Edition 2

Highlights:

  • Mandiant found the ROADSWEEP ransomware in the middle of July.
  • The German Federal Office for Information Security says the attackers are threatening to publish up to 2 TB of stolen data on the dark web.
  • If you receive a data breach notice, you need to know what is at risk and what you can do about it.
  • BlackBerry security researchers recently found that three different threat groups were using the same infrastructure to carry out a wide range of malicious activities.
  • The Zimbra vulnerability CVE-2022-27924 has been added to the Cybersecurity and Infrastructure Security Agency's 'Known Exploited Vulnerabilities Catalog', which indicates that it is being actively exploited in attacks.
  • H0lyGh0st has been using ransomware against many businesses, including small and medium-sized ones.
  • Researchers were able to assemble a database of 22 billion credentials by combining known dumps of stolen usernames and passwords.
  • The National Institute of Standards and Technology (NIST) has warned against using one-time passwords sent by text message as a second authentication factor.
  • One of the most interesting findings is that two cyber-espionage groups, "Bitter APT" and "APT36," were found to be working together.
  • Agent Tesla, a Windows spyware, was delivered to targets in emails disguised as reports or forms.
  • The phishing peaked on March 31, right before a meeting of the oil-producing countries of OPEC.
  • High-profile clients such as Tesla, PepsiCo, Whole Foods, and the New York Metropolitan Transit Authority went to court over the incident.
  • At ITS, our goal is to help businesses manage technology risk and improve their security.


Mandiant details ROADSWEEP ransomware and a Telegram persona targeting the Albanian government

Ahead of a conference of the Iranian opposition group Mujahedin-e Khalq (MEK), the ROADSWEEP ransomware family and a Telegram persona were used to disrupt the Albanian government, expanding Iran's disruptive cyber operations against a NATO member state into new territory. Mandiant also identified a previously unknown backdoor, CHIMNEYSWEEP, and a new variant of the ZEROCLEARE wiper. Mandiant found the ROADSWEEP ransomware in the middle of July. It drops a politically themed ransom note indicating that the Albanian government was the intended target. On July 18, 2022, Albanian government websites and citizen services were disrupted under the name "HomeLand Justice," which turned out to be a front persona.

The HomeLand Justice front posted a video of the ransomware being executed, along with what appeared to be Albanian documents and residence permits belonging to MEK members. Researchers note that Iranian and pro-Iranian information operations have frequently targeted the MEK with hostile messaging. The persona used the hashtags #MKO, #ISIS, #Manez, and #HomeLandJustice.ru alongside the apparent MEK documents. Researchers also uncovered the CHIMNEYSWEEP backdoor, which uses either Telegram or attacker-owned infrastructure for command and control (C&C). CHIMNEYSWEEP is dropped by a self-extracting archive that also carries a decoy Excel, Word, or video file, and the archive is signed with a valid digital certificate.

Separately, Mandiant's Red Team emulated the techniques of FIN11 at a European engineering company to gauge how far ransomware operators could reach into an operational technology (OT) network. Whether driven by the war between Russia and Ukraine or by criminals trying to cover their tracks, such attacks remain hard to predict.


Semikron Warns of Possible Data Breach After Ransomware Attack

On August 1, 2022, Semikron disclosed that what appears to be a ransomware attack may have led to a data breach. The German Federal Office for Information Security says the attackers are threatening to publish up to 2 TB of stolen data on the dark web. If you receive a data breach notice, you need to know what is at risk and what you can do about it. Semikron is one of several organizations hit by ransomware recently, and the incident shows what is at stake for everyone else. Data breaches are also a major reputational problem, because no company wants to be seen as careless with its customers' private information. The best way to limit the damage is to prevent such attacks in the first place with strong data security controls.


The Troublesome Rise of Initial Access Brokers

IABs are threat groups that break into a target network and then sell that access on dark web markets to the highest bidder. Recently, BlackBerry security researchers found that three different threat groups were using the same infrastructure to carry out a wide range of malicious activities. IABs let threat actors steal data, deploy ransomware, and spread malware without having to do their own reconnaissance and initial intrusion work, much as IaaS providers let legitimate organizations scale their operations. BlackBerry's researchers could not determine how the three groups kept their campaigns hidden from the organizations they were targeting. The infrastructure to which Zebra2104 was selling access has close ties to a malicious spam campaign that Microsoft reported earlier this year.

Digital Shadows found that most IABs provide their customers with initial access through compromised Remote Desktop Protocol (RDP) systems and VPNs. In the third quarter of 2021, IABs charged an average of $1,869 for access to a compromised VPN. Ransomware groups are the biggest buyers, though many kinds of threat actors purchase IAB listings. Prices depend on factors such as the size of the victim organization and the type of access and data on offer.


Zimbra flaw is being exploited to steal passwords

The Zimbra vulnerability CVE-2022-27924 has been added to the Cybersecurity and Infrastructure Security Agency's 'Known Exploited Vulnerabilities Catalog', which indicates that it is being actively exploited in attacks. When legitimate users log in, an attacker can manipulate the server so that their IMAP traffic is redirected to the attacker instead of to the real mail server, exposing their credentials. This gives the attacker access to the victims' mailboxes and opens the way for spear phishing, social engineering, and business email compromise (BEC).


The spread of ransomware has led to a thriving dark web ecosystem

There are now hundreds of thriving dark web marketplaces offering a wide range of professional ransomware products and services at varying prices. Researchers found 30 different ransomware families for sale, including ads for well-known strains such as DarkSide/BlackCat, Babuk, Egregor, and GoldenEye. The tools and services on these marketplaces are designed so that attackers with little technical knowledge or experience can launch ransomware attacks against whomever they choose. IABs are threat actors who sell access to already-compromised networks to other threat actors; Jupiter, Neptune, and BlackCat are three of the most prominent players in this space.

Access is typically sold as stolen credentials for Citrix, Microsoft Remote Desktop, and Pulse Secure VPN. Prices for VPN access can reach $5,000 or more, depending on the type of organization and the level of access it grants. Worth noting: ransomware is, and has been for several years, the biggest threat to business data security. Some of the larger ransomware groups now have hundreds of hackers working for them and make hundreds of millions of dollars a year. The US government is offering a $10 million reward for information that helps identify or locate members of Conti.


The H0lyGh0st ransomware from North Korea has ties to world politics

H0lyGh0st is believed to be connected to the North Korean group PLUTONIUM, which has been active since 2014. Lazarus is a threat actor group that appears to be backed by the Reconnaissance General Bureau (RGB) of the Democratic People's Republic of Korea (DPRK). In recent years the international community has put more pressure on the closed country through additional sanctions, which could push the North Korean government to seek illicit sources of revenue. It is also possible that H0lyGh0st is motivated simply by the threat group's own desire for profit.

H0lyGh0st has been using ransomware against many businesses, including small and medium-sized ones. Before encrypting the files, the threat actor exfiltrates a copy of them and then demands a ransom; if the victim refuses to pay, they are told their files will be published online. The ransom note, written in broken English, tries to coax the victim into cooperating. Variants of the H0lyGh0st family began appearing in October 2021.

Running the first variant, "HolyRS.exe," opens a command window and launches the system utility Net.exe. In the command window we can see a TCP connection being made to 193.56.29.123:8888, the same address used by the SiennaPurple variant. If the malware cannot reach the ServerBaseUrl, it attempts to reach it through the intranet. A H0lyGh0st infection costs more than money: whether or not the ransom is paid, ransomware can destroy large amounts of data and damage a business and its reputation. Schools, banks, and other small to medium-sized organizations are known to have been affected so far.
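The C2 address quoted above is a concrete indicator a SOC can hunt for in network telemetry. As an added example (not code from this newsletter or from Microsoft's analysis of H0lyGh0st), the Python below scans Zeek-style conn.log lines for TCP connections to 193.56.29.123:8888 and, because the text notes a fallback toward the intranet when the ServerBaseUrl is unreachable, also reports tcp/8888 connections to RFC 1918 addresses at lower confidence. The log lines are constructed for illustration; the column order follows Zeek's default conn.log layout, and the "low confidence" fallback rule is an assumption about what the intranet retry would look like on the wire.

```python
"""Hunt Zeek-style conn.log lines for the H0lyGh0st C2 endpoint quoted in the text.

Added example, not code from the newsletter or from Microsoft's report. The
indicator 193.56.29.123:8888 is taken from the write-up; the log lines below
are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Destination IP and TCP port of the C2 endpoint named in the write-up.
KNOWN_C2 = {("193.56.29.123", 8888)}

# The text notes a fallback toward the intranet when the ServerBaseUrl is
# unreachable; tcp/8888 to RFC 1918 space is therefore reported at low
# confidence (assumption: the retry reuses the same port).
C2_PORT = 8888
PRIVATE_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


@dataclass
class Hit:
    ts: str
    src: str
    dst: str
    dport: int
    confidence: str
    reason: str


def parse_conn_line(line: str) -> Optional[Tuple[str, str, str, int, str]]:
    """Return (ts, orig_h, resp_h, resp_p, proto) from a Zeek conn.log line.

    Zeek's default column order is: ts uid id.orig_h id.orig_p id.resp_h
    id.resp_p proto ... ; header lines start with '#'.
    """
    if line.startswith("#"):
        return None
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 7:
        return None
    ts, _uid, orig_h, _orig_p, resp_h, resp_p, proto = fields[:7]
    try:
        return ts, orig_h, resp_h, int(resp_p), proto
    except ValueError:
        return None


def is_private(addr: str) -> bool:
    """True if addr parses as an IP inside one of the RFC 1918 ranges."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in PRIVATE_NETS)


def scan(lines: List[str]) -> List[Hit]:
    """Return one Hit per TCP connection matching the C2 indicator or its fallback pattern."""
    hits: List[Hit] = []
    for line in lines:
        parsed = parse_conn_line(line)
        if parsed is None:
            continue
        ts, src, dst, dport, proto = parsed
        if proto != "tcp":
            continue
        if (dst, dport) in KNOWN_C2:
            hits.append(Hit(ts, src, dst, dport, "high", "known H0lyGh0st C2 endpoint"))
        elif dport == C2_PORT and is_private(dst):
            hits.append(Hit(ts, src, dst, dport, "low",
                            "tcp/8888 to internal host; possible intranet fallback"))
    return hits


# Constructed sample log (not real traffic): one C2 beacon, one benign HTTPS
# flow, one internal tcp/8888 connection, one DNS query.
SAMPLE_CONN_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1660000001.10\tCa1\t10.0.0.15\t49152\t193.56.29.123\t8888\ttcp",
    "1660000002.20\tCa2\t10.0.0.15\t49153\t142.250.74.46\t443\ttcp",
    "1660000003.30\tCa3\t10.0.0.22\t49160\t10.0.0.5\t8888\ttcp",
    "1660000004.40\tCa4\t10.0.0.22\t49161\t10.0.0.53\t53\tudp",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_CONN_LOG):
        print(f"[{hit.confidence}] {hit.ts} {hit.src} -> {hit.dst}:{hit.dport}  {hit.reason}")
```

Run against the constructed sample, the scan returns two hits: the beacon to the known C2 at high confidence and the internal tcp/8888 connection at low confidence; the HTTPS flow and the UDP DNS query are ignored. In production the same `scan` function can be fed a real conn.log one line at a time, and `KNOWN_C2` extended with any additional indicators from the vendor report.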


Stolen data gives attackers the upper hand against text-based 2FA

About 1 billion records, compiled from online databases, contain the names, email addresses, passwords, and phone numbers of mobile phone users. This gives attackers everything they need to run SMS phishing ("smishing") attacks, which are reportedly seven times more effective than email attacks. Researchers were able to assemble a database of 22 billion credentials by combining known dumps of stolen usernames and passwords. The National Institute of Standards and Technology (NIST) has warned against using one-time passwords sent by text message as a second authentication factor.

Users should not act on alerts that arrive by SMS; instead, they should log into the account directly. Adding reCAPTCHA checks can also help flag suspicious activity.


Facebook finds new malware for Android that APT hackers are using

Facebook has released its adversarial threat report for Q2 2022. One of the most interesting findings is that two cyber-espionage groups, "Bitter APT" and "APT36," were found to be working together. These groups use social media sites like Facebook for open-source intelligence gathering (OSINT) or to create fake profiles and befriend victims. The Android app Facebook found is a new piece of malware that Meta calls "Dracarys." It abuses accessibility services to grant itself additional permissions without the user's consent. No existing anti-virus engines detect Dracarys, which shows how capable Bitter is at building stealthy custom malware. People in Afghanistan, India, Pakistan, the United Arab Emirates, and Saudi Arabia were the latest targets of APT36.


A spear-phishing group went after oil companies weeks before the price of US oil contracts went negative

A spear-phishing campaign targeted oil producers around the world. Agent Tesla, a Windows spyware, was delivered in emails disguised as reports or forms. If the attachment was opened, Agent Tesla used a Yandex mail server to receive commands from its operators and send stolen data back to them. The phishing peaked on March 31, right before a meeting of the oil-producing countries of OPEC, many of which were among the targets. The spear-phishing attacks could be part of a business email compromise scam, but the fact that they drop the Agent Tesla information stealer suggests these campaigns are more about spying: someone wants to track how companies are handling the oil crisis. That could be a private energy company, a state-backed hacking group, or a mix of the two.


Lessons on Third-Party Risk Management from the Kronos Ransomware Attack

The Kronos ransomware attack hit over 8,000 employers, including hospitals. It prevented customers from processing payroll, causing considerable disruption and internal disputes. High-profile clients such as Tesla, PepsiCo, Whole Foods, and the New York Metropolitan Transit Authority went to court over the incident. At ITS, we share our knowledge and help businesses figure out what went wrong so that it does not happen again.

Find out how the incident will affect your business. Change your passwords right away and set up multi-factor authentication (MFA). Tell your IT security team or managed service provider about problems like this as soon as possible. There is a limit to how much you can do about third-party risk, so assess each vendor's security and rank vendors by how critical they are to your business.

Where possible, keep backups for mission-critical operations so you can deal with important problems before they get worse. The Kronos hack is a good reminder that you should not worry only about your own network: cyber threats can take third-party services offline, and with them some of your most important operations. Knowing how to reduce those risks and what to do if a vendor is attacked can help lessen the impact.


If you enjoyed reading this post or found it valuable, please consider subscribing and sharing this newsletter. I hope this small step can help many to keep well-updated on cybersecurity related issues.

Supriyanto .

Cloud Security & Governance Architect

2 years

I think many private and public sector organizations are still using Zimbra, and it's mentioned that Zimbra has a flaw that hackers are using to steal passwords. What homework... Thank you pak Faisal Yahya for sharing.

Spencer La Placa, Security Plus, CEH

Certificates: Security + ce-601, Certified Ethical Hacker (CEH), Certified Ethical Hacker Practical (CEH-Master), Certified Network Defender (CND), Microsoft AZ-900, Currently Enrolled EC-Council M.S. Cybersecurity

2 years

Great update on data breaches. Thanks for your contribution.
