On the list of unexpected – not to mention expensive – anti-malware tools is the unlikely marriage of an RPI, an Oscilloscope, and a few other odds and ends. The result being that you can Detect malware with electromagnetic waves and Raspberry Pi.
We have officially reached the point where we can wave one box of flattened sand over another box of flattened sand and get the caged lightning in the first box to tell you whether or not the caged lightning in the second box of flattened sand is going to try to infect any of your other boxes of flattened sand. “Computers are boxes of flattened sand with caged lightning we trick into doing math” may be a popular meme, but honestly, detecting IoT malware using a Raspberry Pi and an Oscilloscope is just this side of outright magic. It’s also really, really cool.
The context for this month’s top Tweet is that it was quote tweeting Zerodium looks to buy zero-days in Outlook and Thunderbird email clients, an article worth reading in its own right. The Tweet, by Nate Warfield (@n0x08), reads as follows:
“Outlook vulns sold to Zerodium are worth 10x+ more than what Microsoft will pay. $150k higher than RCE in HyperV, arguably the most hardened code Microsoft has.
We’re banking on people responsibly disclosing to avoid the stigma of selling to an exploit broker.”
We could not agree more.
Talos Intelligence has a reputation lookup on their main page. It allows you to search “by IP, domain, or network owner for real-time threat data.”
Ransomware puts New Mexico prison in lockdown: Cameras, doors go offline. This compromise is interesting because it’s a representative example of a class of ransomware attacks increasingly affecting prisons. It’s unknown if these attacks are targeted or merely targets of opportunity, but the compromise events do tend to include a wide range of different systems, making us suspect that prisons should expect to be more regularly targeted by Big Game Hunters.
Ransomware Attack Against KP Snacks. This compromise is notable mostly as a reminder that Conti ransomware is still out there, still going strong, and it is threatening our munchies.
Assuming you can have a headline attack in a month wherein the log4j vulnerability played itself out, we are presented with four contenders for title of “headline attack” over the past month:
Human resource management group hit by ransomware attack. Ultimately Kronos Group was the target, but the impact may also be felt by their big-name clients, “including Tesla, Marriott, Yamaha, Samsung, Revlon, The Container Store and Peet’s Coffee and Tea.”
FBI: Hackers use BadUSB to target defense firms with ransomware. Targets received packages with letters and infected USB keys in the mail. Some packages contained a thank-you note and fake Amazon gift card. Others pretended to be from the US Department of Health & Human Services, with updated guidance about COVID-19. This attack, linked to the Fin7 group, has been in progress since at least August 2021, targeting transportation and insurance companies before pivoting to defense firms in December.
Brazilian Ministry of Health suffers cyberattack and COVID-19 vaccination data vanishes. Brazilians lost access to health data, including digital vaccine certificates, but Brazilian health minister Marcelo Queiroga says backups exist.
Shutterfly services disrupted by Conti ransomware attack. Attackers are threatening to leak corporate data, including “legal agreements, bank and merchant account info, login credentials for corporate services, spreadsheets, and what appears to be customer information, including the last four digits of credit cards.”
What’s worth noting about these four headlines is the diversity of targets: a corporate back-end services provider, defense firms, a government health department and a photo lab. Together, these compromises underscore how no organization is safe. No vertical is sacrosanct, and no organization is too small or irrelevant.
The Extortion Economy Podcast: Exploring the Secret World of Ransomware. This 5-part podcast series “looks at the money, people and technology behind the explosion of ransomware that is delivering hundreds of millions of dollars to cybercriminals around the world.” The podcast is a joint production between ProPublica and MIT Technology Review.
How to Proactively Limit Damage From BlackMatter Ransomware. Security Researchers at Illusive found a logic flaw in BlackMatter ransomware that defenders can use to reduce the spread in some circumstances. More detail is available at Preventing BlackMatter Ransomware from Encryption of Available Remote Share.
Planned Parenthood Los Angeles was victim of a cyber-attack involving ransomware. Planned Parenthood Los Angeles says hack breached about 400,000 patients’ information.
