TRIAGE - Threat Reporting and Intelligence on Attacks and General Exploits #10
James Beal
Security Architect and Threat Intelligence Researcher, Aeterneus Intel Founder. TRIAGE'ing the evolving threat landscape to help Infosec Teams and Execs keep their organizations safe!
Howdy everyone, welcome to TRIAGE Tuesday! First we have more coverage of the Russia and Ukraine conflict showing the rest of the world is still expecting pushback in the cyber realm at some point in the near future. We have a presidential Executive Order on cryptocurrency and how that should impact ransomware payments, along with a cyber incident reporting bill that could potentially massively assist in tracking and raising awareness of cyber incidents. Then we discuss a new way to infect systems outside of traditional phishing, and finish with an awesome and in-depth look at the Conti ransomware group’s data leak and the knowledge everyone can take away from their daily processes. Enjoy a closer look at all 5 stories below!
1. Cyber events around Russia/Ukraine conflict for the week:
Overview:
1st article: U.S. intelligence leaders and House lawmakers on Tuesday signaled they remain on edge that Russia could unleash a digital salvo on the country, and its allies, as Moscow’s invasion of Ukraine escalates. The various remarks — made during the public segment of the House Intelligence Committee’s annual worldwide threats hearing — are the latest acknowledgment that, while Russia has engaged in some malicious activities against Ukraine, the Kremlin has yet to fully deploy its legions of hackers and that what until now have been minor skirmishes could grow into full-scale, online conflict with ramifications for the rest of the world.
2nd article: Be careful when downloading a tool to cyber-target Russia: It could be an infostealer wolf dressed in sheep’s clothing that grabs your cryptocurrency info instead. Looking to cyber-hassle Russia, Ukrainian sympathizers? Be careful — malware is making the rounds, disguised as a pro-Ukraine cyber-tool that will turn around and bite you instead, researchers are warning.
TRIAGE: We are still in a “wait and see what happens next” holding pattern with cyberattacks originating from Russia and pointed at the rest of the world in a general sense. As covered in the first article, the major players in the U.S. are still expecting to see an increase in cyberattack activity, especially around Russia’s specialty, which is targeting critical infrastructure facilities. Countless articles and many books have been written about these attacks, but Sandworm by Andy Greenberg is one of the best resources covering the saga of Russia attacking Ukraine over the last several years as a “test bed” for its cyber attack toolsets. If those tools are pointed at critical infrastructure in the US, UK or anywhere else in the world, they could have the same levels of destructive results. This is cause for serious alarm, as many countries are nowhere near as prepared, or as tested in recovering from these kinds of attacks, as Ukraine is now after working through them for years. The second article actually demonstrates some activity we are seeing from Russia, again pointed at Ukraine in general, but specifically targeting anyone, whether inside or outside the country, who attempts to help. Disguising malware within what appears to be legitimate software is a very common tactic, and the people using such tools should have the general skills to watch for it, but when it comes to “hacktivism” there is sometimes more emotion involved than common sense in the first place.
2. Biden’s cryptocurrency executive order addresses illicit financial risks
Overview: The Biden administration issued its much-anticipated cryptocurrency executive order, laying out a wide-ranging investigation into digital assets to gain at least a preliminary grasp on how to address the rapidly growing $3 trillion financial market and its role in ransomware and other illicit activities. The order, entitled “Ensuring Responsible Development of Digital Assets,” outlines a series of far-reaching goals, including reducing the risks that digital assets could pose to consumers and investors, improving business protections, financial stability, and financial system integrity, combating and preventing crime and illicit finance, enhancing national security, fostering human rights and financial inclusion, and addressing climate change and pollution.
TRIAGE: We have seen a crackdown on cryptocurrency and the way it can be processed through worldwide financial systems in the last couple of years, with even more of a focus during the last 6-12 months. This is great news from both perspectives: it makes cryptocurrency more legitimate as a true transactional method while also attempting to help with the criminal activity tied to it in the first place. Having the U.S. President put out an official executive order puts the wheels in motion for much greater general awareness and the real potential for change and acceptance. I think most people have heard of one of the forms of cryptocurrency by now, but still consider it a niche thing, not aware of the total value involved as stated here in general terms. The article also goes into the main focus behind this, which is to find ways to keep it functional while making it harder for criminals to use and to hide their wealth.
