Thursday, February 24, 2022 // (IG): BB //Weekly Sponsor: ISG
Report sheds light on use of initial access brokers in ransomware attacks
FROM THE MEDIA: Initial access brokers (IABs) have been a crucial component of the ransomware-as-a-service economy, reports ZDNet. A study from KELA revealed that at least five Russian ransomware gangs — namely Avaddon, BlackByte, Conti, DarkSide, and LockBit — have been using IABs. Avaddon was observed to add a United Arab Emirates-based steel product supplier to its leak site three weeks after access to the company was posted for sale on a forum, while Conti exposed data belonging to a US manufacturer within two weeks after access was sold on the dark web. Moreover, LockBit ransomware was able to attack Bangkok Airways less than a month after securing AnyConnect VPN access from an IAB dubbed "babam." "Bangkok Airways did not disclose any investigation details, but based on the timeline, it is highly possible that the attack was performed using the bought access," said researchers. The report also showed that babam traded access to Gyrodata, a mining technology company.
READ THE STORY: SCmagazine
Extortion doesn't stop after paying the ransom
FROM THE MEDIA: A global survey that looked into the experience of ransomware victims highlights the lack of trustworthiness of ransomware actors: in most cases, paying the ransom does not end the extortion, which simply continues. This is not a surprising or new discovery, but when seeing it reflected in actual statistics, one can appreciate the scale of the problem in full. As Venafi underlines in its report, paying the ransom only motivates crooks to return for more, as it sends the signal that the victim sees this as the easiest way out of trouble, which is nothing but an illusion. "Organizations are unprepared to defend against ransomware that exfiltrates data, so they pay the ransom, but this only motivates attackers to seek more," comments Venafi's vice president, Kevin Bocek. "The bad news is that attackers are following through on extortion threats, even after the ransom has been paid! This means CISOs are under much more pressure because a successful attack is much more likely to create a full scale service disruption that affects customers."
READ THE STORY: Bleeping Computer
Actors are now going after supply chain companies
FROM THE MEDIA: Cybercriminals have started to target some of the world’s biggest logistics companies at a precarious moment for supply chains. The attacks threaten to disrupt global efforts to clear out the backlogs of undelivered cargo choking ports and warehouses to ease freight delays and high shipping prices. Expeditors, a Seattle-based company that coordinates land, sea, and air shipments in over 300 locations around the world, was hacked on Feb. 20. The company shut down most of its IT network and said it has “limited ability to conduct operations.” Cybersecurity analysts suspect the hack was a ransomware attack, in which cybercriminals lock up a company’s data and demand a ransom in exchange for its safe return. Expeditors is the world’s sixth largest freight forwarder—a middleman that helps businesses book space on trucks, container ships, and cargo planes. The firm coordinated over 900 million metric tons of air cargo shipments and 1.1 billion containers of ocean freight shipments in 2020. While its systems are down, Expeditors can’t book any new shipments, track where existing cargo is, or shepherd it through customs at ports around the world. The company’s paralysis may drag on for weeks as cybersecurity consultants work to restore its IT network.
READ THE STORY: Quartz
Tales from the Dark Web, How Criminals Monetize Ransomware
FROM THE MEDIA: Ransomware is fast becoming a potent way for threat actors to strike it rich. In the first six months of 2021 alone, $590 million in ransomware-related suspicious activity was tracked — more than the total for all of 2020, according to the Financial Crimes Enforcement Network. For most ransomware operators, money is the end goal and monetization is the last stop in their campaigns. These adversaries are constantly changing their monetization tactics to stay undetected on the dark web. Here are five points worth noting about monetization and the cash operations that fuel ransomware. First, cryptocurrency is the preferred method of payment. Adversaries who cash out on ransomware want to fly under the radar. To preserve anonymity, they take refuge in various forms of virtual currency such as Bitcoin, Monero, Ethereum, and Litecoin. Because people do not need to share personally identifiable information when creating a cryptocurrency wallet, their identity remains anonymous. Bitcoin seems to be the main cryptocurrency of choice because it is fairly easy to obtain, provides anonymity, and enables quick payments. It accounts for a whopping 98% of ransomware payments, according to insurance broker and risk advisor Marsh. Second, mixing services provide further anonymity. While cryptocurrency such as Bitcoin provides users with anonymity, its ledger is transparent and public: transactions can be traced and tracked, although there is some difficulty involved in doing so.
