Internet threat news

Researchers at Proofpoint have published a report detailing a newly discovered piece of malware that attempts to steal account information about popular service providers, including Google, Facebook, Amazon, and Apple. Not only does the malware can steal account passwords and cookies but can also drop other malware onto the infected device. Called CopperStealer, the malware is being used by threat actors to push other strains of malware through malvertising campaigns.

The malware was discovered on 29 January 2021, when a Twitter user, TheAnalyst shared a malware sample with Proofpoint that triggered their malware detection systems. Following an investigation, the malware was discovered to have password and cookie stealing capabilities along with a downloader that could be used to drop other malware strains onto infected devices. The investigation also uncovered malware samples dating back to July 2019, possibly indicating that the malware has been in development for some time. According to researchers, one sample analyzed showed that the malware targeted Facebook and Instagram advertisers. However, previous samples showed versions capable of targeting users of other major service providers including Apple, Amazon, Bing, Google, PayPal, Tumblr, and Twitter.

The US Federal Bureau of Investigation’s Cyber Division published an alert on March 16, 2021, warning readers that those behind the Pysa ransomware were actively targeting institution in the education sector. Institutions targeted include higher education, K-12 schools, and seminaries in 12 US states and the United Kingdom. The warning further stated, “Since March 2020, the FBI has become aware of PYSA ransomware attacks against US and foreign government entities, educational institutions, private companies, and the healthcare sector by unidentified cyber actors,”

Activity dating back to March 2020, is in line with known campaigns involving the ransomware strain. In the same month, this publication covered similar warnings issued by France’s Computer Emergency Response Team (CERT). In this instance, the warnings centered around French government departments been targeted by threat actors. Pysa named so because of the extension .PYSA added to the end of encrypted files, is seen by security researchers as a variant of Mespinoza ransomware and was first spotted in late 2019. The discovery came as several companies began reporting that they had suffered a ransomware incident from a yet unknown strain.

When news broke that the state-sponsored threat group Hafnium was actively exploiting four Microsoft Exchange zero-days the InfoSec community waited with bated breath to see when other groups would begin to target the same flaws. This would only take a few days till news that the fear of other threat actors exploiting the flaws arrived. This was then followed by the fear that ransomware may be dropped onto vulnerable machines accessed by attackers using the flaws. That day has seemingly arrived.

In summary, Microsoft disclosed that they and other security firms had discovered Hafnium exploiting four previously unknown vulnerabilities within Microsoft’s Exchange package. Patches have been released, and Microsoft even released patches for versions of Exchange that had reached end-of-life status. Hafnium is described as a Chines state-sponsored group that targets the US, and global, organizations via creating a web shell once access is granted.

Security researchers at Proofpoint have discovered a new initial access granting piece of malware written in a programming language rarely used for compiling malicious code. The language used in Nim and is possibly best described as a language being as “fast as C, as expressive as Python, and as extensible as Lisp.” Use of the language is incredibly rare, with only a few malware variants discovered and only really being posted to Twitter. NimzaLoader may be the first Nim written piece of malware to be analyzed thoroughly with such details being released to the public, at least to the best of the writer’s knowledge. However, when detections of the malware were initially been discovered by researchers it looked as if it was just another campaign of a well-known trojan, BazarLoader. This provided researchers with yet another conundrum to solve in an area of expertise known for dealing with conundrums.

Last week this publication covered how the threat group named Hafnium had been seen actively exploiting four separate zero-day flaws found within Microsoft’s Exchange Server packages. A week on and more hackers and threat groups have been seen targeting these flaws to gain access to Exchange Servers where they can steal emails and other vital information. Alternatively, the access granted via the compromise can be used to drop other malicious payloads. Out-of-band patches were rolled out by Microsoft, and it is strongly recommended that patches be installed if not done so already.

Following Microsoft’s several announcements regarding the discovery and the group believed to be behind the attacks, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), issued an emergency directive instructing government departments and agencies to apply the patches as a matter of priority. The directive went so far as to instruct relevant organizations to either patch their Exchange Servers or to cut the often-vital communication tool. This is in response to CISA seeing active exploitation of the four vulnerabilities in question.

