Internet threat news

The previous article published on this platform dealt with how the US elections are at threat of being disrupted via the use of ransomware. A core element of Recorded Future’s research into the matter centered on the increased use of Remote Desktop Protocol (RDP) and Citrix tools used by staff forced to work from home during the COVID-19 pandemic. This has resulted in an increased attack vector for ransomware gangs to exploit. Recent research published by Coveware paints another picture. Rather than the potential threat, Coveware’s research is based firmly in reality and deals with the current ransomware marketplace. The research was conducted over the second quarter of 2020 and revealed several worrying states for enterprises no matter their size, primary of which is that demands have increased 60% over the previous quarter.

Coveware releases these reports quarterly and they provide helpful insight into the realities dealt with those tasked to defend networks. One of the interesting insights provided concerns the market share across various ransomware operators. In the first quarter, this metric was dominated by the big game ransomware operators like Sodinokibi and Ryuk. In Q1 nearly 60% of confirmed attacks were carried out by the three biggest names in ransomware at the time. In Q2 this number dropped to 30% due to smaller and often less skilled operators increasing activity. The second quarter showed a greater market share was carved out by smaller, more opportunistic, ransomware operators.

The US Presidential Election draws the attention of the entire globe for a variety of reasons. Politics, economics, and the climate are affected by the nation’s choice of who will next sit in the White House. As November 2020 draws closer coverage of the election will dominate the news and debates around the dinner table. Currently, most of the coverage is political there is another aspect of the election that is gaining increased attention. That being how secure these elections will be to cyber threats, and in particular ransomware. Various ransomware gangs are notching up major corporations as victims and in the past, a number of state institutions and government departments have suffered ransomware infections, who is to say that the next elections will be free from such an incident.

A recent report by Recorded Future takes a deep dive into the threat posed by ransomware in the upcoming US election. It is not only security firms that have noted the existence of a threat. US state officials noted the existence of the threat posed by ransomware as well as the private sector. The threat posed is also not without real-world incidents. In 2016, the Palm Beach County Supervisor of Elections Office was hit with a ransomware attack which in turn was not reported to the relevant authorities at the time and only came to light recently. While the threat to election centers exists, the question remains can ransomware, even a highly co-ordinated campaign, disrupt the 2020 elections?

With Garmin, Canon, and Xerox all becoming victims to human-operated ransomware gangs, the InfoSec community did not have to wait long to see which major corporation was next. Customers of Konica Minolta, the massive business technology firm, took to Reddit to try and find out why services could not be accessed for several days. Later Bleeping Computer learned that the company that employs approximately 44,000 people and earned 9 billion USD in 2019, had become the latest high profile, ransomware victim.

At the time of writing, the business technology giant was yet to make a statement regarding the incident. That being said a number of cybersecurity researchers seem to confirm what Bleeping Computer believes. Initially, customers began reporting as far back as July 30, 2020, that the product services and support site were down. The site remained down for almost a week with little information being provided as to why the site was down. Many customers were presented with the following message when attempting to access the support services,

In a joint report issued by the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) information regarding a new previously unreported malware called Drovorub has been released to the public. The malware has been attributed by the two agencies to APT28, a group with a variety of codenames but tracked as Fancy Bear, by this publication. The report contains a wealth of technical information for anyone needing to harden their Linux system to prevent falling victim to a Drovorub infection.

The malware itself has been described as a “Swiss Army knife” as it is a multi-component malware. The malware consists of an implant, a kernel module rootkit, a file transfer tool, a port-forwarding module, and a command-and-control (C2) server. This enables the malware to perform a variety of functions including, stealing data and controlling the infected system remotely. The malware achieves a high level of stealth and is very difficult to detect, which is granted to the malware via the use of an advanced rootkit. A rootkit is typically defined as pieces of malicious code that achieve root access to the infected system by gaining privileged access to the system. From there they can be used to perform a variety of tasks including keylogging, file theft, disable antivirus products, and a host of other operations favored by state-sponsored groups. In the case of Drovorub the rootkit allows the malware to loaded upon boot up which further adds persistence in the infected network as, unlike many other malware families, the malware will survive a system restart. Further, the use of such an advanced rootkit allows Fancy Bear to infect a wide variety of targets as well as conducting attacks at any time.