READ THE STORY: Darkreading
Dridex Malware Spreads Entropy Ransomware in Recent Cyberattacks
FROM THE MEDIA: Two recent cyberattacks, impacting an unnamed North American media organization and a regional government entity, deployed the Dridex trojan on targets’ computers before launching the Entropy ransomware. After further analysis of both attacks, researchers uncovered similarities in the code of Dridex and Entropy, which they said hinted at a common origin. While Entropy is a relatively new ransomware, Dridex is a well-known trojan targeting the Windows platform that is typically spread through malicious spam attachments. The malware has the capabilities to contact a remote server, send data about infected systems and download arbitrary modules on command; it also frequently serves as an initial foothold in ransomware attacks. Attackers that distribute Dridex likely employ ransomware with similar configurations, according to the Cybersecurity & Infrastructure Security Agency (CISA), which in 2019 highlighted how code for the BitPaymer ransomware includes numerous similarities to Dridex, as part of attacks that at the time used both malware families to target U.S. financial institutions. “It’s not unheard of for malware operators to share, borrow or steal each other’s code, either to save themselves the effort of creating their own, intentionally mislead attribution or distract security researchers," said Andrew Brandt, principal researcher at Sophos, in a Wednesday analysis. "This approach makes it harder to find evidence that corroborates a ‘family’ of related malware or to identify ‘false flags’ that can make attackers’ jobs easier and investigators’ jobs harder."
READ THE STORY: DUO
Meat Prices Are Going Up. Congress Is Trying to Do Something About It
FROM THE MEDIA: Nobody was physically injured when an August 2019 fire broke out at a Tyson Foods-owned beef packing plant in Holcomb, Kansas, but plenty of wallets were. The resulting four-month shutdown of the country’s second-largest beef packing plant, which was responsible for roughly 6% of the country’s total beef slaughter at the time, triggered wholesale beef prices to rise 10%, harming restaurant chains, grocery stores, and individual consumers shopping in the meat aisle. That one fire at a single meat packing plant could have such a dramatic effect on beef prices was the result of years’ worth of consolidation in the meat industry. Each year since 1980, an average of almost 17,000 cattle ranchers have gone out of business, according to a 2019 report from the Open Markets Institute, an anti-monopoly think-tank. In the mid-1990s, nearly 90% of U.S. hogs were sold into competitive markets, but by 2019 the proportion was under 7%, the report says. Four mega meat packers control 85% of the beef market, four firms control 54% of the poultry market, and four firms control 70% of the hog processing market. The Holcomb fire brought the meat market consolidation closer to the forefront of consumer awareness as prices rose, but the problem has been revealed repeatedly over the past three years. When there are so few meat processors, one-off emergencies—like ransomware attacks or pandemic outbreaks—at even a few meat processing factories can vastly reduce the number of animals that can be turned into consumable meat across the nation. In the early days of the pandemic, for example, the number of pigs that could be processed declined by 45% as COVID-19 spread through the factories’ assembly lines. Pork breeders had to “liquidate” perfectly healthy pigs that they could no longer afford to feed and had no alternative meat processors on which to unload them. Customers couldn’t find their usual selections of protein in grocery stores, or began paying far more money for them.
READ THE STORY: Time
Russia Could Use Cryptocurrency to Blunt the Force of U.S. Sanctions
FROM THE MEDIA: Russian companies have many cryptocurrency tools at their disposal to evade sanctions, including a so-called digital ruble and ransomware. When the United States barred Americans from doing business with Russian banks, oil and gas developers and other companies in 2014, after the country’s invasion of Crimea, the hit to Russia’s economy was swift and immense. Economists estimated that sanctions imposed by Western nations cost Russia $50 billion a year. Since then, the global market for cryptocurrencies and other digital assets has ballooned. That’s bad news for enforcers of sanctions, and good news for Russia. On Tuesday, the Biden administration enacted fresh sanctions on Russia over the conflict in Ukraine, aiming to thwart its access to foreign capital. But Russian entities are preparing to blunt some of the worst effects by making deals with anyone around the world willing to work with them, experts said. And, they say, those entities can then use digital currencies to bypass the control points that governments rely on — mainly transfers of money by banks — to block deal execution. “Russia has had a lot of time to think about this specific consequence,” said Michael Parker, a former federal prosecutor who now heads the anti-money laundering and sanctions practice at the Washington law firm Ferrari & Associates. “It would be naïve to think that they haven’t gamed out exactly this scenario.”
READ THE STORY: NYTIMES
New data-wiping malware used in destructive attacks on Ukraine
FROM THE MEDIA: Cybersecurity firms have found a new data wiper used in destructive attacks today against Ukrainian networks just as Russia moves troops into regions of Ukraine. A data wiper is malware that intentionally destroys data on a device, rendering the data unrecoverable and leaving the operating system unable to work correctly. This morning, Ukrainian government agencies and banks were hit with DDoS attacks that took websites offline. Soon after, cybersecurity firms Symantec and ESET disclosed that they had found a new destructive data wiper malware also used in cyberattacks today against Ukrainian organizations. Symantec shared the hash of the new data wiper on Twitter; at the time of writing it is detected by only 16 of 70 security engines on VirusTotal. "According to Symantec Threat Hunter telemetry, they have discovered new wiper attacks in Ukraine, Latvia, and Lithuania. Targets have included finance and government contractors," Vikram Thakur, Technical Director at Symantec Threat Intelligence, shared in a statement to BleepingComputer. ESET also posted a detailed Twitter thread containing a technical analysis of the new data wiper and how they have seen it deployed.