3. Senate approves historic cyber incident reporting bill, sends to Biden’s desk
https://therecord.media/senate-approves-historic-cyber-incident-reporting-bill-sends-to-bidens-desk/
Overview: The Senate on Thursday passed landmark legislation that will mandate critical infrastructure operators alert the federal government when they are hacked or make a ransomware payment. “Critical infrastructure operators defend against malicious hackers every day, and right now, these threats are even more pronounced due to possible cyber-attacks from the Russian government in retaliation for our support of Ukraine,” Senate Homeland Security Committee Chair Gary Peters (D-Mich.) said in a statement. “It’s clear we must take bold action to improve our online defenses.”
TRIAGE: This ties in directly with the Exec Order above as another move to get more legislation through that covers cybersecurity incidents across US critical infrastructure. If this passes through all levels and gets fully approved, it will hopefully add to the general awareness of the attacks organizations are facing, but it will also add reporting overhead to those organizations, which will need to be developed into standard processes. This is also confidential info and so probably will not be shared much publicly, and even if it is, we won’t have open source level details on the technical aspects behind those attacks. Those technical details are really the missing pieces we could use in a more open sharing forum for general protections, but that always comes down to the need to keep attackers from learning what defenders know about their current techniques.
4. Corporate website contact forms used to spread BazarBackdoor malware
Overview: The stealthy BazarBackdoor malware is now being spread via website contact forms rather than typical phishing emails to evade detection by security software. BazarBackdoor is a stealthy backdoor malware created by the TrickBot group and is now under development by the Conti ransomware operation. This malware provides threat actors remote access to an internal device that can be used as a launchpad for further lateral movement within a network. The BazarBackdoor malware is usually spread through phishing emails that include malicious documents that download and install the malware.
TRIAGE: The massive growth in BEC and ransomware has been tied to phishing messages as the primary delivery vehicle over the last several years. I’ve included this here because it serves as a great example of something we’ve already seen many times: attackers will modify their methods once detections are available and protections for the common methods are put into place across the net. As mentioned last week, most ransomware groups have evolved toward either fast smash-and-grab or low-and-slow long-term attacks; this backdoor malware is designed for the latter case of “low and slow” to avoid detection for as long as possible. Conti is a major player in the malware/ransomware space along with the TrickBot group, and is the subject of the next article, where you can find many details of their actual operations and see how involved things can get between ransomware creators, distributors and affiliates.
5. Inside Conti leaks: The Panama Papers of ransomware
Overview: The ransomware group Conti has only been around for two years, but in that short time it has emerged as one of the most successful online extortion groups of all time. Last year alone, it generated an eye-popping $180 million in revenue, according to the latest Crypto Crime Report published by virtual currency tracking firm Chainalysis. The group almost exclusively targets companies with more than $100 million in annual revenues, which, in turn, allows it to routinely extract multimillion-dollar ransom payments from its victims. The group seemed poised to continue in that vein until late last month, when it made a fatal mistake: it publicly supported Russia’s invasion of Ukraine. The group’s allegiance clearly rubbed someone the wrong way. Within days, the gang’s internal Jabber/XMPP server – which carried their private messaging channel – was hacked, and two years of the group’s chat logs appeared on a new Twitter handle called @ContiLeaks.
TRIAGE: The article itself goes into the general details behind this event, how it ties into the ongoing Russia/Ukraine conflict and the political stance that led to full exposure. The podcast audio linked in the article is actually the weekly podcast done by Recorded Future and is excellent on its own, easily worth adding to your favorite podcast app if you are interested in general cybersecurity and the stories behind major attacks. This massive leak was also covered in extreme detail by Brian Krebs on his blog at https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-i-evasion/ where he documents what he found after reading the entire dump of chat logs. This event is a rare behind-the-scenes view into how ransomware groups actually function, their communications and their processes for existing on a daily basis. It’s fascinating as a standalone event, but it will also serve as a resource for future research as we look at the changes these criminal groups make and how they react to current events in general.
To get a copy of this article in email form delivered each week, subscribe to my newsletter!