. 

CNN Indonesia reports that the attackers stole "non-critical data" belonging to Bank Indonesia employees during the incident, then used ransomware payloads to infect several dozen systems within the bank's network before attempting to extort the bank. 

According to the bank, there have been no reported impacts on BI's public services due to the incident, as first reported by Reuters. 

"BI is aware of a ransomware hack last month. We know we have been hit by a cyberattack. This is a crime, it is real, and we are exposed to it," Erwin Haryono, head of BI's communications department, told local media outlets. 

The ransom deadline following the Bank Syariah Indonesia cyberattack was 15 May. According to the group, the ransomware attack on Bank BSI gave it access to the following data: 

  • Over 15 million individual records in nine databases of personal information, covering both customers and employees. 
  • Names, phone numbers, addresses, account data, card details and transaction details. 
  • Legal documents. 
  • Passwords for all of the bank's internal and external services. 

In a statement released on Wednesday, the central bank of Indonesia said it is confident that the country's payment system is safe and reliable for any transaction. 

Additionally, the authorities stated that they would continue to ensure that payment service providers meet all regulatory requirements in the future. BSI's payment system (under Bank Indonesia's supervision) has also returned to normal. 

BSI President and Chief Executive Officer Hery Gunardi announced on May 11 that ATMs and bank branches were available to the public again. According to him, an important part of the restoration process was strengthening capacity and restoring key channels of communication. A BSI official explained that the disruption on May 8 was the result of maintenance on the company's information technology system, carried out to mitigate risks. 

Screenshots of the ransomware group's communication with bank representatives between May 8 and May 13 have also been published. They show the bank offering $10 million to recover the stolen data; after LockBit demanded $20 million, the bank's negotiators disappeared without a trace. 

Earlier this month it was reported that the LockBit ransomware group sent a tweet announcing the end of the negotiation period, and all of the stolen data from Bank Syariah Indonesia is now publicly available on the black market. 

A month after being taken down, Bank BSI has still not been able to restore its systems fully, even after LockBit published a rant. A class action lawsuit is being filed by users who found their data in the leak and took the case to court. 

Although Bank Indonesia has not said which ransomware gang was responsible for the attack, Conti today posted a series of files it claims were stolen from Bank Indonesia's network, effectively exposing its role in the attack. 

The ransomware group claims that if Bank Indonesia does not pay the ransom to them, 13.88 GB of information will be exposed to the public. 

When BleepingComputer contacted a representative of Bank Indonesia earlier today, they had no comment to offer. It is worth remembering that this Ransomware-as-a-Service (RaaS) operation is linked to the Russian cybercriminal group Wizard Spider, which is also behind other notorious malware such as Ryuk, TrickBot and BazarLoader. 

Once corporate workstations are infected with BazarLoader or TrickBot, the ransomware group's affiliates take remote control of the compromised computers through their command-and-control infrastructure. Having gained access to the victim's internal network, the Conti operators then move to other devices across the network, spreading the malware.

Conti's victims also include Ireland's Department of Health (DoH) and Health Service Executive (HSE), as well as marketing firm RR Donnelley (RRD), which sells services to the government. 

The FBI has also recently updated its advisory, warning that an increased number of Conti ransomware attacks have been reported as a result of heightened Conti activity.

New MOTW Bypass Method Introduced by LockBit



LockBit operators continue to exfiltrate data from high-profile organizations and add those organizations' names to the gang's leak site. The tactics and techniques the gang employs are widely regarded as one of the significant factors behind its continued success, and researchers have now come across one such technique in the area of evasion tradecraft. 

Delivering the payload inside a .img container bypasses the Mark of the Web (MOTW) protection mechanism, because files inside a mounted disk image do not carry the MOTW flag that a downloaded file would. Scripts then extract a password-protected executable from a compressed archive that can only be unpacked with the correct password, which defeats traditional signature-based detection. 
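The point above is easy to confirm on a Windows host. The following PowerShell audit is an added example, not code from the original post or from any of the researchers cited: it reads the `Zone.Identifier` alternate data stream (where Windows stores MOTW) for every file under a path, lists disk-image containers that arrived from the Internet, and shows that the contents of a mounted image carry no MOTW at all. The download folder, the list of container extensions and the mounted drive letter `E:\` are assumptions to adjust for your environment.

```powershell
# Added example (not from the original post): audit a download folder for disk-image
# containers and show that files inside a mounted image carry no Mark of the Web.
# $DownloadPath, $containerExt and $MountedImageRoot are assumed values.

function Get-MotwStatus {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        # Zone.Identifier is the NTFS alternate data stream that stores MOTW.
        # A browser writes it for downloads; files inside a mounted .img/.iso lack it.
        $zone = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $zoneId = ($zone | Where-Object { $_ -like 'ZoneId=*' }) -replace '^ZoneId=', ''
        [PSCustomObject]@{
            File    = $_.FullName
            HasMOTW = [bool]$zone
            ZoneId  = $zoneId          # 3 = Internet, 4 = Restricted Sites
            Ext     = $_.Extension.ToLowerInvariant()
        }
    }
}

# 1. Disk-image containers that came from the Internet zone. These are the
#    carriers the bypass relies on, so they are worth listing with their zone.
$DownloadPath = "$env:USERPROFILE\Downloads"
$containerExt = '.img', '.iso', '.vhd', '.vhdx'
Get-MotwStatus -Path $DownloadPath |
    Where-Object { $containerExt -contains $_.Ext -and $_.ZoneId -eq '3' } |
    Format-Table File, ZoneId -AutoSize

# 2. Contents of a mounted image (assumed drive letter). Every file reports
#    HasMOTW = False, which is why SmartScreen and Office protections do not fire
#    for scripts and executables launched from inside the image.
$MountedImageRoot = 'E:\'
if (Test-Path -LiteralPath $MountedImageRoot) {
    Get-MotwStatus -Path $MountedImageRoot |
        Where-Object { -not $_.HasMOTW } |
        Format-Table File, HasMOTW -AutoSize
}
```

Run it in a Windows PowerShell session on an NTFS volume; the first table is the inventory of inbound disk images to investigate, and the second demonstrates the gap the technique exploits. The practical mitigations are to block disk-image attachments at the mail gateway and to restrict ordinary users' ability to mount .img and .iso files, so that the container never becomes a browsable drive.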

Revolutionary Techniques: What are They? 

In a campaign conducted between December and January of this year, Fortinet researchers observed LockBit operators using the following evasion techniques to conceal their activity.

  • The .img file mounted as part of the campaign contains several malicious files, only one of which is visible to the user; the rest are hidden. Delivering the attack in a .img container lets the attackers evade the MOTW protection mechanism.  
  • Once the user opens the single visible file, a set of BAT scripts is downloaded. These scripts check whether the targeted system is running at the required privilege level. 
  • The embeddable package of the official Python distribution is also used in some cases to execute Python scripts. Some of these scripts change the system's password and settings without the user's knowledge. 
  • The final stage is another BAT script that unpacks the LockBit ransomware payload from a password-protected archive and executes it. 
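As an added defender-side illustration (not from the Fortinet research or the original post), the following Python sketch flags the delivery chain described above in process-creation telemetry: a mounted .img container, a BAT script run from it, follow-on BAT scripts in the same process tree, and a python.exe executed from outside the usual install locations (as an embeddable distribution would be). The event shape, drive letter, file names and paths are all constructed for the example; real EDR or Sysmon fields will differ.

```python
"""Detection sketch for a mounted-container -> BAT -> embedded-Python chain.

All telemetry below is constructed for the example. Two event kinds are
assumed (hypothetical schema, not a real product's):
  {"type": "mount",   "image": <container path>, "drive": "E:"}
  {"type": "process", "pid", "ppid", "image", "cmdline"}
Events are assumed to arrive in chronological order.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Disk-image containers whose inner files do not carry the MOTW tag.
# The post discusses .img; the others are assumed analogues.
CONTAINER_EXT = (".img", ".iso", ".vhd", ".vhdx")
# Locations where a normally installed python.exe is expected (lower-case substrings).
KNOWN_PYTHON_DIRS = (r"c:\program files", r"c:\windows", r"\appdata\local\programs\python")
BAT_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.bat)\b', re.I)

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "mount", "image": r"C:\Users\alice\Downloads\invoice_0123.img", "drive": "E:"},
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "E:\invoice.bat"'},                       # visible lure on the mounted image
    {"type": "process", "pid": 201, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\stage2.bat"'},  # downloaded BAT
    {"type": "process", "pid": 202, "ppid": 201, "image": r"C:\Users\alice\AppData\Local\Temp\py\python.exe",
     "cmdline": r"python.exe C:\Users\alice\AppData\Local\Temp\py\run.py"},   # embedded Python
    # benign activity for contrast: a normally installed Python and an admin's build script
    {"type": "process", "pid": 300, "ppid": 100, "image": r"C:\Program Files\Python311\python.exe",
     "cmdline": "python.exe -m pip list"},
    {"type": "process", "pid": 301, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Tools\build.bat"'},
]


@dataclass
class Finding:
    pid: Optional[int]   # None for the mount event itself
    rule: str
    severity: str        # info / medium / high
    detail: str


def _on_mounted(path: str, mounted: Dict[str, str]) -> bool:
    """True if the path lives on a drive letter backed by a mounted container."""
    return path[:2].upper() in mounted


def analyze(events: List[dict]) -> List[Finding]:
    """Walk the events once, tracking mounted containers and the 'tainted'
    process tree that descends from anything run off a container."""
    findings: List[Finding] = []
    mounted: Dict[str, str] = {}   # drive letter -> container path
    tainted: set = set()           # pids in the suspect chain
    for ev in events:
        if ev["type"] == "mount":
            if ev["image"].lower().endswith(CONTAINER_EXT):
                mounted[ev["drive"].upper()] = ev["image"]
                findings.append(Finding(None, "container_mounted", "info",
                                        f'{ev["image"]} mounted as {ev["drive"]}'))
            continue
        pid, ppid, image, cmd = ev["pid"], ev["ppid"], ev["image"], ev["cmdline"]
        image_l = image.lower()
        # Rule 1: a binary executed straight from a mounted container.
        if mounted and _on_mounted(image, mounted):
            tainted.add(pid)
            findings.append(Finding(pid, "exec_from_container", "high", image))
        # Rule 2: cmd.exe running a .bat that sits on the container, or a .bat
        # launched further down an already-suspect process tree.
        bat = BAT_RE.search(cmd) if image_l.endswith("\\cmd.exe") else None
        if bat and mounted and _on_mounted(bat.group(1), mounted):
            tainted.add(pid)
            findings.append(Finding(pid, "bat_from_container", "high", bat.group(1)))
        elif bat and ppid in tainted:
            tainted.add(pid)
            findings.append(Finding(pid, "bat_in_suspect_chain", "medium", bat.group(1)))
        # Rule 3: python.exe outside the usual install locations (embeddable package).
        if image_l.endswith("\\python.exe") and not any(d in image_l for d in KNOWN_PYTHON_DIRS):
            sev = "high" if ppid in tainted else "medium"
            tainted.add(pid)
            findings.append(Finding(pid, "python_unusual_path", sev, image))
        elif ppid in tainted:
            tainted.add(pid)   # propagate taint silently through ordinary children
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] pid={f.pid} {f.rule}: {f.detail}")
```

Run as-is, the sketch reports the mount, the lure batch file on `E:`, the follow-on batch file in the same tree, and the out-of-place `python.exe`, while the installed Python and the administrator's build script produce nothing. The taint propagation is what turns three individually weak signals into one high-confidence chain, which is the behaviour-analytics angle the post says conventional endpoint tools often lack.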
The Exploitation Strategy of LockBit 

  • LockBit 3.0, released by the LockBit operators in June 2022, caught researchers' attention with its enhanced anti-analysis features and evasion improvements. In this regard it resembles BlackMatter ransomware: it packages code into byte strings, creates function trampolines, and resolves function addresses dynamically, all techniques that hinder analysis of the malware. 
  • The operators suffered a minor setback toward the end of September 2022 when disgruntled developers allegedly leaked the LockBit 3.0 source code to the media. This had no lasting effect on the attackers: in February, an upgraded variant, LockBit Green, appeared on the threat landscape. 
  • Reverse-engineering analysis shows that this updated version draws on code from Conti ransomware. 
  • The recently released LockBit Green variant is believed to have claimed at least five victims so far. 
Several successful ransomware attacks using LockBit were reported in the second and third quarters of 2022, and LockBit remains one of the most active ransomware families in RaaS and extortion attacks. Based on data gathered from leak sites, LockBit claimed 436 victim organizations between April and September. 

Exfiltrator-22 (EX-22) is a new post-exploitation framework believed to have been developed by a group of former LockBit affiliates and members. It was built using leaked source code from other well-known post-exploitation frameworks. 

EX-22 is designed to spread ransomware across corporate networks under a framework-as-a-service model for post-exploitation, without being detected by the victim. 

LockBit ransomware has targeted a wide range of industries, including critical infrastructure, in recent years. Experts expect the threat actors to keep using obscure methods to avoid detection as new variants with additional capabilities are released.

The Ukraine Invasion Blew up Russian Cybercrime Alliances

Over the years, Russia has built up one of the world’s most formidable cybercriminal ecosystems. Russian hacker groups are linked to disruptive cyberattacks, including attacks on one of the United States’ most critical oil pipelines and on the world’s largest meat producers.  

A recently released study, published a year after the illegal invasion, suggests that the conflict between Russia and Ukraine disrupted the criminal ecosystem in Russia and its former Soviet satellite states. Alexander Leslie, associate threat intelligence analyst at Recorded Future's Insikt Group, believes this is one of the most significant developments in the history of cybercrime, with broad implications for nearly every aspect of the cybercriminal world.

In a recent interview with The Register, Leslie said that these fractures can be felt in all facets of the Russian-speaking underground: digital fraud, dark web forums and marketplaces, ransomware gangs, and hacktivists, all of whom derive their revenue from Russian-speaking underground activities. 

"Russia's military intervention in Ukraine has ushered in the era of volatility and unpredictability in the world of international cybercrime, which carries a multitude of implications for the defense community," Leslie said in a statement. 

As per the report, Russian cybercrime refers to a wide range of crimes perpetrated by Russian-speaking miscreants in various parts of the world, including Russia, Ukraine, Belarus, the Baltics, the South Caucasus, and Central Asia. According to Leslie, before the war all of these criminal elements shared a common rule: they refused to target entities located in the Commonwealth of Independent States, so as not to draw attention from law enforcement. The day after Russia began its attack on February 24, 2022, the Conti ransomware gang declared its "full support" for the Russian government and pledged to use all the resources at its disposal to strike back at critical infrastructure. The gang later claimed that it condemned the war, but by then the damage had already been done. 

Hundreds of internal documents from Conti's internal domains were leaked by a Ukrainian security researcher on February 27, 2022. The so-called Conti leaks were followed by the Trickbot leaks, which used information revealed in the Conti data dump to expose Trickbot's senior leadership. According to reports, Conti shut down its operations in the weeks that followed. 

Moreover, Conti's rivals, such as ALPHV (BlackCat) and LockBit, did not declare loyalty to the Kremlin to any significant extent, although some other gangs did. 

The number of ransomware attacks has also decreased in the context of the war, which may be attributable in part to fewer Russian cyberattacks. A year into the war, fears of large-scale disruption of Ukrainian and Western infrastructure have not been realized. Russia has not given up, however: Google reported that Russian targeting of Ukrainian users rose by 250 percent in 2022 compared to 2020, and targeting of users in NATO countries rose by 300 percent.  

As experts point out, this is not necessarily an indictment of Russia's cyber capabilities. Rather, it indicates the effectiveness of Ukrainian cyber defense, backed by Western allies and by companies such as Google, Microsoft, and Amazon on the ground. The strategy has been largely successful.  

The Georgia Institute of Technology's Nadiya Kostyuk, who specializes in modern warfare and cyber conflict, has said that this support was "crucial" to Ukraine's cyberspace remaining relatively unscathed despite the geopolitical turmoil. 

It is apparent that Ukraine's cyber capabilities have not kept pace with Russia's, even though it has been developing them since 2014. According to her, Microsoft and other companies played a huge part in building more resilient networks and systems and in defending Ukraine's cyberspace. 

Forum Rules for the Russian Dark Web

The war exposed fault lines not only among ransomware gangs but also among other criminals associated with them. The invasion of Ukraine also appears to have broken an unwritten rule of Russian-language dark web forums: criminals do not target organizations in former Soviet states. 

Despite the increased geographical decentralization of cybercriminal groups, Leslie predicts that the industry will become more centralized in the future.

During the kinetic war and in its immediate aftermath, pro-Russian hacktivist groups also proliferated. The initial wave of hacktivism included pre-existing groups such as the Stormous ransomware gang as well as new crews created to support the Russian war effort; a 'second wave' began around March 22, 2022, when Killnet launched its campaign against the Latvian government. 

The Rise of Killnet

Recorded Future says that Killnet dominated this second wave. 

In the course of these attacks, the gang and its subgroups have expanded their targets beyond Europe to the Americas, Asia, and other parts of the world. 

Recorded Future says that most of the pro-Russian hacktivist groups that have been active since the start of the war are no longer active, despite estimates by security researchers such as @Cyberknow20 that 70 or more such groups were active at the beginning of the war. 

As the authors point out, they identified about 100 such groups between February 24, 2022, and February 10, 2023, but only a few remain active today. 

Even the few that remain are not very effective. A new FBI report describes Killnet's distributed denial-of-service attacks as having had "limited success," and the researchers note that their impact on the overall war effort has been "minimal" at best. 

Is 2023 Going to be a Year of Change?

Security researchers expect the second year of the war to bring more of the same: insiders leaking information from criminal gangs, hacktivist attacks making headlines, and database dumps sold on dark-web forums, possibly with a rise in leaked Russian and Belarusian databases and in credential leaks targeting .ru and .by domains. Given the malware-as-a-service threat landscape and the ongoing churn of criminal forums on the dark web, "volatility and instability" are predicted to persist across the Russian-speaking dark web market through 2023. 

In the short term, Leslie predicts that Ukraine's cyber efforts are likely to be stepped up in 2023. The public-private partnership has fostered increased collaboration between intelligence agencies and the provision of active defensive support, and we anticipate that this will only increase in the years to come, Leslie added. 

The majority of offensive operations are likely to be undertaken by the IT Army of Ukraine, which is expected to keep supporting the crowdsourced hacktivism model that will continue to dominate offensive operations. 

He says he expects more hack-and-leak attacks from the Ukrainian IT Army in the future, but the dominant methods of attack will likely remain DDoS attacks and website defacement.