READ THE STORY: Bleeping Computer
Russia Sandworm Hackers Built a Firewall Called ‘Cyclops Blink’ and it Raises Alarms on Cybersecurity
FROM THE MEDIA: Russia's Sandworm hackers built firewall malware called "Cyclops Blink," and it has raised the alarms of global cybersecurity agencies, especially given the country's current conflict. The new malware is the latest tool of a group whose notoriety already makes it a massive threat to the world's cybersecurity infrastructure. According to Wired, there has been widespread speculation that a "high-profile cyberattack" might now be under way between Russia and Ukraine. Naturally, any actions of infamous hacking groups in the country will be something to watch out for, especially for those following events unfold in the current climate. A report from the United Kingdom's National Cyber Security Centre (NCSC) and the United States' Cybersecurity and Infrastructure Security Agency (CISA) describes how officials discovered Russian Sandworm hackers hiding in firewalls. The malware called "Cyclops Blink" has been hiding itself on firewalls sold by a company called "Watchguard" since 2019. Global cybersecurity agencies are on high alert in the present cyber and political landscape, as the mobilization of Russian troops may be something that escalates in the coming weeks. There is widespread speculation about a brewing war, one that would not rely solely on soldiers fighting each other but would also involve the data and information breaches of modern warfare, along with the use of bombs.
READ THE STORY: Techtimes
Western Companies Should Prepare to Be Collateral Damage in Russia’s Cyber Conflict
FROM THE MEDIA: As the prospects to preempt renewed Russian aggression in Europe have dimmed in recent weeks, the Biden administration has taken a flurry of steps to ensure that U.S. financial and critical infrastructure operators—the majority private sector—are steeled for what is likely to be a new phase of unconstrained Russian cyber activity against American and allied interests. U.S. officials’ emphasis on concrete, actionable steps to bolster digital defenses is particularly needed, as prospective Russian cyber operations simultaneously stretch across, and deviate from, abstract notions about how conventional warfare escalates. Cyber operations can serve as prelude, accelerant, trigger, accompaniment, or offramp to conventional inter-state armed conflict, as Columbia University’s Jason Healey and the late Robert Jervis have outlined. They are certain to be part of Moscow’s response to a post-invasion sanctions regime. Where they currently fall within that schema is a conceptual puzzle for policymakers and military thinkers—one no less challenging for C-suites and front-line workers servicing critical industries and functions. How should private-sector stakeholders grapple with such an acute yet abstract threat? The answer may lie in understanding these stakeholders less as bystanders and more as participants in the current geopolitical environment. Moscow is focused on “sowing political and economic turmoil in the West, undercutting Westerners’ faith in democratic government, and weakening the influence of Western countries in Russia’s neighborhood,” cyber expert Dmitri Alperovitch recently wrote. This focus will only intensify in tandem with the conflict surrounding Ukraine. U.S. enterprises, and their European counterparts, will serve as a battlefront in this contest—willingly or not.
READ THE STORY: Barrons
Items of interest
Will Russia’s invasion of Ukraine trigger a massive cyberwar? (Article)
FROM THE MEDIA: Tensions continue to rise between Russia and the West, as Russian president Vladimir Putin mobilizes his troops on the border of Ukraine, but in 2022 wars aren’t only fought on a physical battlefield. Russia, Ukraine and the latter’s Western allies have all built up the capability to launch huge state-sponsored cyberattacks. Are we lurching towards the world’s biggest cyberwar? Western authorities certainly seem fearful of potential cyberattacks. The UK’s National Cyber Security Centre warned organizations to improve their cyber defenses on 22 February, though declined to elaborate further when asked by New Scientist. There are similar warnings in the US. On 16 February, the Cybersecurity and Infrastructure Security Agency warned companies that provide services to US armed forces to be on the lookout for an increased number of attempts to break into their IT systems. That followed a 23 January memo from the US Department of Homeland Security warning that “Russia maintains a range of offensive cyber tools that it could employ against US networks”. In early February, the European Central Bank also warned against cyberattacks.
READ THE STORY: New Scientist
Russia’s use of cyber coercion (Video)
FROM THE MEDIA: This webinar, chaired by Dr Greg Austin, IISS Senior Fellow for Cyber, Space and Future Conflict, featured two evaluations of Russia’s use of cyber assets to advance its strategic goals, by Bilyana Lilly, Pardee fellow at the Pardee RAND Graduate School at the RAND Corporation, and Dr Ofer Fridman, Director of Operations at the King’s Centre for Strategic Communications (KCSC). This webinar is part of a research project by the International Institute for Strategic Studies (IISS) assessing the cyber campaigns and coercive diplomacy of countries around the world.
Infighting Among Russian Security Services in the Cyber Sphere (Video)
FROM THE MEDIA: This talk draws on more than a decade of research into the cyber threat environment of the RuNet (much of it conducted in Russia) and insight gained as a bit player in a trial that is itself a significant escalation among Russia's security agencies. It will discuss the competition between Russia's security agencies active in the cyber sphere, as well as the specific conflicts, and actions, that may have played a role in creating the current situation, and how the current situation could influence future decisions regarding international campaigns.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com