The US Federal Bureau of Investigation warned US companies via a Private Industry Notification that Iranian state-sponsored hackers are actively targeting the US private and government sectors, according to an article recently published by ZDNet. The latest alert warning of Iranian state-sponsored activity follows an alert published in February which again warned private industry partners of campaigns distributing the Kwampirs malware. The latest alert does not mention names but given the examples of previous attacks listed in the alert, researchers have determined that those responsible for the latest attack campaign form part of the advanced persistent threat (APT) group Fox Kitten.

Fox Kitten or Parisite is seen by the InfoSec community as the “spear tip” of Iranian cyber operations, often creating a beachhead for other groups to exploit. The group primarily operates by attacking high-end and expensive network equipment using exploits for recently disclosed vulnerabilities, before companies had enough time to patch devices. The devices targeted by the group tend to be used by large corporations and government departments, with previous campaigns actively targeting companies in the IT, Telecommunication, Oil, and Gas, Aviation, Government, and Security sectors of multiple states around the world. Typically once the targeted network is compromised the group will install a web shell or backdoor onto the vulnerable device. This grants the group future access to the compromised network which can be used by them or other Iranian groups.

It seems that the world cannot go a week without yet another large company falling victim to one of the human-operated ransomware gangs. Last week Evil Corp, the gang behind WastedLocker successfully attacked Garmin resulting in the company having to shut down many of its services, including its call centers and customer chat lines. Further, fitness trackers and aviation products were severely affected by the attack. Now, the gang behind the Maze has claimed an impressive scalp in Canon, the world-famous camera and all things image-related company.

The news surfaced via a Bleeping Computer article when the writer, Lawrence Abrams, discovered that several of Canon’s services were offline. The outage impacted Canon's email, Microsoft Teams, USA website, and other internal applications. It was also noted that image.canon, the company’s cloud service for storing images, also suffered an outage, potentially putting at risk users’ data and images stored on the platform. It was later shown that the cloud service was not impacted by the ransomware attack that the image.canon outage was not related to the ransomware attack, but the same cannot be said for several other services. Further, Canon announced that no user data or images were leaked during the announcement.

Based on research published by security firm McAfee has confirmed that the gang behind the NetWalker ransomware have established themselves as one of the most dangerous ransomware operators on the threat landscape. The research conducted by the firm reveals that the gang has potentially netted 25 million USD in ransomware payments since March 2020, proving the profitability of well organized and skilled ransomware gangs can generate as well as the danger posed by such gangs. While the 25 million USD figure is an estimate as it is not like these gangs have to report earnings to auditors or revenue services, it does mean that the gang ranks amongst some of the most successful gangs today including Dharma, Sodinokibi, and Ryuk. It is also noted by some that the figure of 25 million may be conservative due to the security firm’s limited view of the entire ransomware operation.

When Kaspersky Labs provided evidence the North Korean state-sponsored hacker collective named Lazarus was behind the WannaCry ransomware debacle that propelled ransomware into the limelight of malware, some scoffed. Those that believed it not to be the case seemingly also ignored evidence provided by several Western intelligence agencies. State-sponsored groups did not participate in for-profit, or financially motivated, hacking campaigns was the wisdom of the time. That time being 2017, now a better understanding of the group has led to wisdom on such matters. State-sponsored groups can indeed be financially motivated and perform cyber espionage. There was not a rule chiseled in stone, and there was most certainly no hacking rulebook being published in North Korea, raids on banks and cryptocurrency exchanges can attest to the mindset exhibited by Lazarus.

For Garmin’s vast user base the news that something is wrong with the services offered, is perhaps painfully old by now. In summary, reports began emerging as soon as July 23 that large swathes of the company’s services were offline. The company remained quiet as to why services were offline except for a tweet and an announcement via their website. In time several employees would speak out and say that the company had experienced a ransomware attack, what’s more, the offending piece of malware was WastedLocker. In even another staggering twist, reports emerged that 10 million USD was being demanded as a ransom by the cybercriminals behind the attack.