This attack combined ransomware with data exfiltration. While the attack hit the news in early December, it took place in October. The Planned Parenthood attack only affected the Los Angeles chapter, but data exfiltrated during the event may include patients’ “name and one or more of the following: address, insurance information, date of birth, and clinical information, such as diagnosis, procedure, and/or prescription information.” This is highly sensitive information, and the repercussions of this attack have yet to be fully felt.
Ransomware Attacks Are Crossing the Line, Causing Chaos
Delta-Montrose Electric Association, a Colorado energy company, has lost 25 years of data to what appears to be a ransomware attack. While none of the press releases about the event have used the term “ransomware,” the description of the attack fits a standard ransomware profile.
While the attack did not affect the utility company’s electrical or fiber optic networks, it devastated back office networks, with numerous functions still offline a month after the attack. This is only the latest attack against critical infrastructure companies in the USA, which may explain why the U.S. military’s Cyber Command now admits that it is acting directly against ransomware groups, including those not known to be state sponsored: U.S. Military Has Acted Against Ransomware Groups, General Acknowledges.
The USA isn’t the only country to see its critical infrastructure attacked recently. A great deal of energy was expended by the Australian media on blaming China for the attack, but it ultimately turned out to be ordinary Conti ransomware: Ransomware attack on Australian utility claimed by Russian-speaking criminals.
This underscores the problem that nations face in retaliating against malware gangs: attribution is often more difficult than actually disrupting a malware gang’s operations. In acting directly against ransomware operators you may not actually know whom you’re attacking… or being attacked by.
Perhaps the most overlooked piece of advice for defenders is to pay attention to the entire Cybercrime supply chain: Fueling the rise in ransomware. Trend Micro’s David Sancho has a particularly excellent quote in this article: “Media and corporate cybersecurity attention have been focused only on the ransomware payload, when we need to focus first on mitigating the activity of initial access brokers.”
Some of this is a signal-to-noise problem. Research for this newsletter involves trawling through the month’s news regarding all things information security, with a focus on ransomware. One thing that stands out when you do this regularly is how saturated every medium is with vendors talking about how their backup and/or disaster recovery software will help you recover from ransomware, trying to sell you incident response services, or talking about cybercrime insurance.
It is important to understand why this is, and why this needs to change. Traditionally, information security practices were almost exclusively focused on prevention: firewalls, endpoint protection, and so on, all focused on keeping the bad guys out so that compromises didn’t happen. This never really worked because there were just so many attacks that eventually someone would succeed, almost always through some sort of phishing attempt.
But this is changing. Initial network access is often gained by specialist “access brokers” who then sell access to multiple networks to various threat actors who then wish to deploy malware, ranging from cryptominers to information stealers, as well as ransomware. In addition to phishing, access brokers make use of social engineering and unpatched vulnerabilities to gain direct access to networks without having to rely on someone clicking the wrong link.
Not being up-to-date on patches is a nearly universal problem that affects organizations of all sizes. Among the worst culprits for being unpatched are single-purpose IT “appliances.” This year, VPN appliances have been notably in the spotlight, but there are plenty of examples of everything from storage units to firewalls having critical vulnerabilities that went unpatched in significant numbers of organizations this year.
It isn’t enough to focus on what happens when ransomware strikes—efforts must be made to secure all parts of the network, including disrupting the initial access to the network.
In which the pivot by attackers away from well-defended financial organizations and towards poorly defended manufacturing organizations is discussed.
The statistics in this article show the devastating economic toll ransomware has taken in a number of key markets. The data includes ransom demands, the cost of downtime, and the overall global cost of ransomware, as well as separate statistics focused on the public and private sectors.
Happy Holidays to all of our readers! But while the holidays are a time to relax and decompress, it’s important to remember that cybercriminals don’t take holidays off. In fact, cybercriminals tend to ramp up their activity on weekends and holidays explicitly because everyone else tends to let their guard down during those times.
