It appears that the increase in cybercrime and the growing innovation by criminals is starting to see a coordinated institutional response. While it remains to be seen if that results in any sort of real change, it’s fascinating to watch it unfold. Read on for the news we’ve been watching and sharing this month.
Ransomware Groups to Watch: Emerging Threats
This threat intel report from Unit 42 highlights four emerging ransomware groups that look to be important future threats. The information comes from Unit 42’s ransomware hunting operations and is the result of monitoring current ransomware activity, dark web leak sites, and evaluating up-and-coming players. The four emerging ransomware groups highlighted are AvosLocker, Hive Ransomware, Hello Kitty, and LockBit 2.0.
“The rise in ransomware attacks is disturbing; sadly, this is becoming the new norm that organizations, no matter the size, have to contend with. Every day there is a new emerging adversary/bad actor looking to disrupt an organization’s mission. This underscores the fact that cybersecurity needs to be a priority for everyone in an organization, not just the cybersecurity team. The time is now to take a proactive stance to threats instead of a reactive one.” — Shunta Sanders, Lead Senior Architect
Source: Unit42, August 25
US Taps Amazon, Google, Microsoft, Others To Help Fight Ransomware, Cyber Threats
The U.S. government has created the Joint Cyber Defense Collaborative, an initiative that includes the world’s most prominent tech companies, including Amazon.com Inc., Microsoft Corp. and Google. The goal is to bolster the United States’ critical infrastructure defenses against cyber threats, and the move comes after a string of high-profile attacks. The agency, which is part of the Dept. of Homeland Security, has as its principal objective improving information sharing between the public and private sectors in an effort to prevent further attacks that threaten national security.
“This is an important piece of news. The fact that big IT actors are joining forces to fight ransomware as part of a government request-for-help meeting shows how the ransomware problem is still a maximum priority for the government. They have realized the impact it can have on critical national infrastructures. Deception can help those companies to detect such threats in their early stages.” — Fernando, Founder
Source: Wall Street Journal, August 5
FBI Sends Its First-Ever Alert About a ‘Ransomware Affiliate’
Whenever the FBI does something for the first time, the security world listens. This month, they published their first-ever public advisory detailing the modus operandi of a “ransomware affiliate.” Ransomware affiliate is a new term that refers to a person or group who rents access to Ransomware-as-a-Service (RaaS) platforms, orchestrates intrusions into corporate networks, encrypts files with the “rented ransomware,” and then earns a commission from successful extortions. It is a further example of how ransomware is now an organized crime system, not just a collection of sporadic hackers or threat actors. The FBI report outlines the OnePercent Group, an actor that dates back to November 2020.
“What I found interesting about this piece of news was both the coining of the ‘ransomware affiliate’ term and the involvement of the FBI. RaaS (Ransomware as a Service) dates back to at least October 2002, but it is only growing and increasing in sophistication, and meanwhile not everybody is aware of it.” — Member of the Development Team
Source: The Record, August 25
FIN8 cybercrime gang backdoors US orgs with new Sardonic malware
A new piece of malware has resulted in a breach of a US financial organization. Sardonic, malware created by a financially motivated cybercrime gang, was discovered by Bitdefender researchers. The threat actor behind it is FIN8, which has been active since at least January 2016 and is known for targeting the retail, restaurant, hospitality, healthcare, and entertainment industries with the end goal of stealing payment card data from POS systems. Sardonic is a C++-based backdoor that is deployed on targets’ systems by social engineering or spear-phishing, favorite attack vectors of FIN8.
“This recent incident shows that no organization is safe from adversaries/bad actors looking to harm an organization’s business/mission. The hospitality industry has a treasure trove of user data that bad actors want. This attack underscores the need to have robust threat hunting and threat intelligence capabilities within an organization to combat such attacks. The only way to possibly deter such events from happening is by not making yourself a ‘soft target’. Shore up your cybersecurity posture now, not after a breach.” — Shunta Sanders, Lead Senior Architect
Source: Bleeping Computer, August 26
Spies for Hire: China’s New Breed of Hackers Blends Espionage and Entrepreneurship
American law enforcement has recently discovered some “interesting” job ads from a Chinese “start-up.” Three well-paid positions recruiting Cambodian speakers for a high-tech company caught the attention of American intelligence, and it has been determined that they are really part of a front company controlled by the Chinese government. This is just further evidence of China’s aggressive efforts to scale up its campaigns by employing private-sector talent.
“It’s true that this type of news is more and more common. However, even if this kind of news is recurrent, I think it is important to keep talking about it, because state-backed threats should still be a concern for all countries.” — Fernando, Founder
Source: New York Times, August 27