New threat actors and new information on old threat actors. This and more was on our mind and in the news this month. Read on for the articles our team has been talking about around the proverbial water cooler.

Adversary Archaeology and the Evolution of FIN7

This article traces the evolution of the group FIN7, highlighting notable shifts in FIN7 activity over time. There’s a lot to digest here, and to learn as well, such as use of novel malware, incorporation of new initial access vectors, and likely shift in monetization strategies. Mandiant’s blog post draws on organic research from both historical and recent intrusions that Mandiant directly investigated, and describes the process of merging multiple UNC groups into FIN7.

Starting with FIN7’s initial access techniques, the article traces how they have diversified to include software supply chain compromise and the use of stolen credentials, in addition to their traditional phishing techniques. Read the blog post for intel on the most recent FIN7 intrusion operations, as well as the attribution methodologies used.

“This article underscores the importance of Threat Intelligence (CTI). Organizations need to understand who the adversary is that is attacking them, what they want, what they have done so far, and what they are going to do next. CTI helps answer these questions in addition to defending against these attacks.” — Shunta Sanders, Lead Senior Architect

Source: Mandiant, April 5

Former NSA Computer Scientist: Patching Vulnerabilities Gives False Sense of Security

This article covers a recent online conference named Hack At The Harbor, focusing on a debate about patching vulnerabilities. The topic, “Patching is useless”, was presented by Dave Aitel, 46, a former NSA computer scientist who ran his own security shop, Immunity, for many years. He argues that the remedies proposed by security vendors and big technology companies mostly work to lull people into a false sense of security without solving any problems.

“This article makes it clear that even if you manage to patch all vulnerabilities as soon as they are discovered (which in most cases is impossible due to the complexity of companies’ IT systems and networks), you will still be totally vulnerable to a 0-day attack. Once you assume that you will be breached, the best strategy to protect yourself is the deployment of deception technologies in internal and external networks so you can detect the breach as soon as it happens.” — Fernando, Founder

Source: IT Wire, April 25

A Bad Luck BlackCat

After the REvil and BlackMatter groups shut down their operations, it was only a matter of time before another ransomware group took over, and that group appears to be BlackCat. They are becoming a major player in the ransomware market, thanks to knowledge of malware development, a new written-from-scratch sample in an unusual programming language, and experience in maintaining infrastructure. This article summarizes everything and also presents a new data point connecting BlackCat with past BlackMatter activity – the reuse of the exfiltration malware Fendr.

“You never know which threat actor everybody will be talking about in the future, but it is definitely worth having BlackCat on your radar. This actor is ‘innovating’, doing things like using Rust to code their ransomware so it is easier to compile it for different platforms, and they consider themselves a successor to notorious ransomware groups like BlackMatter and REvil.” — Juan de la Fuente, Threat Intelligence Analyst

Source: SecureList, April 8

New powerful Prynt Stealer malware sells for just $100 per month

This article uncovers a new addition to the growing space of info-stealer malware. Prynt Stealer offers powerful capabilities plus extra keylogger and clipper modules, and targets a large selection of web browsers, messaging apps, and gaming apps. It can even perform direct financial compromise. The most interesting part? Its authors sell the tool in time-based subscriptions, such as $100/month, $200/quarter, or $700 for a year, and also under a lifetime license for $900. The tool is crafted with stealthiness as a priority, making it a powerful and dangerous tool.

“This article underscores the need for organizations to stay vigilant when it comes to defending against cyber-attacks. The main motivation of many bad actors is money. As a result, they have productized their tools (malware) for anyone to purchase. It’s becoming easier and easier to buy malicious software, like you can buy groceries. This malware (Prynt) is destructive and can cause real damage to an organization.” — Shunta Sanders, Lead Senior Architect

Source: Bleeping Computer, April 26

Applying a Traditional Blue Team Technique to Kubernetes

This technical blog by Tigera talks about the use of honeypots in an IT network and how they can be adapted to Kubernetes environments. The article goes into detail about how honeypots act as a canary for a blue team, allowing an attack to be detected, contained, and removed from a network. It’s simple and straightforward, just like the concept of basic honeypots.

“This is a perfect example of how to use deception to protect your assets even if your budget is limited. With the strategy outlined here, any IT Security person can deploy deception to a satisfactory effect. Of course, one would soon find lacking tools like collection and classification of telemetry logs generated by the containers, or an analysis tool that allows intelligence to be gathered from the data collected. That’s when a platform like ours comes in.” — David, Founder and CEO

Source: Tigera, April 3

Don’t miss next month’s roundup. Follow us on LinkedIn or Twitter, or sign up for our newsletter to stay in touch.