The Ryuk ransomware has long been both a thorn in the side of victims and an unmitigated success for its developers. In a sample of the malware discovered by the French National Agency for the Security of Information Systems (ANSSI), the offending ransomware has gone through yet another evolution to include worm-like capabilities that allow the malware to infect other devices across a network automatically.

In a white paper published by ANSSI details of the new variant have been illuminated upon. First observed in 2018, the code that forms the basis of the ransomware is believed to have been derived from the Hermes 2.1 ransomware. Since then Ryuk has struck several hospitals and healthcare providers, partnered with other cybercriminal organizations, and weathered numerous storms that threatened to sink operations.

Late on Tuesday, March 2, 2021, Microsoft warned of a Chinese state-sponsored group actively exploiting four zero-day vulnerabilities in targeted campaigns. Along with the warning Microsoft has also released out-of-band patches to help prevent further exploitation by the state-sponsored hacking group believed to be behind the campaign. The vulnerabilities were used to access on-premises Exchange servers which enabled access to email accounts and allowed the installation of additional malware to guarantee the long-term presence of the attackers on the target's network.

The Microsoft Threat Intelligence Center (MSTIC) has attributed the attack to HAFNIUM which is described by researchers as a new state-sponsored group that operates in China and believed to have links to the Chinese government. In a subsequent blog post, written by Tom Burt, Microsoft’s Corporate Vice President for Customer Security & Trust, Burt noted that this is the first time the Redmond tech giant is discussing the group and believes the group to be both highly skilled and sophisticated. Summarizing the group's tactics and methods Burt noted,

The threat posed to critical infrastructure via cyber-attacks has long been a major concern for security researchers. Recent developments have seen ransomware gangs actively targeting critical infrastructure. The HelloKitty ransomware variant might be best known for its attack upon CD Projekt Red, but the ransomware’s operators have proved equally capable of going after power plants. The bad news for organizations within the critical infrastructure sector does not end with HelloKitty.

In a report published by Dragos, researchers uncovered the activities of four new and distinct hacking groups targeting critical infrastructure. The discovery of these four groups seemingly accounted for a 36% increase in known groups tracked by the security firm that specializes in targeting industrial control systems (ICS). Dragos previously released details of 11 other groups known for targeting the US power grid. Further, the security firm noted that issues making targeting critical infrastructure such fertile ground include, not having enough visibility with the Operation Technology (OT) network and the unsafe sharing of OT credentials across the network. What follows is a brief look at each of the four new groups identified by Dragos.

Details of a new malware designed to target Macs, called Silver Sparrow, has already infected close on 30,000 separate machines. The malware was discovered by researchers from Red Canary who subsequently analyzed the malware along with Malwarebytes and VMWare Carbon Black. In a subsequent report published by Red Canary, it was found that the malware can target Apple’s heralded M1 chips. This would make Silver Sparrow the second such capable malware to have been discovered recently. A lot of mystery still surrounds the malware as while capable of infecting a wide array of Mac devices it lacks one crucial element, a payload.

Malwarebytes was able to provide an accurate breakdown of the malware's impact. By February 17, 2021, Silver Sparrow had infected 29,139 macOS endpoints across 153 countries. High volumes of detections had been found in the United States, the United Kingdom, Canada, France, and Germany. Despite the high number of infections how the malware is distributed is not known. Similarly, how the malware infects machines is also not known. Typically, malware that targets Macs are often distributed via malicious ads, fake app downloads, pirated software, or the infamous fake Flash update. However, as for Silver Sparrow, these details are currently unknown.

Over the past week or so investigations into the recent SolarWinds attack which made international headlines in December 2020 have or are close to concluding. The revelations of the investigations show a truly massive scale of operations employed by the attackers, with many, including the US government, believing Russian state-sponsored hacking groups were involved. Major tech industry players were impacted like Microsoft and FireEye, along with government agencies with varying responsibilities. Microsoft should be applauded for their candor throughout the incident as well as their investigations that have helped keep the public informed.

