Threat Actors Organize: Welcome to Ransomware Inc.
FROM THE MEDIA: "Many people still think of a ransomware actor as the proverbial 400-pound hacker in his mom's basement -- nothing could be further from the truth," says in-the-trenches security expert Allan Liska. "There are a number of cottage industries that have sprung up in support of ransomware." "In fact, the leader of a ransomware group is often nothing more than a 'marketing' person whose sole purpose is to get more affiliates for the group," said Liska, who is known as the "Ransomware Sommelier." He shared his thoughts with Virtualization & Cloud Review following his presentation in a recent multi-part online event titled "Modern Ransomware Defense & Remediation Summit," now available for on-demand viewing. It's no surprise Liska started off discussing initial access brokers early on, as he has become somewhat of a specialist in that area. For example, last year he took to Twitter to lead a crowdsourcing effort to create a one-stop shop for a list of initial access vulnerabilities used by ransomware attackers, as we explained in the article "'Ransomware Sommelier' Crowdsources Initial Access Vulnerability List." Of course, organized ransomware has been a known thing for a while now, with even nation-state actors getting in on the action, but Liska and other security experts indicate the bad guys are getting more sophisticated.
READ THE STORY: Virtualization Review
Cybersecurity: These countries are the new hacking threats to fear as offensive campaigns escalate
FROM THE MEDIA: The number of hostile nation-state hacking operations is rising as new countries invest in cyber intrusion campaigns and existing state-backed attack groups take advantage of the rise in organizations adopting cloud applications. CrowdStrike's 2022 Global Threat Report details how the cyber threat landscape has evolved throughout the last year. One of those developments is the rise of new countries engaging in offensive cyber operations, including Turkey and Colombia. In accordance with CrowdStrike's naming conventions, attacks by Turkish-linked groups are detailed as attacks by 'Wolf' while attacks by Colombian operations have been dubbed 'Ocelot' – in a similar way to how the cybersecurity industry names Russian-government-backed activity 'Bear' or Chinese hacking groups 'Panda'. Activity by one of these new groups is detailed in the report; a Turkish-based hacking group, dubbed Cosmic Wolf by researchers, targeted data of an unspecified victim stored within an Amazon Web Services (AWS) cloud environment in April 2021. The attackers were able to break into the AWS cloud environment using stolen usernames and passwords, which also provided the attackers with the privileges required to alter command lines. That means they were able to alter security settings to allow direct Secure Shell Protocol (SSH) access to AWS from their own infrastructure, enabling the theft of data. Ultimately, countries are seeing that cyber campaigns can be easier to conduct than traditional espionage and are investing in it.
READ THE STORY: ZDnet
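The intrusion above turned on a security-setting change that let the attackers' own infrastructure reach AWS over SSH. Such a change is recorded in CloudTrail as an AuthorizeSecurityGroupIngress call, and the added example below (not code from the article or from CrowdStrike) scans constructed CloudTrail-style records for SSH grants to CIDRs outside an assumed allowlist.

```python
"""Flag CloudTrail events that grant SSH (tcp/22) ingress from outside an allowlist."""
import ipaddress

# Assumed allowlist: CIDRs from which SSH is legitimately expected (e.g. a bastion subnet).
SSH_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample records in the CloudTrail requestParameters layout (not real logs).
SAMPLE_EVENTS = [
    {"eventName": "AuthorizeSecurityGroupIngress",      # admin opens SSH to bastion subnet
     "userIdentity": {"userName": "ops-admin"},
     "requestParameters": {"groupId": "sg-0aaa", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "10.20.0.0/16"}]}}]}}},
    {"eventName": "AuthorizeSecurityGroupIngress",      # stolen creds open SSH to outside host
     "userIdentity": {"userName": "svc-backup"},
     "requestParameters": {"groupId": "sg-0bbb", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "198.51.100.7/32"}]}}]}}},
    {"eventName": "AuthorizeSecurityGroupIngress",      # HTTPS rule, not SSH: ignored
     "userIdentity": {"userName": "ops-admin"},
     "requestParameters": {"groupId": "sg-0ccc", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
]


def _covers_ssh(perm):
    """True if an ipPermissions item includes TCP port 22 ("-1" means all traffic)."""
    proto = str(perm.get("ipProtocol", ""))
    if proto == "-1":
        return True
    return proto == "tcp" and perm.get("fromPort", 0) <= 22 <= perm.get("toPort", 65535)


def _cidr_allowed(cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == ok.version and net.subnet_of(ok) for ok in SSH_ALLOWLIST)


def suspicious_ssh_openings(events):
    """Return (userName, groupId, cidr) for every SSH grant outside the allowlist."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "AuthorizeSecurityGroupIngress":
            continue
        params = ev.get("requestParameters", {})
        user = ev.get("userIdentity", {}).get("userName", "?")
        for perm in params.get("ipPermissions", {}).get("items", []):
            if not _covers_ssh(perm):
                continue
            ranges = (perm.get("ipRanges", {}).get("items", [])
                      + perm.get("ipv6Ranges", {}).get("items", []))
            for rng in ranges:
                cidr = rng.get("cidrIp") or rng.get("cidrIpv6")
                if cidr and not _cidr_allowed(cidr):
                    findings.append((user, params.get("groupId"), cidr))
    return findings


if __name__ == "__main__":
    for hit in suspicious_ssh_openings(SAMPLE_EVENTS):
        print("ALERT: %s opened SSH on %s to %s" % hit)
```

In production the same check would run over CloudTrail events delivered to S3 or EventBridge, with the allowlist drawn from the organization's bastion and VPN ranges.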
Ransomware Threat Intel: You're Soaking In It!
FROM THE MEDIA: Ransomware is the preeminent cyber threat facing both public and private sector organizations. By one estimate, around four in 10 organizations experienced a ransomware attack in the last two years. Moreover, the stakes of ransomware incidents have risen right along with their frequency. Today's ransomware attacks are complex feats of extortion that combine data theft, malware deployment, denial of service, and other techniques. Ransomware attacks have been linked to disruption of critical infrastructure, from hospitals to gas distribution pipelines. Tackling ransomware threats is a top priority for both law enforcement and private sector security firms. The recent attacks affecting critical infrastructure in the US inject urgency into the government's response to the ransomware threat. For example, following the attack on the Colonial Pipeline, servers and bitcoin wallets used by the DarkSide ransomware group and its affiliates were seized and disabled, forcing the group to cease operations. But remember: ransomware is too diverse a threat to succumb to any "silver bullet" security solution. To stop ransomware, organizations must first develop an in-depth understanding of the tooling, capabilities, and behaviors of ransomware groups likely to target them. To get to this level of understanding, your organization needs up-to-date threat intelligence.
READ THE STORY: DarkReading
Russian cooperation in ransomware could ‘fully cease’ amid Ukraine row
FROM THE MEDIA: Just a few months ago, before Russia began positioning troops for a potential invasion of Ukraine, the major geopolitical friction between the West and Moscow was Russia's harboring of cybercriminals. Some of that tension began to dissipate when Russia started to make impactful arrests of ransomware gangs in January. But with the emerging showdown with NATO, Russia's assistance in last year's biggest threat may be tenuous at best. "If the U.S. responds with severe sanctions against the Russian economy for invading Ukraine, as is expected, I fully expect Russia's newly found cooperation on ransomware to fully cease," said Dmitri Alperovitch, head of the Silverado Policy Institute, who made his name as the founder of CrowdStrike. "In fact, it's quite possible they will release the criminals they have arrested this year, which would send a signal to the criminal underground that it's open season on Western organizations." For years, Russia's leniency toward domestic cybercriminal groups targeting victims outside the Russia-led Commonwealth of Independent States has been a driver of those groups' success. Many of the most prominent strains of ransomware are hardcoded not to deploy on systems with Russian-language keyboards installed. After the Colonial Pipeline and JBS ransomware attacks rattled the United States in early 2021, the public/private collaborative Ransomware Task Force listed incentivizing Russia to govern its own citizenry as an irreplaceable component of an anti-ransomware strategy.
READ THE STORY: SC Magazine
False flags and cyber prep.
FROM THE MEDIA: Presidents Biden and Putin spoke Saturday in negotiations aimed at reducing tensions over Ukraine, but without result, the Washington Post wrote, and US sources subsequently said the risk of a Russian invasion remained high. The White House published a brief "readout" of their conversation: "President Joseph R. Biden, Jr. spoke today with President Vladimir Putin of Russia about Russia’s escalating military buildup on the borders of Ukraine. President Biden was clear that, if Russia undertakes a further invasion of Ukraine, the United States together with our Allies and partners will respond decisively and impose swift and severe costs on Russia. President Biden reiterated that a further Russian invasion of Ukraine would produce widespread human suffering and diminish Russia’s standing. President Biden was clear with President Putin that while the United States remains prepared to engage in diplomacy, in full coordination with our Allies and partners, we are equally prepared for other scenarios." A White House representative, speaking on background, summarized the outcome of the conversation: "Over time, if Russia invades, this list will also include a severe economic cost that I’ve already described and irrevocable reputational damage caused by taking innocent lives for a bloody war choice. The two presidents agreed that our teams will stay engaged in the days ahead. Russia may decide to proceed with military action anyway.
READ THE STORY: The Cyberwire
Russia Is Cracking Down on Cybercrime. Here Are the Law Enforcement Bodies Leading the Way.
FROM THE MEDIA: On February 7 and 8, the domains of several well-known Russian-language illicit communities—Ferum Shop, Sky-Fraud, Trump Dumps, and UAS—were seized by Department K, a division of the Ministry of Internal Affairs of the Russian Federation that focuses primarily on information technology-related crimes. In addition to seizing the domains, Russian authorities arrested Artem Alexeyevich Zaytsev and at least five other individuals. Artem Zaytsev appears to be the CEO of Get-Net LLC—the registrar for Sky-Fraud, Trump Dumps, UAS, and Ferum—and is connected to a range of other businesses in the Russian cities of Perm and St. Petersburg, including a loan provider. Threat actors are concerned about their future, as these takedowns have also fueled an already ongoing discussion about potential law enforcement takeovers of other major cybercrime venues. At the center of this conversation are Russia’s two main bodies for dealing with financial and cybercrimes, the Federal Security Service and Ministry of Internal Affairs’ (MVD) Department K. While their roles are different, they have both significantly affected the cybercrime landscape in Russia and how it will evolve. In the wake of the recent arrests, Flashpoint analysts explain the main differences and similarities between the FSB and MVD’s Department K, plus what their roles might mean for the future of the cybercrime landscape.
READ THE STORY: Flashpoint
Durham alleges cyber analysts 'exploited' access to Trump White House server
FROM THE MEDIA: John Durham, the special counsel appointed under former President Trump to investigate the FBI's probing of Russian interference in the 2016 election, alleged in court that a tech executive "exploited" access to White House data in order to find damning information about Trump. In a court filing submitted Friday, Durham's office said that the executive, who is referred to in legal filings only as "Tech Executive-1" but has been identified in news reports as Rodney Joffe, used his company's access to nonpublic government domain name system (DNS) data through a pending cybersecurity contract as he was analyzing supposed links between the Trump Organization and a Russian bank. "Tech Executive-1’s employer, Internet Company-1, had come to access and maintain dedicated servers for the EOP as part of a sensitive arrangement whereby it provided DNS resolution services to the EOP," Durham's office wrote, using an acronym for the White House's Executive Office of the President. "Tech Executive-1 and his associates exploited this arrangement by mining the EOP’s DNS traffic and other data for the purpose of gathering derogatory information about Donald Trump." An attorney representing Joffe did not immediately respond when asked for comment. The filing came in Durham's prosecution against Michael Sussmann, an attorney who represented Joffe and worked on behalf of the Democrats and Hillary Clinton's 2016 campaign, for a single count of making false statements to the FBI's general counsel.
READ THE STORY: The Hill
Russia and China devote more cyber forces to offensive operations than US, says new report
FROM THE MEDIA: Russia and China have each dedicated significantly more military cyber forces to conducting cyber effects than the United States, according to research by a London-based think tank. The International Institute for Strategic Studies’ Military Balance+ database, which evaluates global military trends, sought to provide a breakdown assessing the military cyber capabilities of these nations based mostly on active duty military forces with a responsibility for cyberspace operations (though some data was gathered on reservist units). According to the report, 33% of Russia’s military cyber forces are focused on effects, compared to 18.2% of Chinese military forces and 2.8% of U.S. forces. This data was derived from the composition of principal cyber forces according to roles assigned to individual units. Authors of the report clarified that “effects” generally refers to actions to deny, degrade, disrupt or destroy as well as those conducted by proxies in conjunction with a government actor. It can also include a range of other capabilities such as the ability to research vulnerabilities, write or use malware, and maintain command and control through exploits.
READ THE STORY: C4ISR
China emerges as leader in vulnerability exploitation
FROM THE MEDIA: China-nexus threat actors are getting better and quicker at weaponising and deploying exploits for newly discovered common vulnerabilities and exposures (CVEs), and in the past 12 months leveraged new vulnerabilities at a “significantly elevated” rate when compared to 2020, according to CrowdStrike’s eighth annual Global Threat Report. CrowdStrike Intelligence said it had confirmed the exploitation of two vulnerabilities published in 2020 by China-nexus advanced persistent threat (APT) actors – in Oracle WebLogic and Zoho ManageEngine, respectively – but that last year it was able to confirm 12 vulnerabilities and nine different products being exploited, linked to 10 known APTs, including the infamous Wicked Panda (aka APT41 or Barium). The analysts said that although Chinese APTs have long developed and deployed their own exploits in targeted intrusions, 2021 saw an increased volume of activity from Chinese APTs, highlighting an evolution in how these groups go about their work. “For years, Chinese actors relied on exploits that required user interaction, whether by opening a malicious document or other files attached to emails or visiting websites hosting malicious code,” wrote the report’s authors. “In contrast, exploits deployed by these actors in 2021 focused heavily on vulnerabilities in internet-facing devices or services.”
READ THE STORY: News AZI
New MyloBot Malware Variant Sends Sextortion Emails Demanding $2,732 in Bitcoin
FROM THE MEDIA: A new version of the MyloBot malware has been observed to deploy malicious payloads that are being used to send sextortion emails demanding that victims pay $2,732 in digital currency. MyloBot, first detected in 2018, is known to feature an array of sophisticated anti-debugging capabilities and propagation techniques to rope infected machines into a botnet, not to mention remove traces of other competing malware from the systems. Chief among its methods to evade detection and stay under the radar are a delay of 14 days before accessing its command-and-control servers and the facility to execute malicious binaries directly from memory. MyloBot also leverages a technique called process hollowing, wherein the attack code is injected into a suspended and hollowed process in order to circumvent process-based defenses. This is achieved by unmapping the memory allocated to the live process and replacing it with the arbitrary code to be executed, in this case a decoded resource file. "The second stage executable then creates a new folder under C:\ProgramData," Minerva Labs researcher Natalie Zargarov said in a report. "It looks for svchost.exe under a system directory and executes it in suspended state. Using an APC injection technique, it injects itself into the spawned svchost.exe process."
READ THE STORY: THN
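The behaviour quoted above leaves a telemetry trail: a legitimate svchost.exe is started by services.exe, not by an executable living under C:\ProgramData, and it is not normally created in a suspended state. The added hunting example below (not code from the article or from Minerva Labs) scores constructed process-creation records on those three indicators; the record layout and the creation_flags field are assumptions standing in for an EDR that records CreateProcess flags.

```python
"""Hunt process-creation telemetry for the MyloBot second-stage pattern described above."""
import ntpath

CREATE_SUSPENDED = 0x00000004  # Win32 process-creation flag

# Constructed sample records (not real logs). Field names are an assumption; creation_flags
# stands in for an EDR that records the CreateProcess flags.
SAMPLE_PROCESSES = [
    {"pid": 812, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "creation_flags": 0x0},
    {"pid": 4120, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\ProgramData\x7k2q\stage2.exe", "creation_flags": 0x4},
    {"pid": 4300, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Program Files\Vendor\agent.exe", "creation_flags": 0x0},
    {"pid": 4400, "image": r"C:\Users\alice\AppData\Local\notes.exe",
     "parent_image": r"C:\Windows\explorer.exe", "creation_flags": 0x0},
]


def _name(path):
    return ntpath.basename(path).lower()


def indicators(rec):
    """Return the list of hollowing/injection indicators present in one record."""
    hits = []
    if _name(rec["image"]) == "svchost.exe" and _name(rec["parent_image"]) != "services.exe":
        hits.append("svchost.exe not spawned by services.exe")
    if rec["parent_image"].lower().startswith("c:\\programdata\\"):
        hits.append("parent runs from under C:\\ProgramData")
    if rec.get("creation_flags", 0) & CREATE_SUSPENDED:
        hits.append("target created suspended (CREATE_SUSPENDED)")
    return hits


def hunt(records, min_hits=2):
    """Map pid -> indicators for records that show at least min_hits indicators."""
    results = {}
    for rec in records:
        hits = indicators(rec)
        if len(hits) >= min_hits:
            results[rec["pid"]] = hits
    return results


if __name__ == "__main__":
    for pid, hits in hunt(SAMPLE_PROCESSES).items():
        print("PID %d: %s" % (pid, "; ".join(hits)))
```

The parent/child and path checks alone can be expressed as a Sysmon Event ID 1 rule; the suspended-creation indicator needs telemetry that exposes process-creation flags.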
Items of interest
Wazawaka Goes Waka Waka (Article)
FROM THE MEDIA: In January, KrebsOnSecurity examined clues left behind by “Wazawaka,” the hacker handle chosen by a major ransomware criminal in the Russian-speaking cybercrime scene. Wazawaka has since “lost his mind” according to his erstwhile colleagues, creating a Twitter account to drop exploit code for a widely-used virtual private networking (VPN) appliance, and publishing bizarre selfie videos taunting security researchers and journalists. In last month’s story, we explored clues that led from Wazawaka’s multitude of monikers, email addresses, and passwords to a 30-something father in Abakan, Russia named Mikhail Pavlovich Matveev. This post concerns itself with the other half of Wazawaka’s identities not mentioned in the first story, such as how Wazawaka also ran the Babuk ransomware affiliate program, and later became “Orange,” the founder of the ransomware-focused Dark Web forum known as “RAMP.” The same day the initial profile on Wazawaka was published here, someone registered the Twitter account “@fuck_maze,” a possible reference to the now-defunct Maze Ransomware gang. The background photo for the @fuck_maze profile included a logo that read “Waka Waka;” the bio for the account took a swipe at Dmitry Smilyanets, a researcher and blogger for The Record who was once part of a cybercrime group the Justice Department called the “largest known data breach conspiracy ever prosecuted.” The @fuck_maze account messaged me a few times on Twitter, but largely stayed silent until Jan. 25, when it tweeted three videos of a man who appeared identical to Matveev’s social media profile on Vkontakte (the Russian version of Facebook). The man seemed to be slurring his words quite a bit, and started by hurling obscenities at Smilyanets, journalist Catalin Cimpanu (also at The Record), and a security researcher from Cisco Talos.
READ THE STORY: Krebs on Security
The Most Dangerous Black Market You've Never Heard Of (Video)
FROM THE MEDIA: Mercury is crucial to small-scale gold mining in South America but increasing scrutiny of its health and environmental impact in the Amazon is leading to its prohibition throughout the continent. This investigation delves into the underworld of mercury, following its path from Guyana to neighboring Suriname, exploring the health and environmental consequences, and what the prohibition of mercury would mean for the livelihoods of miners and communities across the Amazon. ‘MERCURY’ is a film by Tom Laffay, produced by InfoAmazonia, a data journalism initiative which reports on the Amazon. It forms part of a wider investigation called ‘Mercury - Chasing the Quicksilver’ led by journalist Bram Ebus. Read more here: https://mercurio.infoamazonia.org/en/
How hacking actually looks like (Video)
FROM THE MEDIA: Let me show you what hacking actually looks like. You've probably seen many movies where hacking is portrayed like this - *random windows open, they display random text scrolling very fast, doesn't make any sense* In this video, let's see what real hacking actually looks like. Breaches: Believe me or not, your password is probably already out there, publicly available on the Internet without even your knowledge. This might feel a bit unconvincing, but it’s true; there is a chance. Even mine existed publicly on the Internet without me knowing it until recently, when I finally found out that my credentials had already been stolen and were available for literally anyone to see. I had to then change my passwords on all my websites immediately.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at email@example.com