April saw some interesting news from cyber criminals. Read on to find out what set our team’s wheels spinning with defense innovations this month.
Ransomware Gang Threatens Pain on the Stock Market
Recently, in a new tactic to put pressure on cyber attack victims, ransomware attackers have expanded their extortion tactics with a new technique aimed at companies that are listed on NASDAQ or other stock markets. The operators of Darkside say they are willing to notify crooked market traders in advance so they can short a company’s stock price before they list its name on their website as a victim. The Darkside crew believes that the negative impact of having a traded company’s name listed on its website would be enough to cause its stock price to fall and for a crooked trader to make a profit.
“T think that, although this may appear to be just another ransomware attack focused on making money, it is the first of a new way of doing so within the world of ransomware. It is also an example of how ransomware attacks can financially affect many people, not just the business and the attacker involved.” — Fernando, Founder
Source: The Record, April 22
Top Cybercrime Gangs Use Targeted Fake Job Offers to Deploy Stealthy Backdoor
A group of criminals behind a stealthy backdoor known as more_eggs is targeting professionals with fake job offers tailored to them based on information from their LinkedIn profiles. These attacks are very targeted, and the access caters to a “select group of high-profile attackers”. The gang is selling access to systems infected with the backdoor to other sophisticated cybercrime groups including FIN6, Evilnum and Cobalt Group that are known to target organizations from various industries.
“I always like to read about how criminal gangs are using open source intel reconnaissance to improve their attacking strategy. In this case scouring LInkedIn both for victims and for job offers to appropriate to make their attack seem more believable. Leveraging this recon activity against cyber criminals is an underused and very valuable tactic. We know, at CounterCraft, that deploying threat intel gathering campaigns using external attack surface (like LinkedIn employee profiles) provides excellent results in detecting and understanding cyber adversary recon and profiling activity…” — Dan, Founder
Source: CSO Online, April 6
Hackers Are Exploiting a Pulse Secure 0-Day To Breach Global Organizations
Bad news for Pulse Secure. Hackers backed by nation-states are exploiting critical vulnerabilities in the Pulse Secure VPN to bypass two-factor authentication protections and gain stealthy access to networks belonging to a raft of organizations in the US Defense industry and elsewhere. At least one of the security flaws is a zero-day, meaning it was unknown to Pulse Secure developers and most of the research world when hackers began actively exploiting it. Multiple hacking groups are involved, at least one of which likely works on behalf of the Chinese government.
“I think this is another important piece of news about new exploits. It’s yet another attack targeted at VPNs by state-backed actors. As seen with the recent breach of European institutions in early April, these kinds of attacks are becoming “normal”, but they remain something we should be really worried about” – Fernando, Founder
Source: Ars Technica, April 20
Researchers Uncover a New Iranian Malware
An Iranian threat actor has unleashed a new cyberespionage campaign against a possible Lebanese target with a backdoor capable of exfiltrating sensitive information from compromised systems. The operation has been attributed to APT34(aka OilRig), thanks to similarities with previous techniques used by the threat actor. The backdoor gathers basic information about the victim’s machine, but it also establishes connections with a remote server to await additional commands that allow it to download files from the server, upload arbitrary files, and execute shell commands, the results of which are posted back to the server.
“This is a reminder for all of us that every vulnerability or threat, however small they may be, can be used for huge goals. Cyberespionage and cyberwar are always running. We must keep an eye on every new threat to get ahead of it, and use it in our interests. We see here how deception is used from the dark side of the industry. But once they are identified, when can act in advance with deception techniques to get the most insight from the situation.” — Angel, Engineer
Source: The Hacker News, April 8
NAME:WRECK Vulnerabilities Impact Millions of Smart and Industrial devices
A new set of vulnerabilities that impact hundreds of millions of servers, smart devices, and industrial equipment were discovered. Called NAME:WRECK, the vulnerabilities have been discovered as part of an internal research program at ForeScout named Project Memoria. This initiative aims to provide the cybersecurity community with the largest-ever study on the security of TCP/IP stacks. Although never visible to end-users, TCP/IP stacks are libraries that vendors add to their firmware to support internet connectivity and other networking functions for their devices. Any vulnerabilities in the TCP/IP stacks expose users to remote attacks, and this latest discovery should set off alarms for SCADA professionalse.
“SCADA professionals looking for ways to protect their networks should pay attention. We are convinced deception can be really useful for improving security on SCADA infrastructures, which are notoriously difficult to protect.” — Fernando, Founder
Source: The Record, April 13