Want more information? Keep up to date on all things ransomware by following us on Twitter, subscribing to our Youtube channel, and keeping an eye out for regular updates to our blog.
One of the most common mistakes that today’s organizations make is to assume that workloads in the cloud are secure. While it’s true that virtual machines and other cloud-provisioned resources tend to be more secure by default than an on-premises install, that doesn’t mean they’re actually secure. Attacks against public cloud instances are becoming more common, with one example detailed here: Hackers Using Compromised Google Cloud Accounts to Mine Cryptocurrency.
Today, there are two primary attacks that are commonplace once a system is compromised: using the compromised instances to mine cryptocurrency, and encrypting them with ransomware. More sophisticated threat actors may attempt to move laterally from the compromised public cloud instance, attacking other public cloud workloads, or even on-premises workloads, if a VPN between an on-premises data center and the cloud exists for them to exploit.
Supply chain attacks have been so successful that some threat actors are beginning to specialize in them. One such threat actor, Darkdev, is known for creating a fake Roblox API NPM package, the technical details of which are explored here: Tracking the ‘Noblox.js’ npm Malware Campaign.
Supply chain attacks involve hiding malware inside code that is uploaded to popular repositories for commonly used programming frameworks. In the above case, it is the node.js ecosystem that is under attack, but these types of supply chain attacks have become normalized everywhere you find a development framework with a community repository of code libraries.
This is a big problem in large part because the use of frameworks is increasingly taught to new developers as part of post-secondary education. This has led to a rapid rise in their popularity, their use within today’s organizations, and thus the exposure of those organizations to supply chain attacks if they are not diligent about which code repositories they allow to be used.
In November 2020 the Canadian city of Saint John, New Brunswick was hit by a devastating ransomware attack. This attack was the work of the Ryuk ransomware gang. The attack took most of the city’s digital infrastructure offline, including its 911 dispatch system. The few publicly known details are discussed here: Inside Saint John’s response to a ‘devastating’ cyberattack.
The Ryuk gang demanded some $20 million Canadian worth of Bitcoin. The city didn’t pay, and a year later there are still systems offline due to this attack. This incident demonstrates many of the hard choices that ransomware victims must make.
There’s no guarantee that paying the ransom would have resulted in systems being restored – the Ryuk gang was not exactly communicative – or that those systems could have been trusted if Ryuk offered the decryption keys. The capital costs of rebuilding and/or replacing systems have thus far proven to be significantly lower than the initial amount demanded for ransom … but only if you don’t take into account the time required to bring all these systems back online.
Most importantly, this isn’t an extreme example in any way. This is actually a pretty run-of-the-mill example of what happens when municipalities don’t invest adequately in information security, backups, and disaster recovery: near-total compromise, and a lengthy road back to “working.” And today it remains the norm for municipalities not to invest in infosec, backups, or DR, which is the primary reason they are favored targets for ransomware gangs.
One of the easiest vulnerabilities for any threat actor to exploit is people. Security blogger Brian Krebs has been following one particularly interesting approach in which the threat actor approaches employees of various companies, and offers them a share of the ransom if they will infect their employer. More on that here: Arrest in ‘Ransom Your Employer’ Email Scheme.
While an arrest has been made in relation to this scheme, this will not be the last we hear of this approach.
The “No More Ransom” project describes itself as “an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky and McAfee with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals.”
Why a Ransomware Group Is Pretending to Be a Real Company – Kate Linebaugh, Bob McMillan – Wall Street Journal.
Increasingly, ransomware operators are using many of the same strategies and processes as legitimate businesses. This requires them to recruit staff for a variety of roles, including infrastructure maintenance and even media relations. Here’s how criminal group Fin7 does it.
This is the perfect ransomware victim, according to cybercriminals – Charlie Osborne – ZDNet
CONTInuing the Bazar Ransomware Story – The DFIR report
Ransom Disclosure Act: US bill mandates organizations to report ransomware payments – Jessica Haworth – The Daily Swig
Hackers target biomanufacturing with stealthy Tardigrade malware – Bill Toulas – Bleeping Computer