One of the key ways academics and researchers prevent cyberattacks is by finding flaws and vulnerabilities in software packages before hackers can. The Spectre and Meltdown vulnerabilities were found in this way and prompted major tech giants to find solutions before irreparable damage could be done. A team of academics from the Ruhr-University Bochum in Germany published a paper detailing how fifteen out of 27 desktop PDF viewers are susceptible to a new kind of attack, dubbed “Shadow Attack” by the team. The academics involved in the research and subsequent publishing of the research paper have already made quite a name for themselves uncovering other flaws that impact the widely used PDF file format.

Sifting through academic papers can be tedious work, overly formal language and jargon make it a trying endeavor even for professionals. That being said the report succinctly summed up the need and findings of the academic’s research in the opening paragraph, stating,

After an extended hiatus of nearly five months, Emotet has surged back to life with a new campaign sending out malicious emails to users worldwide. Historically the malware has been spread via malicious emails containing documents, often Word or Excel being the favored platforms to exploit, containing malicious macros that will install Emotet on the machine. From there the malware can include the infected machine into the malware’s botnet to send more malicious emails out, spread laterally across a network, and be used to drop other types of malware. Emotet is known to drop ransomware as well as info-stealing malware once it has infected a machine.

In an article published by Bleeping Computer and a technical blog post published by Malwarebytes details of the new campaign have been released to the public. In the first-mentioned article, researchers confirmed that Emotet activity seemed to fall off the map on February 7, 2020. An Emotet tracking group Cryptolaemus noted that while there was no spamming activity for the 5 month period, the malware’s developers were actively adding malicious modules to the code. It was also noted that a couple of days before July 17, the day activity surged back to life, a few test emails were distributed across the network.

Reports began emerging on July 15 that certain high profile Twitter users, including Joe Biden, Elon Musk, and Wiz Khalifa, were advertising a way to double your money if you sent an amount of cryptocurrency to a specific wallet. Claims similar to this have been seen numerous times before in several other crypto scams, where scammers look to trick or extort cryptocurrency from individuals. It was later revealed by Twitter that the actual accounts of those listed above, and several others were hacked and used to spread the scam without the knowledge of the account users.

Other high profile accounts that were compromised included Kim Kardashian West, Jeff Bezos, Bill Gates, Barack Obama, Wiz Khalifa, Warren Buffett, YouTuber MrBeast, Wendy’s, Uber, CashApp, and Mike Bloomberg. Something to note is that the political figures, Joe Biden, Barack Obama, and Mike Bloomberg are all affiliated to the Democratic Party in one form or the other with Joe Biden being the current Democrat nominee set to take on the current president Donald Trump in November’s election. From a number of reports, it would seem that now Republican Party figures had their accounts compromised by the scammers. Further, Warren Buffet, a known and very vocal critic of cryptocurrencies who publicly stated that he does not own any cryptocurrency and has no plans to own cryptocurrency had his account compromised.

The last time this publication covered Phorpiex it was seen distributing the Nemty across its botnet infrastructure. In the past the botnet was seen distributing GandCrab, however, researchers discovered that the botnet was seen distributing a new ransomware called Avaddon during the preceding month of June 2020. Avaddon’s distribution was discovered by Proofpoint who likewise noted that several other older ransomware strains were being distributed in separate campaigns but at roughly the same time.

In a separate report published by Check Point, it was revealed that the recent surge in Phorpiex activity amounted to the botnet being one of the most active malware families for the month of June. In the month of May, the malware was ranked 13th in terms of activity, the botnet climbed the rankings in June to be the second most detected malware family. The first was Agent Tesla which has been described by researchers as,

The year has already seen several new ransomware strains emerge into the wild as well as some new campaigns from new ransomware families. With the discovery of Conti this trend continues. Conti does not deserve mention for being part of a trend but rather for the unique features and the unique spin on ransomware traits the ransomware’s developers have instilled in the malware. In a technical report published by security firm Carbon Black, the curtain has been drawn back to reveal a dangerous strain of the ransomware despite being in its infancy.

According to the report, the ransomware boasts three features that separate it from the mass of other ransomware strains currently making up the threat landscape. Those being that the ransomware has a network only encryption mode, high-speed file encryption, and the ransomware’s capability to abuse Windows Restart Manager. Returning to the network only encryption mode, for the time being, in essence, this allows the ransomware an incredible amount of control over what is targeted for encryption which in turn can be done by the attacker via a command-line client. In practice, this allows the attacker to skip encrypting files on local drives and focus solely on targeting network drives and the files shared on them.