In a recent interview with CBS News’ 60 Minutes Microsoft president Brad Smith answered many questions as to the scale of the attack and Microsoft’s unprecedented response to the incident. As to the scale, Smith and many others believe that the attack may have been the largest and most sophisticated the world has seen. Other reports estimate that 18,000 organizations may have been impacted by the attack.

In terms of law enforcement striking back at cybercriminals, the last few weeks have brought more than a few good stories. From two ransomware gangs ceasing operations in part due to collaborative law enforcement operations spanning several countries and there want to make up for some of the harm, they have caused. The law enforcement operations resulted in Emotet’s infrastructure being seized and the arrest of a Netwalker ransomware affiliate being arrested. Now, in a combined effort between French and Ukrainian law enforcement agencies, several affiliates of the Egregor have been arrested.

The news was initially broken by France Inter, with journalist Emmanuel Leclère noting that law enforcement made the arrests after French authorities could trace ransom payments to individuals located in Ukraine. The individuals arrested are believed to be hackers working in partnership with the creators of the ransomware to hack into corporate networks and deploy the ransomware. The InfoSec community refers to these individuals as affiliates.

The Polish game developer, best known for the Witcher 3 and Cyberpunk 2077, has recently taken to Facebook and Twitter to confirm that they had suffered a ransomware attack. The game developer has recently been in the news a lot following the shambolic release of Cyberpunk 2077, and for none of the reasons the company would like to be in the news. Suffering a ransomware incident now would be the last thing company employees and executives would want to deal with. This is also not the first time the company has suffered such an incident.

The latest incident was confirmed on February 8, 2021, via a statement. Included in the statement was a copy of the ransom note dropped by the attacker. In turn, hackers responsible for the attack claim, based on claims made in the ransom note, that source code for games like Cyberpunk 2077, Gwent, and The Witcher 3, along with an unreleased version of The Witcher 3 game, had been successfully stolen. Such tactics are in line with double extortion tactics which now dominate the ransomware threat landscape.

Recently, not one but two ransomware gangs have called it a day. For those who are victims of both the Ziggy and Fonix, ransomware strains will be pleased to know that both gangs have released decryption keys to help assist victims to recover their encrypted data. While the act may be viewed as a generous gesture to right wrongs committed in the past, not all may be as altruistic as it seems at first glance.

According to Bleeping Computer, security researcher M. Shahpasandi told the publication that the Ziggy Ransomware operators announced on Telegram that they were shutting down their operation and would be releasing all of the decryption keys. This was later confirmed by the publication when they reached out to the operators. Further, those behind the ransomware’s creation did so as they reside in a third-world country and needed to “generate money”. The reasons to stop operations boiled down to them feeling guilty about their actions and recent developments regarding law enforcement targeting cybercriminals. More on that to follow.

In the past, the research conducted by Chainalysis has provided levels of insight into ransomware operations that were sorely lacking in the past. By following the “money”, largely in the form of the trail left by ransomware gangs who utilize cryptocurrencies as their main vehicle for conducting their shady extortion business, Chainalysis provides a view of the criminal underworld few would typically see. The last time this publication covered research conducted by the blockchain analysis firm, their research revealed that two hacker groups were responsible for 60% of crypto hacks behind cryptocurrency theft from exchanges.

The latest report by Chainalysis, “The Chainalysis 2021 Crypto Crime Report” will be released later in February. In the meantime the firm has published a supplementary article detailing the connections between four of last years most prominent ransom gangs, Maze, Egregor, SunCrypt, and Doppelpaymer. Previously it was theorized that that Ransomware as a Service (RaaS) affiliates will often switch between ransomware strains to generate more profit. This would imply that the number of active ransomware threat actors is smaller than the ransomware activity currently seen and that there is a level of interconnectedness that has only been speculated upon.